isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Document the interaction between sudoers environment handling and

Browse Source 
the pam_env module.
This commit is contained in:
Todd C. Miller
2014-08-11 11:23:16 -06:00
parent c49ca1d315
commit 2d22d0dca8
3 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
doc/sudoers.cat
View File

@@ -148,6 +148,16 @@ DDEESSCCRRIIPPTTIIOONN
The list of environment variables that ssuuddoo allows or denies is contained The list of environment variables that ssuuddoo allows or denies is contained
in the output of ``sudo -V'' when run as root. in the output of ``sudo -V'' when run as root.
On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo,
variables in the PAM environment may be merged in to the environment. If
a variable in the PAM environment is already present in the user's
environment, the value will only be overridden if the variable was not
preserved by ssuuddooeerrss.. When _e_n_v___r_e_s_e_t is enabled, variables preserved from
the invoking user's environment by the _e_n_v___k_e_e_p list take precedence over
those in the PAM environment. When _e_n_v___r_e_s_e_t is disabled, variables
present the invoking user's environment take precedence over those in the
PAM environment unless they match a pattern in the _e_n_v___d_e_l_e_t_e list.
Note that the dynamic linker on most operating systems will remove Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of setuid variables that can control dynamic linking from the environment of setuid
executables, including ssuuddoo. Depending on the operating system this may executables, including ssuuddoo. Depending on the operating system this may

23
doc/sudoers.man.in
View File

@@ -365,6 +365,29 @@ contained in the output of
\(lq\fRsudo -V\fR\(rq \(lq\fRsudo -V\fR\(rq
when run as root. when run as root.
.PP .PP
On systems that support PAM where the
\fBpam_env\fR
module is enabled for
\fBsudo\fR,
variables in the PAM environment may be merged in to the environment.
If a variable in the PAM environment is already present in the
user's environment, the value will only be overridden if the variable
was not preserved by
\fBsudoers.\fR
When
\fIenv_reset\fR
is enabled, variables preserved from the invoking user's environment
by the
\fIenv_keep\fR
list take precedence over those in the PAM environment.
When
\fIenv_reset\fR
is disabled, variables present the invoking user's environment
take precedence over those in the PAM environment unless they
match a pattern in the
\fIenv_delete\fR
list.
.PP
Note that the dynamic linker on most operating systems will remove Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of variables that can control dynamic linking from the environment of
setuid executables, including setuid executables, including

23
doc/sudoers.mdoc.in
View File

@@ -351,6 +351,29 @@ contained in the output of
.Dq Li sudo -V .Dq Li sudo -V
when run as root. when run as root.
.Pp .Pp
On systems that support PAM where the
.Sy pam_env
module is enabled for
.Nm sudo ,
variables in the PAM environment may be merged in to the environment.
If a variable in the PAM environment is already present in the
user's environment, the value will only be overridden if the variable
was not preserved by
.Nm sudoers.
When
.Em env_reset
is enabled, variables preserved from the invoking user's environment
by the
.Em env_keep
list take precedence over those in the PAM environment.
When
.Em env_reset
is disabled, variables present the invoking user's environment
take precedence over those in the PAM environment unless they
match a pattern in the
.Em env_delete
list.
.Pp
Note that the dynamic linker on most operating systems will remove Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of variables that can control dynamic linking from the environment of
setuid executables, including setuid executables, including