The problem is simple: how to preserve PATH and LD_LIBRARY_PATH when running a program via sudo. But when I tried to find a workaround, I was thoroughly confused by the related details, so I am keeping as clear a record as I can, to help myself.
1.
Topic: How to set environment variables
Source: man sudo, section OPTIONS
Details:
Environment variables to be set for the command may also be passed on the command line in the form of VAR=value, e.g. LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the command line are subject to the same restrictions as normal environment variables with one important exception. If the setenv option is set in sudoers, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables that would otherwise be forbidden. See sudoers(5) for more information.
2.
Topic: About LD_LIBRARY_PATH
Source: man sudo, section SECURITY NOTES
Details:
Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including sudo. Depending on the operating system this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others. These types of variables are removed from the environment before sudo even begins execution and, as such, it is not possible for sudo to preserve them.
3.
Topic: env_reset
Source: man sudo, section SUDOERS OPTIONS
Details:
env_reset    If set, sudo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable. This flag is on by default.
4.
Topic: Handling environment variables against env_reset
Source: man sudo, section SECURITY NOTES
Details:
There are two distinct ways to deal with environment variables. By default, the env_reset sudoers option is enabled. This causes commands to be executed with a minimal environment containing TERM, PATH, HOME, SHELL, LOGNAME, USER and USERNAME in addition to variables from the invoking process permitted by the env_check and env_keep sudoers options. There is effectively a whitelist for environment variables.
If, however, the env_reset option is disabled in sudoers, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process. In this case, env_check and env_delete behave like a blacklist. Since it is not possible to blacklist all potentially dangerous environment variables, use of the default env_reset behavior is encouraged.
My workaround is as follows. The second line uses the VAR=value form from item 1: the value is passed to sudo as an argument rather than through sudo's own environment, so the dynamic linker's removal of LD_* from setuid programs (item 2) does not touch it, and it reaches the command even with env_reset on (items 3 and 4). It still requires the setenv option, the SETENV tag or an ALL rule in sudoers, as item 1 says.
cd /usr/local/bin; sudo ln -s
sudo LD_LIBRARY_PATH= my_executable
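As an added example (not from the original post, and not sudo's own code), the following POSIX shell script ties items 1 to 4 together. Part 1 emulates the env_reset whitelist with env -i so the semantics of items 3 and 4 can be seen without root; it is only an illustration, and note that for the real sudo an env_keep entry for LD_LIBRARY_PATH would not help anyway, because the loader has already stripped it before sudo runs (item 2). Part 2 is a sudoers drop-in that keeps env_reset on and grants the SETENV tag for one command only, so the VAR=value route from item 1 is allowed for that program without enabling setenv globally or disabling env_reset, plus a visudo syntax check before installing it. Part 3 is the invocation itself. The user name alice, the program /usr/local/bin/my_executable and the library directory /usr/local/pkg/lib are hypothetical names chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or of sudo itself.
# Hypothetical names: user "alice", program /usr/local/bin/my_executable,
# library directory /usr/local/pkg/lib.

# Part 1: emulate the env_reset whitelist in plain shell. Start from an
# empty environment (env -i), copy in only the variables named in the
# space-separated list $1, then run the remaining arguments as the
# command. Everything not on the list is dropped, as env_reset does with
# variables outside env_keep/env_check. Illustration only; no sudo here.
env_reset_like() {
    keep=$1; shift
    pairs=""
    for name in $keep; do
        # Copy only variables that are actually set in the caller.
        if eval "[ -n \"\${$name+set}\" ]"; then
            pairs="$pairs \"$name=\${$name}\""
        fi
    done
    # eval expands each ${name} inside double quotes, so values that
    # contain spaces are passed to env as single arguments.
    eval "env -i $pairs \"\$@\""
}

# Part 2: sudoers drop-in for the VAR=value route of sudo(8). env_reset
# stays on; the SETENV tag is granted for one command only, so
# "sudo LD_LIBRARY_PATH=... /usr/local/bin/my_executable" is accepted for
# alice while every other command keeps the default restrictions.
# The weak alternatives this avoids: "Defaults setenv" (any user may set
# any variable for any command) and "Defaults !env_reset" (blacklist mode).
sudoers_dropin() {
    cat <<'EOF'
# /etc/sudoers.d/my_executable (hypothetical path; install as root, mode 0440)
Defaults env_reset
alice ALL = (root) SETENV: /usr/local/bin/my_executable
EOF
}

# Syntax-check the drop-in with "visudo -c -f FILE" before installing it:
# a malformed file under /etc/sudoers.d can lock everyone out of sudo.
# Returns 0 when the file parses, or when visudo is not installed here.
check_dropin() {
    tmp=$(mktemp) || return 1
    sudoers_dropin > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"; rc=$?
    else
        echo "visudo not found; skipping syntax check"; rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Part 3: run the program under sudo with the library path given in the
# VAR=value form. The value travels as an argument, never in sudo's own
# environment, so the loader's stripping of LD_* from setuid programs
# does not affect it. Not called below: it needs the drop-in installed.
run_with_libpath() {
    libdir=$1; shift
    sudo LD_LIBRARY_PATH="$libdir" "$@"
}

# Demonstration of part 1 without root: the caller exports
# LD_LIBRARY_PATH, but it is not on the keep list, so the child never
# sees it; HOME is on the list and survives.
(
    LD_LIBRARY_PATH=/usr/local/pkg/lib; export LD_LIBRARY_PATH
    env_reset_like "HOME USER" \
        sh -c 'echo "child sees LD_LIBRARY_PATH=[${LD_LIBRARY_PATH-unset}] HOME=[${HOME-unset}]"'
)
sudoers_dropin
```

To check the real thing rather than the emulation: as root, `sudo -V` prints the default env_keep and env_check lists; `sudo -l` shows whether the SETENV tag applies to your command; and after installing the drop-in, `run_with_libpath /usr/local/pkg/lib /usr/local/bin/my_executable` is the invocation from the workaround above.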