Sudo does not preserve TMPDIR

environment-variablessudotmp

The sudo manpage tells me, that I can preserve the environment by passing the -E option, which does not work in the case of $TMPDIR:

> env | grep TMPDIR
TMPDIR=/localdata/tmp
> sudo env | grep TMPDIR
[no output]
> sudo -E env | grep TMPDIR
[no output]

This option is not blacklisted, that is sudo sudo -V doesn't list it as "Environment variables to remove". Following the approach proposed in an answer the the question "How to specify root's environment variables", I tried to whitelist it, that is my /etc/sudoers reads:

Defaults        env_reset
Defaults        env_keep = "TMPDIR"

This doesn't work neither, it actually doesn't even make TMPDIR appear in the whitelist (that is, what “sudo sudo -V` prints as "Environment variables to preserve".

(I'm running Ubuntu 10.04.)

Best Answer

It looks like glibc will remove certain environment variables when running setuid programs (sudo is, of course, setuid). TMPDIR is one of these environment variables, although it doesn't seem to be documented anywhere. This is a security feature to prevent setuid programs from having their environments altered to allow for malicious reading/writing of file data.

Reference: ld.so clears TMPDIR for setuid programs
Reference: TMPDIR ignored when setuid for dumpcap

If you want TMPDIR in your sudo environment, you can pass it explicitly:

sudo TMPDIR=$TMPDIR env

Related Solutions

Linux – Why does sudo command take long to execute

I asked this question over on SO and it got moved here. That said I no longer have the ability to edit the question as if I owned it, or even accept the correct answer, but this turned out to be the true reason why and how to solve it:

Found here User "rohandhruva" on there gives the right answer:

This happens if you change the hostname during the install process.

To solve the problem, edit the file /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 <ADD_YOURS_HERE> 
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 <ADD_YOURS_HERE>

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Best Answer

Related Solutions

Linux – Why does sudo command take long to execute

Ssh-agent forwarding and sudo to another user

Related Topic