The sudo manpage tells me that I can preserve the environment by passing the -E option, which does not work in the case of $TMPDIR:
> env | grep TMPDIR
TMPDIR=/localdata/tmp
> sudo env | grep TMPDIR
[no output]
> sudo -E env | grep TMPDIR
[no output]
This option is not blacklisted, that is, sudo sudo -V doesn't list it under "Environment variables to remove". Following the approach proposed in an answer to the question "How to specify root's environment variables", I tried to whitelist it, that is, my /etc/sudoers reads:
Defaults env_reset
Defaults env_keep = "TMPDIR"
This doesn't work either; it actually doesn't even make TMPDIR appear in the whitelist (that is, what sudo sudo -V prints as "Environment variables to preserve").
(I'm running Ubuntu 10.04.)
Best Answer
It looks like glibc will remove certain environment variables when running setuid programs (sudo is, of course, setuid). TMPDIR is one of these environment variables, although it doesn't seem to be documented anywhere. This is a security feature to prevent setuid programs from having their environments altered to allow for malicious reading/writing of file data. If you want TMPDIR in your sudo environment, you can pass it explicitly:
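An added diagnostic script, not part of the question or the answer above: it parses a constructed sample of the "sudo sudo -V" listing to report whether a variable is in sudo's preserve, remove or sanity-check lists, and separately flags variables that glibc unsets at setuid startup, which is why env_keep has no effect on TMPDIR. The sample listing, its layout and the glibc variable list (an assumed subset of glibc's unsecvars.h) are assumptions; check them against your own system.

```sh
#!/bin/sh
# Constructed sample of what `sudo sudo -V` prints; assumed layout: a header
# line ending in ':' followed by indented variable names, one per line.
SAMPLE_SUDO_V='Sudo version 1.7.2p1
Environment variables to check for sanity:
    TZ
    TERM
Environment variables to remove:
    RUBYOPT
    LD_PRELOAD
Environment variables to preserve:
    XAUTHORITY
    LANG'

# Print the variable names listed under the section whose header starts with $1.
sudo_env_section() {
    printf '%s\n' "$SAMPLE_SUDO_V" | awk -v hdr="$1" '
        /^Environment variables to/ { inside = (index($0, hdr) == 1); next }
        inside && /^[[:space:]]/   { sub(/^[[:space:]]+/, ""); print; next }
        { inside = 0 }'
}

# Classify $1 as preserve / remove / check / unlisted according to sudo's lists.
sudo_env_status() {
    for section in preserve remove check; do
        if sudo_env_section "Environment variables to $section" | grep -qxF "$1"; then
            echo "$section"; return 0
        fi
    done
    echo unlisted
}

# Assumed subset of glibc's unsecvars.h: variables the dynamic loader unsets for
# setuid binaries before main() runs, so sudo never sees them whatever sudoers says.
GLIBC_UNSECVARS="GCONV_PATH LD_LIBRARY_PATH LD_PRELOAD MALLOC_TRACE TMPDIR TZDIR"
glibc_strips() {
    for v in $GLIBC_UNSECVARS; do [ "$v" = "$1" ] && return 0; done
    return 1
}

# Explain why a variable does or does not reach the command run under sudo.
explain_var() {
    status=$(sudo_env_status "$1")
    if glibc_strips "$1"; then
        echo "$1: unset by glibc at setuid startup; env_keep alone cannot help"
    elif [ "$status" = preserve ]; then
        echo "$1: kept by sudo"
    elif [ "$status" = check ]; then
        echo "$1: kept by sudo only if its value passes the sanity check"
    else
        echo "$1: not in env_keep ($status); env_reset drops it"
    fi
}

explain_var TMPDIR; explain_var LANG; explain_var RUBYOPT
```

Pointing SAMPLE_SUDO_V at the real output of "sudo sudo -V" turns this into a check of the actual sudoers configuration, with the glibc list still covering variables that sudoers cannot influence.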