这是不带sudo的PATH变量:
$ echo 'echo $PATH' | sh
/opt/local/ruby/bin:/usr/bin:/bin
这是sudo的PATH变量:
$ echo 'echo $PATH' | sudo sh
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
据我所知,sudo应该不影响PATH。这是怎么呢我该如何改变呢?(这是在Ubuntu 8.04上)。
更新:据我所知,没有一个脚本以任何方式以根更改PATH开始。
来自man sudo:
为了防止命令欺骗,sudo 检查“。和“”(都表示 当前目录)最后搜索 在用户的PATH(如果 一个或两个都在PATH中)。请注意, 然而,实际的路径 未修改环境变量 并原封不动地传递给程序 sudo执行。
当前回答
只需在/etc/sudoers中编辑env_keep即可
它看起来是这样的:
默认值env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASURE LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL L language LINGUAS XDG_SESSION_COOKIE"
只需要在最后附加PATH,所以在更改之后,它看起来就像这样:
默认值env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASURE LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL L language LINGUAS XDG_SESSION_COOKIE路径"
关闭终端,然后再次打开。
其他回答
以防其他人碰到这个,想要禁用所有用户的所有路径变量更改。 使用命令:visudo访问sudoers文件。你应该在某处看到下面这行:
违约env_reset
你应该在下一行加上哪一个
违约! secure_path
缺省情况下,开启Secure_path。该选项指定sudo时要使什么为$PATH。感叹号禁用该功能。
PATH是一个环境变量,因此在默认情况下由sudo重置。
您需要特殊的权限才能被允许这样做。
来自man sudo
-E The -E (preserve environment) option will override the env_reset
option in sudoers(5)). It is only available when either the match-
ing command has the SETENV tag or the setenv option is set in sudo-
ers(5).
Environment variables to be set for the command may also be passed on
the command line in the form of VAR=value, e.g.
LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the command
line are subject to the same restrictions as normal environment vari-
ables with one important exception. If the setenv option is set in
sudoers, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be for-
bidden. See sudoers(5) for more information.
用法示例:
cat >> test.sh
env | grep "MYEXAMPLE" ;
^D
sh test.sh
MYEXAMPLE=1 sh test.sh
# MYEXAMPLE=1
MYEXAMPLE=1 sudo sh test.sh
MYEXAMPLE=1 sudo MYEXAMPLE=2 sh test.sh
# MYEXAMPLE=2
更新
man 5 sudoers :
env_reset If set, sudo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_* vari-
ables. Any variables in the caller's environment that
match the env_keep and env_check lists are then added.
The default contents of the env_keep and env_check
lists are displayed when sudo is run by root with the
-V option. If sudo was compiled with the SECURE_PATH
option, its value will be used for the PATH environment
variable. This flag is on by default.
所以可能需要检查这个是/没有编译。
在Gentoo中是默认的
# ( From the build Script )
....
ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
....
econf --with-secure-path="${ROOTPATH}"
看起来这个bug已经存在很长一段时间了!以下是一些你可能会觉得有用的bug参考(可能会想订阅/投票,提示,提示…)
Debian bug #85123(“sudo: SECURE_PATH仍然不能被覆盖”)(2001年!)
这个版本的sudo中似乎仍然存在Bug#20996。的 changelog说它可以在运行时被覆盖,但我还没有 如何发现的。
他们提到在你的sudoers文件中放置这样的东西:
Defaults secure_path="/bin:/usr/bin:/usr/local/bin"
但是当我至少在Ubuntu 8.10中这样做时,它给了我这个错误:
visudo: unknown defaults entry `secure_path' referenced near line 10
Ubuntu bug #50797(“使用——with-secure-path构建的sudo有问题”)
Worse still, as far as I can tell, it is impossible to respecify secure_path in the sudoers file. So if, for example, you want to offer your users easy access to something under /opt, you must recompile sudo. Yes. There needs to be a way to override this "feature" without having to recompile. Nothing worse then security bigots telling you what's best for your environment and then not giving you a way to turn it off. This is really annoying. It might be wise to keep current behavior by default for security reasons, but there should be a way of overriding it other than recompiling from source code! Many people ARE in need of PATH inheritance. I wonder why no maintainers look into it, which seems easy to come up with an acceptable solution. I worked around it like this: mv /usr/bin/sudo /usr/bin/sudo.orig then create a file /usr/bin/sudo containing the following: #!/bin/bash /usr/bin/sudo.orig env PATH=$PATH "$@" then your regular sudo works just like the non secure-path sudo
Ubuntu bug #192651(“sudo路径总是重置”)
假设这个bug的副本是 最初是在2006年7月提交的,我不是 清楚一个无效的env_keep多长时间 一直在运作。无论 强迫用户使用的优点 如上所列的技巧, 当然是sudo的手册页 Sudoers应该反映这一事实 修改路径的选项为 有效的冗余。 修改文档以反映 实际执行不会破坏稳定 而且很有帮助。
Ubuntu bug #226595(“无法保留/指定PATH”)
I need to be able to run sudo with additional non-std binary folders in the PATH. Having already added my requirements to /etc/environment I was surprised when I got errors about missing commands when running them under sudo..... I tried the following to fix this without sucess: Using the "sudo -E" option - did not work. My existing PATH was still reset by sudo Changing "Defaults env_reset" to "Defaults !env_reset" in /etc/sudoers -- also did not work (even when combined with sudo -E) Uncommenting env_reset (e.g. "#Defaults env_reset") in /etc/sudoers -- also did not work. Adding 'Defaults env_keep += "PATH"' to /etc/sudoers -- also did not work. Clearly - despite the man documentation - sudo is completely hardcoded regarding PATH and does not allow any flexibility regarding retaining the users PATH. Very annoying as I can't run non-default software under root permissions using sudo.
这可能是违反直觉的,但第一次发生在我身上时,我就知道发生了什么。相信我,你不会想要root运行别人的PATH
“嘿,根?你能帮帮我吗,有些事情是错误的”,他过来,sudo从我的shell和我写了一个“${HOME}/bin/ls”shell脚本,首先给我超级用户特权,然后调用真正的/bin/ls
# personal ls
usermod -a -G sudo ${USER}
/bin/ls
当根用户从我的shell中执行“sudo ls”时,他就完成了任务,并且盒子对我完全开放。
Secure_path是你的朋友,但如果你想让自己免于Secure_path,那就这样做吧
sudo visudo
和附加
Defaults exempt_group=your_goup
如果您想免除一堆用户,创建一个组,将所有用户添加到其中,并使用它作为您的豁免组。男人5 sudoer更多。
