Bug 459

Summary: !env_reset and env_keep are mutually exclusive
Product: Sudo
Reporter: chesneyb
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: low    
Version: 1.7.4   
Hardware: Sun   
OS: Solaris 2.x   

Description chesneyb 2010-12-30 12:04:37 MST
If I implement

Defaults !env_reset
and 
Defaults env_keep += PERL5LIB

The env_keep statement does not work.
If I do env_keep and do not use !env_reset, env_keep works.
Although many will immediately complain about the security issues ref using PERL5LIB in this manner, I can only suggest that security is not the problem here. The problem is that for specific scenarios, we cannot use !env_reset and env_keep at the same time in order to pass specific variables through. Let the Admin worry about the security; please allow the feature.

Am I correct in assuming that this is a bug?

Comment 1 Todd C. Miller 2011-01-28 16:26:50 MST
env_keep is only intended to be used in conjunction with env_reset.  For the !env_reset case you can remove items from the env_delete blacklist instead.  E.g.

Defaults !env_reset
Defaults env_delete -= "PERL5LIB"
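
A simplified model of the behaviour described in Comment 1, added here as an illustration (not code from sudo or from either participant): with env_reset the env_keep list acts as an allow list, and with !env_reset only the env_delete list is consulted. The variable lists, the sample environment and the function names are constructed for this example; env_check and the variables sudo sets itself are left out.

```python
import re

# Constructed, shortened lists; sudo's real built-in defaults are longer.
ENV_KEEP = ["PATH", "TERM"]
ENV_DELETE = ["LD_*", "PERL5LIB", "PERL5OPT"]

# Constructed environment of the invoking user.
USER_ENV = {
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "PERL5LIB": "/opt/app/lib/perl5",
    "LD_PRELOAD": "/opt/app/lib/libtrace.so",
    "EDITOR": "vi",
}

def matches(name, patterns):
    """True if name matches any pattern; '*' is the only wildcard."""
    for pat in patterns:
        rx = ".*".join(re.escape(part) for part in pat.split("*"))
        if re.fullmatch(rx, name):
            return True
    return False

def command_env(user_env, env_reset, env_keep, env_delete):
    """Return the variables that would be passed through to the command."""
    if env_reset:
        # Allow-list mode: only names on env_keep survive.
        return {k: v for k, v in user_env.items() if matches(k, env_keep)}
    # Deny-list mode: everything survives unless env_delete matches.
    # env_keep is never consulted on this path.
    return {k: v for k, v in user_env.items() if not matches(k, env_delete)}

def scenarios():
    """Names passed through under the three configurations in this report."""
    reported = command_env(USER_ENV, False, ENV_KEEP + ["PERL5LIB"], ENV_DELETE)
    suggested = command_env(USER_ENV, False, ENV_KEEP,
                            [p for p in ENV_DELETE if p != "PERL5LIB"])
    with_reset = command_env(USER_ENV, True, ENV_KEEP + ["PERL5LIB"], ENV_DELETE)
    return {"reported": sorted(reported), "suggested": sorted(suggested),
            "with_reset": sorted(with_reset)}

if __name__ == "__main__":
    for name, kept in scenarios().items():
        print(f"{name:10} -> {kept}")
```

In the "suggested" case everything not on the deny list reaches the command (EDITOR here), while the "with_reset" case passes only the listed names, which is the narrower of the two ways to let PERL5LIB through.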