Bug 613

Summary: Split up functions of exempt_group
Product: Sudo
Reporter: jonny <jonteh1337>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED
Severity: enhancement
Priority: normal
Version: 1.8.6
Hardware: PC
OS: Linux

Description jonny 2013-08-29 15:43:08 MDT
Right now, the exempt_group setting does two things:
1) Lets people run sudo without entering their password.
2) Lets people keep their PATH variables and other environment settings when executing sudo (including sudo -u somespecialuser).

It'd be nice to break these functions up, so that you could either allow a group to keep their environment variables, or skip password entry, or both!

The use case is especially important when using the sudo -u option, where you might need to run commands as another user utilizing the path options and environment variables set in /etc/profile.d/ or even your own .bash_profile.

Comment 1 Todd C. Miller 2013-08-30 09:38:37 MDT
You can already do this.  For example,

Defaults exempt_group=sudoers

is equivalent to:

Defaults:%sudoers !authenticate,!secure_path

The secure_path setting doesn't allow the user to preserve environment variables other than PATH, though this can be controlled to a certain extent using other sudoers Defaults settings.
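
An added example, not part of the original report or of the sudo project's own documentation: a sudoers fragment that grants the two effects of exempt_group separately, using the per-group Defaults settings named in the comment above. The group names nopasswd_ops and keeppath_ops and the variables listed in env_keep are hypothetical.

```sudoers
# Added example; group names and env_keep variables are hypothetical.

# Both effects at once, as exempt_group does:
#   Defaults exempt_group=sudoers

# Effect 1 only: members skip the password prompt.
# secure_path, if set, still overrides their PATH.
Defaults:%nopasswd_ops !authenticate

# Effect 2 only: secure_path is not applied to members,
# but they still have to authenticate.
Defaults:%keeppath_ops !secure_path

# Variables other than PATH are not covered by secure_path.
# Preserve a short, named list for the group instead of
# turning off env_reset for everyone.
Defaults:%keeppath_ops env_keep += "JAVA_HOME EDITOR"

# A user who needs both effects is simply placed in both groups.
```

Check the file with visudo -cf before installing it, since a syntax error in sudoers can lock out sudo access.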