Bug 613 - Split up functions of exempt_group
Status: ASSIGNED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.6
Hardware: PC Linux
Importance: normal enhancement
Assigned To: Todd C. Miller
Reported: 2013-08-29 15:43 MDT by jonny
Modified: 2013-08-30 09:38 MDT

Description jonny 2013-08-29 15:43:08 MDT
Right now, the exempt_group setting does two things:
1) Lets people run sudo without entering their password.
2) Lets people keep their PATH variables and other environment settings when executing sudo (including sudo -u somespecialuser).

It'd be nice to break these functions up, so that you could either allow a group to keep their environment variables, or skip password entry, or both!

The use case is especially important when using the sudo -u option, where you might need to run commands as another user utilizing the path options and environment variables set in /etc/profile.d/ or even your own .bash_profile.

Comment 1 Todd C. Miller 2013-08-30 09:38:37 MDT
You can already do this.  For example,

Defaults exempt_group=sudoers

is equivalent to:

Defaults:%sudoers !authenticate,!secure_path

The secure_path setting doesn't allow the user to preserve environment variables other than PATH, though this can be controlled to a certain extent using other sudoers Defaults settings.
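
The split the report asks for, written as separate group-scoped Defaults lines (an added example, not part of the original thread; the group names nopass_admins and path_keepers and the variables named in env_keep are hypothetical):

```sudoers
# Constructed sudoers fragment; check syntax with "visudo -c" before deploying.
# Group-scoped Defaults match the invoking user's groups, so they also apply
# when that user runs "sudo -u somespecialuser".

# 1) Skip the password prompt only. secure_path (if set globally) still
#    replaces PATH for these users.
Defaults:%nopass_admins !authenticate

# 2) Keep the invoking user's PATH only. These users still authenticate.
Defaults:%path_keepers  !secure_path

# Variables other than PATH are governed by env_reset and env_keep, not by
# secure_path. Preserve a named set instead of disabling env_reset.
Defaults:%path_keepers  env_keep += "JAVA_HOME ORACLE_HOME"

# A user who belongs to both groups gets both behaviours, which matches
# what exempt_group provides for its single group.
```

Keeping the two settings on separate lines limits the unsanitized PATH to the one group that needs it, while secure_path stays enforced for everyone else.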