This is the PATH variable without sudo:
$ echo 'echo $PATH' | sh
/opt/local/ruby/bin:/usr/bin:/bin
This is the PATH variable with sudo:
$ echo 'echo $PATH' | sudo sh
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
As far as I can tell, sudo is supposed to leave PATH untouched. What's going on? How do I change this? (This is on Ubuntu 8.04).
UPDATE: as far as I can see, none of the scripts started as root change PATH in any way.
From man sudo:
To prevent command spoofing, sudo checks ``.'' and ``'' (both denoting current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH environment variable is not modified and is passed unchanged to the program that sudo executes.
17 solutions
#1
230
This is an annoying function a feature of sudo on many distributions.
To work around this "problem" on ubuntu I do the following in my ~/.bashrc
alias sudo='sudo env PATH=$PATH'
Note the above will work for commands that don't reset the $PATH themselves. However `su' resets its $PATH so you must use -p to tell it not to. I.E.:
sudo su -p
#2
113
In case someone else runs across this and wants to just disable all path variable changing for all users.
Access your sudoers file by using the command: visudo. You should see the following line somewhere:
Defaults env_reset
after which you should add the following on the next line:
Defaults !secure_path
secure_path is enabled by default. This option specifies what to make $PATH when sudoing. The exclamation mark disables the feature.
#3
31
PATH is an environment variable, and as such is by default reset by sudo.
You need special permissions to be permitted to do this.
From man sudo:
-E The -E (preserve environment) option will override the env_reset option in sudoers(5)). It is only available when either the matching command has the SETENV tag or the setenv option is set in sudoers(5).
Environment variables to be set for the command may also be passed on the command line in the form of VAR=value, e.g. LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the command line are subject to the same restrictions as normal environment variables with one important exception. If the setenv option is set in sudoers, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables that would overwise be forbidden. See sudoers(5) for more information.
An Example of usage:
cat >> test.sh
env | grep "MYEXAMPLE" ;
^D
sh test.sh
MYEXAMPLE=1 sh test.sh
# MYEXAMPLE=1
MYEXAMPLE=1 sudo sh test.sh
MYEXAMPLE=1 sudo MYEXAMPLE=2 sh test.sh
# MYEXAMPLE=2
update
man 5 sudoers : env_reset If set, sudo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable. This flag is on by default.
So may need to check that this is/is not compiled in.
It is by default in Gentoo
# ( From the build Script )
....
ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
....
econf --with-secure-path="${ROOTPATH}"
#4
17
Looks like this bug has been around for quite a while! Here are some bug references you may find helpful (and may want to subscribe to / vote up, hint, hint...):
Debian bug #85123 ("sudo: SECURE_PATH still can't be overridden") (from 2001!)
It seems that Bug#20996 is still present in this version of sudo. The changelog says that it can be overridden at runtime but I haven't yet discovered how.
They mention putting something like this in your sudoers file:
Defaults secure_path="/bin:/usr/bin:/usr/local/bin"
but when I do that in Ubuntu 8.10 at least, it gives me this error:
visudo: unknown defaults entry `secure_path' referenced near line 10
Ubuntu bug #50797 ("sudo built with --with-secure-path is problematic")
Worse still, as far as I can tell, it is impossible to respecify secure_path in the sudoers file. So if, for example, you want to offer your users easy access to something under /opt, you must recompile sudo.
Yes. There needs to be a way to override this "feature" without having to recompile. Nothing worse than security bigots telling you what's best for your environment and then not giving you a way to turn it off.
This is really annoying. It might be wise to keep current behavior by default for security reasons, but there should be a way of overriding it other than recompiling from source code! Many people ARE in need of PATH inheritance. I wonder why no maintainers look into it, which seems easy to come up with an acceptable solution.
I worked around it like this:
mv /usr/bin/sudo /usr/bin/sudo.orig
then create a file /usr/bin/sudo containing the following:
#!/bin/bash
/usr/bin/sudo.orig env PATH=$PATH "$@"
then your regular sudo works just like the non secure-path sudo
Ubuntu bug #192651 ("sudo path is always reset")
Given that a duplicate of this bug was originally filed in July 2006, I'm not clear how long an ineffectual env_keep has been in operation. Whatever the merits of forcing users to employ tricks such as that listed above, surely the man pages for sudo and sudoers should reflect the fact that options to modify the PATH are effectively redundant.
Modifying documentation to reflect actual execution is non destabilising and very helpful.
Ubuntu bug #226595 ("impossible to retain/specify PATH")
I need to be able to run sudo with additional non-std binary folders in the PATH. Having already added my requirements to /etc/environment I was surprised when I got errors about missing commands when running them under sudo.....
I tried the following to fix this without success:
Using the "sudo -E" option - did not work. My existing PATH was still reset by sudo
Changing "Defaults env_reset" to "Defaults !env_reset" in /etc/sudoers -- also did not work (even when combined with sudo -E)
Uncommenting env_reset (e.g. "#Defaults env_reset") in /etc/sudoers -- also did not work.
Adding 'Defaults env_keep += "PATH"' to /etc/sudoers -- also did not work.
Clearly - despite the man documentation - sudo is completely hardcoded regarding PATH and does not allow any flexibility regarding retaining the user's PATH. Very annoying as I can't run non-default software under root permissions using sudo.
#5
13
This seemed to work for me
sudo -i
which takes on the non-sudo PATH
#6
10
I think it is in fact desirable to have sudo reset the PATH: otherwise an attacker having compromised your user account could put backdoored versions of all kinds of tools on your users' PATH, and they would be executed when using sudo.
(of course having sudo reset the PATH is not a complete solution to these kinds of problems, but it helps)
This is indeed what happens when you use
Defaults env_reset
in /etc/sudoers without using exempt_group or env_keep.
This is also convenient because you can add directories that are only useful for root (such as /sbin and /usr/sbin) to the sudo path without adding them to your users' paths. To specify the path to be used by sudo:
Defaults secure_path="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin"
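Answer #6's rationale as a defender-side check, added here as an example and not part of the thread: the function below flags PATH entries that a non-root account could use to place a binary where a root command would find it. The name audit_path, the reason labels and the sample value are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread. audit_path is a hypothetical helper
# name; it is not part of sudo.
#
# Audits a PATH-style value before it is allowed to reach a root command,
# whether through env_keep, the "env PATH=$PATH" alias, or as a candidate
# secure_path setting.
#
# Prints one "REASON<TAB>entry" line per flagged entry and returns 1 if
# anything was flagged, 0 otherwise.
audit_path() {
    rest="$1:"        # add a trailing ':' so the last entry is consumed too
    flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        reason=
        case $entry in
            "") reason=empty ;;        # an empty entry means the current directory
            .)  reason=dot ;;
            /*) ;;                     # absolute: inspect the directory below
            *)  reason=relative ;;
        esac
        if [ -z "$reason" ]; then
            if [ ! -d "$entry" ]; then
                reason=missing
            else
                # Numeric listing of the directory itself, following symlinks
                # (/bin is often a link): field 1 is the mode, field 3 the uid.
                mode_uid=$(ls -ldLn "$entry" | awk '{ print $1, $3; exit }')
                mode=${mode_uid% *}
                uid=${mode_uid#* }
                case $mode in
                    ?????w*|????????w*) reason=writable ;;  # group or other write bit
                    *) [ "$uid" = 0 ] || reason=not-root-owned ;;
                esac
            fi
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$entry"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed sample: a home-directory entry like the one in answer #7's user
# PATH, a "." entry, and a trailing ':' (which is an empty entry).
audit_path '/home/abolte/bin:/usr/bin:.:' ||
    echo 'flagged entries found: do not pass this PATH through to root commands'
```

The writable and not-root-owned findings are the case answer #6 describes: a directory where a compromised user account can drop a replacement for a common tool.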
#7
7
Works now using sudo from the karmic repositories. Details from my configuration:
root@sphinx:~# cat /etc/sudoers | grep -v -e '^$' -e '^#'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/grub-1.96/sbin:/opt/grub-1.96/bin"
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root@sphinx:~# cat /etc/apt/sources.list
deb http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe
deb http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe
deb http://security.ubuntu.com/ubuntu jaunty-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted universe
deb http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe
deb http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe
deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu karmic-security main restricted universe
root@sphinx:~#
root@sphinx:~# cat /etc/apt/preferences
Package: sudo
Pin: release a=karmic-security
Pin-Priority: 990
Package: sudo
Pin: release a=karmic-updates
Pin-Priority: 960
Package: sudo
Pin: release a=karmic
Pin-Priority: 930
Package: *
Pin: release a=jaunty-security
Pin-Priority: 900
Package: *
Pin: release a=jaunty-updates
Pin-Priority: 700
Package: *
Pin: release a=jaunty
Pin-Priority: 500
Package: *
Pin: release a=karmic-security
Pin-Priority: 450
Package: *
Pin: release a=karmic-updates
Pin-Priority: 250
Package: *
Pin: release a=karmic
Pin-Priority: 50
root@sphinx:~# apt-cache policy sudo
sudo:
Installed: 1.7.0-1ubuntu2
Candidate: 1.7.0-1ubuntu2
Package pin: 1.7.0-1ubuntu2
Version table:
*** 1.7.0-1ubuntu2 930
50 http://au.archive.ubuntu.com karmic/main Packages
100 /var/lib/dpkg/status
1.6.9p17-1ubuntu3 930
500 http://au.archive.ubuntu.com jaunty/main Packages
root@sphinx:~# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin
root@sphinx:~# exit
exit
abolte@sphinx:~$ echo $PATH
/home/abolte/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/chromium-17593:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/xpra-0.0.6/bin
abolte@sphinx:~$
It's wonderful to finally have this solved without using a hack.
#8
4
# cat .bash_profile | grep PATH
PATH=$HOME/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
export PATH
# cat /etc/sudoers | grep Defaults
Defaults requiretty
Defaults env_reset
Defaults env_keep = "SOME_PARAM1 SOME_PARAM2 ... PATH"
#9
3
Just comment out "Defaults env_reset" in /etc/sudoers
#10
3
Just edit env_keep in /etc/sudoers
It looks something like this:
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Just append PATH at the end, so after the change it would look like this:
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE PATH"
Close the terminal and then open again.
#11
2
Secure_path is your friend, but if you want to exempt yourself from secure_path just do
sudo visudo
And append
Defaults exempt_group=your_group
If you want to exempt a bunch of users, create a group, add all the users to it, and use that as your exempt_group. man 5 sudoers for more.
#12
1
The recommended solution in the comments on the OpenSUSE distro suggests changing:
Defaults env_reset
to:
Defaults !env_reset
and then presumably to comment out the following line which isn't needed:
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
#13
1
Commenting out both "Defaults env_reset" and "Defaults secure_path ..." in the /etc/sudoers file works for me
#14
1
You can also move your file to a directory used by sudoers:
sudo mv $HOME/bash/script.sh /usr/sbin/
#15
0
Er, it's not really a test if you don't add something to your path:
bill@bill-desktop:~$ ls -l /opt/pkg/bin
total 12
-rwxr-xr-x 1 root root 28 2009-01-22 18:58 foo
bill@bill-desktop:~$ which foo
/opt/pkg/bin/foo
bill@bill-desktop:~$ sudo su
root@bill-desktop:/home/bill# which foo
root@bill-desktop:/home/bill#
#16
0
The PATH will be reset when using su or sudo by the definition of ENV_SUPATH, and ENV_PATH defined in /etc/login.defs
#17
0
$PATH is an environment variable, which means that the value of $PATH can differ for other users.
When you log in to your system, your profile settings decide the value of $PATH.
Now, let's take a look:
User | Value of $PATH
--------------------------
root /var/www
user1 /var/www/user1
user2 /var/www/html/private
Suppose that these are the values of $PATH for different users. Now, when you execute any command with sudo, it is actually the root user that executes that command.
You can confirm this by executing these commands in a terminal:
user@localhost$ whoami
username
user@localhost$ sudo whoami
root
user@localhost$
This is the reason. I think it's clear to you.