Remove ENV environment variable from badenv table

sudo-project / sudo

Utility to execute a command as another user

https://www.sudo.ws

Other

1.16k stars 208 forks source link

Remove ENV environment variable from badenv table #267

Open Conobi opened 1 year ago

Conobi commented 1 year ago

The ENV variable was banned and not usable with sudo -E. It doesn't serve any appropriate safety measure anymore, and by default (without --preserve-env=ENV) it can leads to issues passing the ENV variable, which is used in many CI/CD procedures to separate development/staging/production environments.

millert commented 1 year ago

Are you disabling env_reset in sudoers? If so, can't you just remove ENV from the env_delete list? If not I don't see why this would be a problem.

Conobi commented 1 year ago

Are you disabling env_reset in sudoers? If so, can't you just remove ENV from the env_delete list? If not I don't see why this would be a problem.

No, I keep the env_reset enabled by default in my sudoers. This problem happens when doing this:

$ FOO=production sudo -E env | grep "FOO"
FOO=production
$ ENV=production sudo -E env | grep "ENV"
# Returns nothing, because of the obsolete rule
$ ENV=production sudo -E --preserve-env=ENV env | grep "ENV"
ENV=production
# Returns the specified value, but a bit hacky and not documented

millert commented 1 year ago

If you need ENV to be preserved for "sudo -E" you can use a line like the following in sudoers:

Defaults env_delete -= ENV

Since setting ENV allows arbitrary commands to be run outside of sudo control I'm not convinced that it should be removed from the env_delete list.