squell
commented
3 days ago This is related to #760, since the SETENV and NOSETENV option modulate this feature (ALL has an implicit SETENV, for instance). But it can be implemented separately.
Open squell opened 3 days ago
squell
commented
3 days ago This is related to #760, since the SETENV and NOSETENV option modulate this feature (ALL has an implicit SETENV, for instance). But it can be implemented separately.
These are currently supported by the CLI parser, but ignored.
We had discussed what the potential use case for these are (since you can usually set environment variables when becoming root). But it's clear that sudo also does some environment filtering on the variables passed using
sudo env-varin line with the security configuration.We often fall into this trap that 'sudo = run0', i.e. it's always the nuclear "become root" option. For systems that offer "limited privilege escalation" (that both sudo and doas support), env var filtering does offer a controlled way to allow users to set things in the execution environment that they might need to.