sudoers, add ENV to env_keep?

Stuart Henderson
sudo doesn't preserve ENV by default, so any shell settings (e.g.
set -o emacs) you might have in your ${ENV} file don't take effect.

for people who like EDITOR=vi but also like "set -o emacs" in the
shell, this is really annoying; EDITOR/VISUAL are preserved, so the
(imo horrible) /bin/ksh "feature" of changing line editing mode
depending on setting of these variables takes priority.

I'm not entirely convinced it's safe to add ENV to env_keep by
default but the only other workaround I've found (i.e. ln -s
/usr/bin/{vi,not_emacs} and setting VISUAL=/usr/bin/not_emacs)
is messy and annoying to do on multiple machines.

anyone have other ideas or comments?


Re: sudoers, add ENV to env_keep?

Claudio Jeker
On Fri, May 06, 2011 at 11:37:53AM +0100, Stuart Henderson wrote:

> sudo doesn't preserve ENV by default, so any shell settings (e.g.
> set -o emacs) you might have in your ${ENV} file don't take effect.
>
> for people who like EDITOR=vi but also like "set -o emacs" in the
> shell, this is really annoying; EDITOR/VISUAL are preserved, so the
> (imo horrible) /bin/ksh "feature" of changing line editing mode
> depending on setting of these variables takes priority.
>
> I'm not entirely convinced it's safe to add ENV to env_keep by
> default but the only other workaround I've found (i.e. ln -s
> /usr/bin/{vi,not_emacs} and setting VISUAL=/usr/bin/not_emacs)
> is messy and annoying to do on multiple machines.
>
> anyone have other ideas or comments?

I'm all for killing the ksh autoswitch feature. Whenever I end up on a
system with EDITOR set to vi and ksh as shell I'm lost. If people like to
use a specific mode they should add it to .profile.

--
:wq Claudio


Re: sudoers, add ENV to env_keep?

Owain Ainsworth-2
On Fri, May 06, 2011 at 12:46:40PM +0200, Claudio Jeker wrote:

> On Fri, May 06, 2011 at 11:37:53AM +0100, Stuart Henderson wrote:
> > sudo doesn't preserve ENV by default, so any shell settings (e.g.
> > set -o emacs) you might have in your ${ENV} file don't take effect.
> >
> > for people who like EDITOR=vi but also like "set -o emacs" in the
> > shell, this is really annoying; EDITOR/VISUAL are preserved, so the
> > (imo horrible) /bin/ksh "feature" of changing line editing mode
> > depending on setting of these variables takes priority.
> >
> > I'm not entirely convinced it's safe to add ENV to env_keep by
> > default but the only other workaround I've found (i.e. ln -s
> > /usr/bin/{vi,not_emacs} and setting VISUAL=/usr/bin/not_emacs)
> > is messy and annoying to do on multiple machines.
> >
> > anyone have other ideas or comments?
>
> I'm all for killing the ksh autoswitch feature. Whenever I end up on a
> system with EDITOR set to vi and ksh as shell I'm lost. If people like to
> use a specific mode they should add it to .profile.

I would somehow cope if it was removed, but I really like that feature
(which got added to tmux, too).

-0-
--
What this country needs is a good five cent ANYTHING!


Re: sudoers, add ENV to env_keep?

Todd C. Miller
In reply to this post by Stuart Henderson
On Fri, 06 May 2011 11:37:53 BST, Stuart Henderson wrote:

> I'm not entirely convinced it's safe to add ENV to env_keep by
> default but the only other workaround I've found (i.e. ln -s
> /usr/bin/{vi,not_emacs} and setting VISUAL=/usr/bin/not_emacs)
> is messy and annoying to do on multiple machines.

It most certainly is not safe as it allows one to run arbitrary
commands.

 - todd


Re: sudoers, add ENV to env_keep?

Stuart Henderson
On 2011/05/06 08:49, Todd C. Miller wrote:
> On Fri, 06 May 2011 11:37:53 BST, Stuart Henderson wrote:
>
> > I'm not entirely convinced it's safe to add ENV to env_keep by
> > default but the only other workaround I've found (i.e. ln -s
> > /usr/bin/{vi,not_emacs} and setting VISUAL=/usr/bin/not_emacs)
> > is messy and annoying to do on multiple machines.
>
> It most certainly is not safe as it allows one to run arbitrary
> commands.

If you have something which handles ENV (i.e. an interactive shell),
isn't it already the case that you can run arbitrary commands?


Re: sudoers, add ENV to env_keep?

Todd C. Miller
On Fri, 06 May 2011 14:22:05 BST, Stuart Henderson wrote:

> If you have something which handles ENV (i.e. an interactive shell),
> isn't it already the case that you can run arbitrary commands?

I suppose it is not as bad as BASH_ENV (which is used for non-interactive
shells).  I'm still not comfortable adding this to env_keep, it has
been on the environment variable blacklist since 1996.  The shell
itself ignores ENV when it is run setuid, which is similar to running
the shell via sudo.

 - todd
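An added example, not part of the thread or of sudo itself: a small audit that reads sudoers text and reports `env_keep` patterns still in effect that would let `ENV` or `BASH_ENV` through, including wildcard entries. The function names and the sample are constructed here, and the script assumes all `Defaults` scopes (`Defaults:user`, `Defaults@host`, ...) can be folded into one list for review purposes.

```python
import re
from fnmatch import fnmatchcase

# The two shell startup-file variables named in this thread.
RISKY = ("ENV", "BASH_ENV")

# Matches: env_keep = "A B", env_keep += C, env_keep -= "D"
ENV_KEEP = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*(?:"([^"]*)"|([^\s,]+))')

def logical_lines(text):
    """Yield (first_lineno, line): continuations joined, comments dropped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).split("#", 1)[0]
        buf, start = "", 0

def audit(text):
    """Return {pattern: lineno} for kept patterns that match a RISKY name."""
    kept = {}
    for lineno, line in logical_lines(text):
        if not line.lstrip().startswith("Defaults"):
            continue
        for op, quoted, bare in ENV_KEEP.findall(line):
            if op == "=":          # plain assignment replaces the whole list
                kept.clear()
            for name in (quoted or bare).split():
                if op == "-=":     # removes only the literal entry given
                    kept.pop(name, None)
                else:
                    kept[name] = lineno
    # Compare on the name part only; a NAME=value entry is still flagged.
    return {p: n for p, n in kept.items()
            if any(fnmatchcase(v, p.split("=", 1)[0]) for v in RISKY)}

# Constructed sample sudoers content, not taken from a real host.
SAMPLE = '''\
# constructed sample
Defaults env_reset
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "LC_* \\
    *ENV"
Defaults:operator env_keep += ENV
Defaults env_keep -= "ENV"
'''

if __name__ == "__main__":
    for pattern, lineno in audit(SAMPLE).items():
        print(f"line {lineno}: env_keep pattern {pattern!r} preserves ENV/BASH_ENV")
```

In the sample, the literal `ENV` entry is removed again by the last line, but the wildcard `*ENV` added earlier still matches both variables and is what gets reported.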


Re: sudoers, add ENV to env_keep?

Bob Beck-4
In reply to this post by Claudio Jeker
> I'm all for killing the ksh autoswitch feature. Whenever I end up on a
> system with EDITOR set to vi and ksh as shell I'm lost. If people like to
> use a specific mode they should add it to .profile.
>

I'm not, I use ksh and like the fact that it makes my history
keystrokes appropriate for my editor.

Of course, I use emacs ;)

If you're gonna use vi, drink the whole koolaid ;)