4

I have a working LDAP authentication environment. The LDAP server is an Ubuntu 12.04 machine while the clients are all CentOS 6.4 machines. Recently I configured sudoers in LDAP following this article http://www.malaya-digital.org/configure-ldap-for-sudo-support-in-ubuntu-server-11-04-64-bit/

Everything works fine except that the PATH is strange when using sudo to execute command.

Here is the PATH under sudo:

# sudo printenv PATH
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

It seems that every command listed in the PATH shown above can be executed, except those in /bin. For example:

# sudo which node
/usr/local/bin/node

# sudo which zip
/usr/bin/zip

# sudo which ip
/sbin/ip

# sudo which ls
which: no ls in ("/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin") #WTF??

# sudo ls /
sudo: ls: command not found

However, when using the full path to execute a command in /bin, it works.

# sudo /bin/ls /
bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  NFS  opt  proc  root  sbin  selinux  srv  sys  tmp  usr  var

I have read Problems with sudo in path and Troubleshooting sudoers via ldap, but found no clue as to what's wrong.

The LDAP entry with the PATH setting is as follows:

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOrder: 1
sudoOption: env_reset
sudoOption: secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
user1817188
  • Related: [Why are PATH variables different when running via sudo and su?](http://unix.stackexchange.com/q/8646/21471) at Unix – kenorb Dec 24 '15 at 17:46

2 Answers

3

I came to the same problem today and I believe that the solution is simply to remove the double quotes from the secure_path option:

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOrder: 1
sudoOption: env_reset
sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

By surrounding it with quotes, as you can see in the result of sudo printenv PATH, the PATH contains the quotes themselves. This seems to correspond to one funny long path, in which directory names contain colons --- not what you want...

Your answer seems to circumvent the problem, probably because the colon at the end has the special meaning of appending some default path. Try sudo printenv PATH to see what's going on --- it did not work in my case.

With the LDIF that I propose above, what you get is the right PATH:

$ sudo printenv PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
nickie
2

I found the solution myself, though I do not know exactly why it works.

It is quite simple: adding ":" to the end of the secure_path in the LDAP entry fixed all the problems.

secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
user1817188
  • I believe that this answer does not work properly. The colon at the end may be appending the default path. I tried it and could not execute anything in `/usr/local/sbin`, which apparently is not in the default path. – nickie Jul 13 '15 at 23:32
  • What @nickie said. You might want to change the accepted answer accordingly. – gxx Oct 12 '16 at 13:22