I have circus installed in a Python virtualenv using virtualenvwrapper, and I want to run it with sudo. Sounds simple, right? Unfortunately even after reading `man sudo` and `man sudoers`, I don't succeed in getting the normal user's PATH to stick after the sudo. Debian 7.8 (Wheezy).

Here's /etc/sudoers:

```
deploy@devops:~$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
Defaults    !env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
deploy ALL=(ALL) NOPASSWD:ALL
```

Here's the normal user's PATH:

```
deploy@devops:~$ echo $PATH
/home/deploy/.nix-profile/bin:/home/deploy/.nix-profile/sbin:/home/deploy/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
```

Now let's activate the virtualenv and verify it's changed PATH:

```
deploy@devops:~$ workon circus

(circus)deploy@devops:/srv/circus/project$ echo $PATH
/home/deploy/.virtualenvs/circus/bin:/home/deploy/.nix-profile/bin:/home/deploy/.nix-profile/sbin:/home/deploy/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
```

Great. Now let's see what path root gets:

```
(circus)deploy@devops:/srv/circus/project$ sudo su
root@devops:/srv/circus/project# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

What happened? Why is it using `secure_path`? I negated `env_reset` with the exclamation mark. `sudo -E` exhibits exactly the same behaviour, and if I do `export FOO=bar` then `sudo su` and `echo $FOO`, I do indeed get `bar`...

Very frustrating, and grateful for any help. Happy to clarify if it's not clear.

antgel
  • It's a security feature. See `http://unix.stackexchange.com/questions/83191/how-to-make-sudo-preserve-path` for a workaround. – william Aug 12 '15 at 17:40
  • Why do you have secure_path set at all if you don't want it to apply? – Andy Aug 13 '15 at 07:48

1 Answer

Got it, I had already tried `sudo env "PATH=$PATH"` as mentioned in @william's comment, but embarrassingly I had forgotten to exit the editor from `visudo`, so I was saving the `.tmp` file. *blush*

In short, setting `Defaults !env_reset` and using `sudo env "PATH=$PATH"` works well. Thanks for the comments.

antgel
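Because `sudo env "PATH=$PATH"` makes root resolve command names through the caller's directories, it helps to check which of those directories a non-root user could modify before forwarding them. The following is an added example, not part of the original question or answer; the function name `audit_path` and its output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string before handing it to root with
#   sudo env "PATH=$PATH" <command>
# Prints one line per risky entry; prints nothing if every entry is an
# absolute, existing directory owned by the trusted uid and not writable
# by group or others.
# Usage: audit_path "$PATH" [trusted_uid]   (trusted_uid defaults to 0)
audit_path() {
    path_string=$1
    trusted_uid=${2:-0}
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ':'
    for dir in $path_string; do
        case $dir in
            '')  echo "EMPTY-ENTRY (means current directory)"; continue ;;
            /*)  ;;
            *)   echo "RELATIVE $dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            continue
        fi
        # -H: judge the target of a symlinked entry such as /bin -> /usr/bin
        if [ -n "$(find -H "$dir" -prune ! -user "$trusted_uid")" ]; then
            echo "OWNER $dir"
        fi
        if [ -n "$(find -H "$dir" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
            echo "WRITABLE $dir"
        fi
    done
    set +f
    IFS=$old_ifs
}
```

Run it as `audit_path "$PATH"` from the shell where the virtualenv is active; entries under a user's home directory, such as a virtualenv `bin`, will normally be reported as `OWNER` because they do not belong to root.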