Document the interaction between sudoers environment handling and

the pam_env module.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 330af85875bc4aab3ca950042a17ad3bd6833048..b59cdcc069bb9208d69da5a2e742330162e9fec3 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -148,6 +148,16 @@ D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
      The list of environment variables that s\bsu\bud\bdo\bo allows or denies is contained
      in the output of ``sudo -V'' when run as root.
 
+     On systems that support PAM where the p\bpa\bam\bm_\b_e\ben\bnv\bv module is enabled for s\bsu\bud\bdo\bo,
+     variables in the PAM environment may be merged in to the environment.  If
+     a variable in the PAM environment is already present in the user's
+     environment, the value will only be overridden if the variable was not
+     preserved by s\bsu\bud\bdo\boe\ber\brs\bs.\b. When _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled, variables preserved from
+     the invoking user's environment by the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list take precedence over
+     those in the PAM environment.  When _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled, variables
+     present the invoking user's environment take precedence over those in the
+     PAM environment unless they match a pattern in the _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be list.
+
      Note that the dynamic linker on most operating systems will remove
      variables that can control dynamic linking from the environment of setuid
      executables, including s\bsu\bud\bdo\bo.  Depending on the operating system this may

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index d3595b4063f9faea58693b6d0cac14f74f326199..4c5cfb3deb85d96c62becacb97993c0eb36a5825 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -365,6 +365,29 @@ contained in the output of
 \(lq\fRsudo -V\fR\(rq
 when run as root.
 .PP
+On systems that support PAM where the
+\fBpam_env\fR
+module is enabled for
+\fBsudo\fR,
+variables in the PAM environment may be merged in to the environment.
+If a variable in the PAM environment is already present in the
+user's environment, the value will only be overridden if the variable
+was not preserved by
+\fBsudoers.\fR
+When
+\fIenv_reset\fR
+is enabled, variables preserved from the invoking user's environment
+by the
+\fIenv_keep\fR
+list take precedence over those in the PAM environment.
+When
+\fIenv_reset\fR
+is disabled, variables present the invoking user's environment
+take precedence over those in the PAM environment unless they
+match a pattern in the
+\fIenv_delete\fR
+list.
+.PP
 Note that the dynamic linker on most operating systems will remove
 variables that can control dynamic linking from the environment of
 setuid executables, including

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 80b0417469a33e7e52aca2f8a7797b3c12eaf307..ba0bf481eb0f7c350870663e18906ed2c7ebb4f2 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -351,6 +351,29 @@ contained in the output of
 .Dq Li sudo -V
 when run as root.
 .Pp
+On systems that support PAM where the
+.Sy pam_env
+module is enabled for
+.Nm sudo ,
+variables in the PAM environment may be merged in to the environment.
+If a variable in the PAM environment is already present in the
+user's environment, the value will only be overridden if the variable
+was not preserved by
+.Nm sudoers.
+When
+.Em env_reset
+is enabled, variables preserved from the invoking user's environment
+by the
+.Em env_keep
+list take precedence over those in the PAM environment.
+When
+.Em env_reset
+is disabled, variables present the invoking user's environment
+take precedence over those in the PAM environment unless they
+match a pattern in the
+.Em env_delete
+list.
+.Pp
 Note that the dynamic linker on most operating systems will remove
 variables that can control dynamic linking from the environment of
 setuid executables, including