From 2d22d0dca89235532170bbbb2c6a8f2b7574eda2 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 11 Aug 2014 11:23:16 -0600 Subject: [PATCH] Document the interaction between sudoers environment handling and the pam_env module. --- doc/sudoers.cat | 10 ++++++++++ doc/sudoers.man.in | 23 +++++++++++++++++++++++ doc/sudoers.mdoc.in | 23 +++++++++++++++++++++++ 3 files changed, 56 insertions(+) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 330af8587..b59cdcc06 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -148,6 +148,16 @@ DDEESSCCRRIIPPTTIIOONN The list of environment variables that ssuuddoo allows or denies is contained in the output of ``sudo -V'' when run as root. + On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo, + variables in the PAM environment may be merged in to the environment. If + a variable in the PAM environment is already present in the user's + environment, the value will only be overridden if the variable was not + preserved by ssuuddooeerrss.. When _e_n_v___r_e_s_e_t is enabled, variables preserved from + the invoking user's environment by the _e_n_v___k_e_e_p list take precedence over + those in the PAM environment. When _e_n_v___r_e_s_e_t is disabled, variables + present the invoking user's environment take precedence over those in the + PAM environment unless they match a pattern in the _e_n_v___d_e_l_e_t_e list. + Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including ssuuddoo. Depending on the operating system this may diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index d3595b406..4c5cfb3de 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -365,6 +365,29 @@ contained in the output of \(lq\fRsudo -V\fR\(rq when run as root. .PP +On systems that support PAM where the +\fBpam_env\fR +module is enabled for +\fBsudo\fR, +variables in the PAM environment may be merged in to the environment. +If a variable in the PAM environment is already present in the +user's environment, the value will only be overridden if the variable +was not preserved by +\fBsudoers.\fR +When +\fIenv_reset\fR +is enabled, variables preserved from the invoking user's environment +by the +\fIenv_keep\fR +list take precedence over those in the PAM environment. +When +\fIenv_reset\fR +is disabled, variables present the invoking user's environment +take precedence over those in the PAM environment unless they +match a pattern in the +\fIenv_delete\fR +list. +.PP Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 80b041746..ba0bf481e 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -351,6 +351,29 @@ contained in the output of .Dq Li sudo -V when run as root. .Pp +On systems that support PAM where the +.Sy pam_env +module is enabled for +.Nm sudo , +variables in the PAM environment may be merged in to the environment. +If a variable in the PAM environment is already present in the +user's environment, the value will only be overridden if the variable +was not preserved by +.Nm sudoers. +When +.Em env_reset +is enabled, variables preserved from the invoking user's environment +by the +.Em env_keep +list take precedence over those in the PAM environment. +When +.Em env_reset +is disabled, variables present the invoking user's environment +take precedence over those in the PAM environment unless they +match a pattern in the +.Em env_delete +list. +.Pp Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including -- 2.40.0
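Review bot: In the doc/sudoers.cat hunk, the sentence "variables present the invoking user's environment take precedence" is missing the word "in" ("present in the invoking user's environment"), and "merged in to the environment" should read "merged into the environment". Since this file is the pre-rendered copy of the manual (the overstruck bold such as "ssuuddooeerrss.." shows it is generated output), the wording should be fixed in the man/mdoc sources and this file regenerated rather than hand-edited, so that all three copies stay in sync.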
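Review bot: In the doc/sudoers.man.in hunk, "\fBsudoers.\fR" places the sentence-ending period inside the bold span, so it is rendered in bold (visible as the doubled "ssuuddooeerrss.." in the .cat output); write it as "\fBsudoers\fR." with the period outside the font change, matching how "\fBsudo\fR," is handled a few lines earlier. The same hunk also has "merged in to" (should be "merged into") and "variables present the invoking user's environment" (missing "in").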
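Review bot: In the doc/sudoers.mdoc.in hunk, ".Nm sudoers." attaches the period to the name argument, so mdoc renders it as part of the bold name rather than as trailing punctuation; it should be ".Nm sudoers ." with the period as a separate token, consistent with ".Nm sudo ," used earlier in the same hunk. The two wording slips noted for the other copies ("merged in to" and "variables present the invoking user's environment") apply here as well, and this is the source the .cat file should be regenerated from.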