sudo, Ubuntu, and the PATH environment variable – a love story (of sorts)

I just started setting up a Ubuntu Karmic Koala (9.10) server in the cloud, and I became very frustrated very quickly about the default behavior that is compiled into sudo. Since there is not much info laying around the net on how to solve this problem, I thought I would throw this post together. So if the big search engine in the sky brought you my way, then I hope this helps you.

Sudo on Ubuntu Karmic has been compiled with the –with-secure-path option. This causes sudo to ignore any changes to the path environment variable. And I do mean any changes. Changing the path in the user’s environment ala PATH=$PATH:/opt/other-bin sudo gem will not work. Neither will modifying the path variable in the /etc/environment file. And don’t try to modify the PATH in /etc/profile or /root/.profile or /root/.bashrc because none of those will work either.

If you want to see the path that sudo is using then take a peek at /usr/share/doc/sudo/OPTIONS. There you will see the exact path that was compiled into the sudo command.

This “secure path” can be modified. But before I tell you how, I should insert a word of caution. My research indicated that this was done for your protection. As with many things that are done for your protection, it is annoying as hell. But it evidently makes it harder for trojans to run commands as root. So make sure that you think twice before making changes to the “secure path” that sudo uses when it runs.

Thanks for patiently reading the disclaimer. Now for the juicy details. To modify sudo’s “secure path” you just need to add a line to the /etc/sudoers file. This file is best modified using the visudo command. So fire up visudo and add the following line.


  Defaults        secure_path=<your new path>

I highly recommend that you start with the value that sudo was compiled with and then append to it.

I hope that helps you.

It would have been really nice if this was documented better somewhere. I was only able to piece this solution together after reading a lot of confusing forum posts and after several head-scratching reads of the sudo man page.

Tags:

4 Responses to “sudo, Ubuntu, and the PATH environment variable – a love story (of sorts)”

  1. Caleb Land says:

    Thanks!

    I have been butting my head against this issue for a while, but everything I read suggested that it wasn’t possible to override it in /etc/sudoers, but apparently you can now! Huzzah.

    I never understood the for your own protection thing, because you can easily get around this by running:

    sudo env PATH=$PATH command

    It just made it more annoying.

  2. Dartagnan says:

    Mega-thanks!

    I spent several hours modifying an existing image on Amazon AWS to get everything I wanted on it. Then I thought I was going to have to abandon the effort because I could not run EC2 tools as sudo.

    Fortunately I did not quit before I found your post! Thanks again for putting this out there.

  3. vaderpi says:

    @Dartagnan

    I’m glad I could help. I’m amazed by how many times I still get bit by this issue. I’ve gotten in the habit of using Google to find my own post when I forget the exact details. :)

  4. CaptainRewind says:

    Nice find, thanks for the post!

Leave a Reply