How to make `sudo` preserve $PATH?

Question

I have a program that is installed in a custom directory under /opt. To make it easier to run it, I edited my bashrc to add said directory to my path:

export PATH=$PATH:/opt/godi/bin:/opt/godi/sbin

This works fine if I want to run the program without sudo. However, if I try to run it with sudo it fails with a "command not found" error.

$ sudo godi_console
sudo: godi_console: command not found

Inspecting the PATH variable after using sudo reveals that its not including the same PATH I have as a normal user:

$ sudo sh
# echo $PATH                 
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Why is the PATH not the same? Am I doing something wrong? I'm on Debian Jessie, if it makes a difference.

One thing I tried was to invoke /opt/godi/sbin/godi_console directly, passing the absolute path to the executable. Unfortunatelly, that didn't help in this particular case because godi_console itself depends on the PATH being correctly set.

Try sudo -E godi_console. -E means "preserve environment". — D_Bye, Jul 16 '13 at 08:38
@D_Bye, that won't work if secure_path and/or env_reset are configured like is the case in many sudo deployments like on Debian. — Stéphane Chazelas, Jul 16 '13 at 09:09
@StephaneChazelas Thanks for the info - I don't use Debian, so perhaps I should just have kept quiet! — D_Bye, Jul 16 '13 at 10:20
http://stackoverflow.com/questions/257616/sudo-changes-path-why — Ciro Santilli OurBigBook.com, Dec 08 '15 at 16:41
A related question, about su not sudo, is https://unix.stackexchange.com/questions/460478/ . — JdeBP, Mar 10 '19 at 09:51

Stéphane Chazelas · Accepted Answer · 2018-05-09T12:50:48.753

259

You can always do:

sudo env "PATH=$PATH" godi_console

As a security measure on Debian, /etc/sudoers has the secure_path option set to a safe value.

Note that:

sudo "PATH=$PATH" godi_console

Where sudo treats leading arguments containing = characters as environment variable assignments by itself, would also work at running godi_console with your $PATH (as opposed to the secure_path) in its environment, but would not affect sudo's search path for executable, so wouldn't help sudo in finding that godi_console.

edited May 09 '18 at 12:50

answered Jul 16 '13 at 09:12

Stéphane Chazelas

544,893

7

I like this answer best since it avoids need to change settings globally (i.e. preserves principle of least privilege) – Alois Mahdal Mar 11 '15 at 00:31
7

sudo "PATH=$PATH" godi_console did not work in CentOs7 by the way. Needed the env – Hakan Baba Jan 25 '18 at 06:29
1

Is it okay to use sudo env "PATH=$PATH" as an alias for sudo? What kind of problems could this create? – derricw Apr 12 '18 at 16:22
2

@StéphaneChazelas Does sudo "PATH=$PATH" godi_console ever really work? sudo accepts VAR=value arguments, affecting the environment of the command it runs, but unlike in env or bash, sudo doesn't seem to let this affect how it looks up the command. I only tested this (recently) on Ubuntu 16.04. But I tried adding the exempt_group option to sudoers (just for testing--I don't consider this a solution!) and the results were illuminating. Commands of the form PATH="$PATH" sudo some-command started working, but those of the form sudo PATH="$PATH" some-command still did not. – Eliah Kagan Apr 13 '18 at 11:32
@EliahKagan and Hakan, you're right, I've edited the answer. – Stéphane Chazelas Apr 15 '18 at 13:42
2

@ballsatballsdotballs. As that alias should only affect your interactive shells, that should be relatively harmless. – Stéphane Chazelas Apr 15 '18 at 13:43
5

I just create an alias called psudo for these types of cases, where: alias psudo="sudo env "PATH=$PATH"". Then my normal sudo use is unaffected. – mikeTronix May 18 '18 at 18:38

score 64 · Answer 2 · edited Aug 20 '14 at 15:50

64

You can also set the default PATH at /etc/sudoers

edit the file using visudo

and update the line to what ever you wish: Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin

edited Aug 20 '14 at 15:50

ryekayo

4,763

answered Aug 20 '14 at 15:37

Michael Ben-Nes

778
6
7

This is a good way. See also https://superuser.com/questions/927512/how-to-set-path-for-sudo-commands – flow2k Apr 10 '21 at 02:01
At least on a RHEL system this would be better done with a file in /etc/sudoers.d/ adding onto the system default. I assume Debian would be similar. – miken32 Jan 20 '23 at 19:30
e.g. echo 'Defaults secure_path="/sbin:/bin:/usr/sbin:/usr/bin:/my/custom/path"' > /etc/sudoers.d/custom_path – miken32 Jan 20 '23 at 23:12

MAQ · Answer 3 · 2016-01-24T22:07:30.123

29

SUDO is doing env variables reset by default.

Check out its manual and option called env_reset.

You just need to disable it in /etc/sudoers.

edited Jan 24 '16 at 22:07

answered Jul 16 '13 at 18:21

MAQ

980

9

Cool! In Ubuntu you can visudo and comment out the secure_path and env_reset lines. Makes the system considerably less secure, so beware. – RawwrBag Mar 29 '16 at 18:29
Disabling env_reset seems not to affect sudo's behaviour w/r/t PATH. – Zanna Apr 13 '18 at 11:40
1

You have to comment secure_path as well, as mentioned by @RawwrBag – Prateek Joshi Dec 21 '19 at 06:18

SebMa · Answer 4 · 2018-05-28T13:36:42.150

22

This works :

sudo $(which your_command)

Example calling my gps script which lists Nvidia GPU's processes :

$ sudo gps
sudo: gps: command not found
$ sudo $(which gps)
  PID TTY          TIME CMD
 9922 tty7     02:42:47 Xorg

Explanation :

$ set -x;sudo $(which gps);set +x
++ which gps
+ sudo /home/xyztuv/myScripts/shl/gps
  PID TTY          TIME CMD
 9922 tty7     02:42:39 Xorg
+ set +x

edited May 28 '18 at 13:36

answered May 28 '18 at 13:25

SebMa

2,149

3

This is the best answer because it doesn't expose you to other commands on your path being hijacked. All of the other answers here risk running other executables as root. – Jim Hunziker Jan 14 '21 at 14:08
Unless the command you're using calls other commands that it expects to find in $PATH - then you want to be "hijacked", and so the other answers are better. – Dave Morse Jan 18 '22 at 04:11
@DaveMorse Yes, in that sense, my example is not secure but then the question of How to make "sudo" preserve $PATH? is not a secure idea either. – SebMa Jan 18 '22 at 09:16
using absolute path avoid PATH problem. in general purpose a smart move – Kevin Chan Oct 11 '22 at 07:07
I don't know that it's the best answer. It's a good answer. The reason why is some scripts start with something like #!/usr/bin/env python3 and this answer won't help make sure you get the right python3, like for a virtual environment. – keithpjolley Jul 12 '23 at 15:30

score 14 · Answer 5 · answered Nov 09 '18 at 14:09

14

sudo --preserve-env=PATH env [command]

this ovverrides secure_path on my end

answered Nov 09 '18 at 14:09

untore

325

score 2 · Answer 6 · answered Aug 27 '20 at 19:27

Here's what worked for me on Ubuntu.

Put this near the bottom of your ~/.bashrc:

mysudo() {
        cmd=$(which $1)
        shift
        sudo "$cmd" $@
}
alias sudo="mysudo"

Then log out and log back in, or do:

source ~/.bashrc

After that sudo works properly, like it does on other distros such as Debian.

On second thought, this is not supporting sudo's command line switches, so if you need those, you could expand on this and make something a bit more complex to support it.

score 1 · Answer 7 · edited Aug 27 '20 at 20:43

1

Maybe not precisely what OP asks for, but this might help:

sudo -u the_user sh -c 'PATH=$PATH:/opt/godi/bin echo $PATH'

This changes the PATH inside the sudoed command.

edited Aug 27 '20 at 20:43

hugomg

5,747
4
39
54

answered May 06 '18 at 13:45

phil294

905

score 1 · Answer 8 · edited Sep 18 '18 at 13:42

1

This worked:

sudo "PATH=$PATH" [your command]

Do not change $PATH with your path value, you just write it this way

example: $ sudo env "PATH=$PATH" ant -f webAppConfig.xml regenWebAppConf....

edited Sep 18 '18 at 13:42

answered Sep 18 '18 at 13:09

ikch

19

score 0 · Answer 9 · answered May 03 '22 at 10:26

0

Whilst this might not entirely be what op wants, I believe the best option is to call

sudo /opt/godi/sbin/godi_console

That way you are certain you are calling the correct binary, and not one that someone sneaked into your path somewhere.

answered May 03 '22 at 10:26

Jens Timmerman

391

How to make `sudo` preserve $PATH?

9 Answers9

Linked

Related