Monday 1 July 2019

linux - Passing PATH through sudo


In short: how do I make sudo not flush PATH every time?


I have some websites deployed on my server (Debian testing) written with Ruby on Rails. I use Mongrel+Nginx to host them, but there is one problem that comes when I need to restart Mongrel (e.g. after making some changes).


All sites are checked in VCS (git, but it is not important) and have owner and group set to my user, whereas Mongrel runs under the, huh, mongrel user that is severely restricted in its rights. So Mongrel must be started under root (it can automatically change UID) or mongrel.


To manage mongrel I use the mongrel_cluster gem because it allows starting or stopping any number of Mongrel servers with just one command. But it needs the directory /var/lib/gems/1.8/bin to be in PATH: it is not enough to start it with an absolute path.


Modifying PATH in root .bashrc changed nothing, tweaking sudo's env_reset and env_keep didn't either.


So the question: how to add a directory to PATH or keep user's PATH in sudo?


Update: some examples


$ env | grep PATH
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games:/var/lib/gems/1.8/bin
$ sudo cat /etc/sudoers | egrep -v '^$|^#'
Defaults env_keep = "PATH"
root ALL=(ALL) ALL
%sudo ALL=NOPASSWD: ALL
$ sudo env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

Also I can say that it works exactly this way in Debian stable (lenny) too.



Answer



Struggled with the same problem for a few hours. In Debian lenny, you can fix it by adding


Defaults        exempt_group= 

to the sudoers file.


This is the only way to go around the compiled --secure-path option (as far as I know).


Notably, this will also exempt users from needing to enter their password when they sudo.
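
The thread comes down to three sudoers settings: env_keep, the secure path, and exempt_group, the last of which lifts both the PATH override and the password prompt for its members. The following is an added example, not part of the original post or of sudo itself: a small shell check that reads sudoers-style text and reports those settings. The function name audit_sudoers, the output labels and the group name "deployers" are assumptions made for illustration, and where the secure path is compiled in, as the answer describes, it will not appear in the file at all.

```shell
#!/bin/sh
# Added example (not from the original post): report the sudoers Defaults
# that decide what PATH a command sees. Simplification: one setting per
# Defaults line, no Defaults:user / Defaults@host scoping.

audit_sudoers() {
    awk '
        !/^[ \t]*Defaults[ \t]/ || !/=/ { next }
        {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            name = line; sub(/[ \t]*[-+]?=.*/, "", name)
            val = line;  sub(/^[^=]*=[ \t]*/, "", val)
            gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
            # env_keep only preserves PATH if nothing later overrides it
            if (name == "env_keep" && (" " val " ") ~ / PATH /) {
                print "env_keep_has_PATH=yes"
            }
            # secure_path replaces PATH for every command run via sudo
            if (name == "secure_path") {
                print "secure_path=" val
            }
            # exempt_group members skip secure_path AND the password prompt
            if (name == "exempt_group" && val != "") {
                print "exempt_group=" val
                risky = 1
            }
        }
        END { exit risky + 0 }
    ' "$1"
}

# Constructed sample; "deployers" is a placeholder group name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
Defaults env_keep = "PATH"
Defaults secure_path="/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        exempt_group=deployers
%sudo ALL=NOPASSWD: ALL
EOF

if audit_sudoers "$sample"; then
    echo "no exempt_group: secure_path applies to everyone"
else
    echo "review: exempt_group bypasses secure_path and password checks"
fi
rm -f "$sample"
```

A non-zero exit status means an exempt_group is set, so membership of that group deserves the same scrutiny as a NOPASSWD rule.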

