
I’m experiencing a strange behavior related to environment variable preservation with sudo on macOS (15.2): sudo -E doesn't preserve the environment variable PERL5LIB.

Reproduction Steps

  1. Set an environment variable in the shell: export PERL5LIB=foo. The command env | grep PERL5LIB outputs as expected: PERL5LIB=foo.

  2. However, the command sudo -E env | grep PERL5LIB returns nothing. In contrast, this works: sudo --preserve-env=PERL5LIB env | grep PERL5LIB. It successfully preserves PERL5LIB.

This is confusing because I expected sudo -E to preserve all environment variables from the invoking shell, including PERL5LIB. But clearly, it’s not working that way for this particular variable.

Question

  • Why is PERL5LIB not preserved by sudo -E on macOS?
  • Is this behavior specific to PERL5LIB, or does it affect other variables as well?
  • What is the recommended, reliable way to ensure that PERL5LIB is preserved when using sudo?
  • That second point should be trivial to test on your own system. Commented Apr 13 at 12:12
  • Does /etc/sudoers, or any files in /etc/sudoers.d, contain an env_delete+=PERL5LIB statement? I don't use macOS to confirm, but the answers in How can I keep all environment vars for a specific command in sudo? might help. Commented Apr 13 at 12:13
  • See output of sudo sudo -V Commented Apr 13 at 14:23
  • @ChesterGillon No, there’s nothing Perl-related in /etc/sudoers. The only file under /etc/sudoers.d is amphetamine_PowerProtect, which has nothing to do with the sudo command. However, as @StéphaneChazelas pointed out, running sudo sudo -V reveals a list of environment variables to remove, and PERL5LIB is included in that list. Commented Apr 13 at 14:53
  • @muru You’re absolutely right — I should’ve phrased that more carefully. What I meant is: while amphetamine_PowerProtect under /etc/sudoers.d is indeed part of the sudo configuration, it only configures passwordless access for a couple of specific commands. It doesn’t affect the general behavior of sudo itself, such as how environment variables are handled — which is the focus of my question. Commented Apr 13 at 17:00

1 Answer

Variables matched by the env_delete list are removed from the environment with sudo -E a.k.a. sudo --preserve-env. Passing the variable to --preserve-env= re-adds it with its original value, which effectively negates its presence in the env_delete list.  (When --preserve-env is not in effect, the env_delete list does not apply, but environment variables are removed unless they are in the env_keep list, with a few additional conditions.)

The default list of “bad” environment variables includes PATH-like settings for various scripting languages, including PERL5LIB for Perl, PYTHONPATH for Python, RUBYLIB for Ruby, etc.  (But not PATH itself, which is handled specially.)

That list is OS-specific and can be obtained by running sudo -V as root. Quoting the sudoers(5) man page:

The complete list of environment variables that are preserved or removed, as modified by global Defaults parameters in sudoers, is displayed when sudo is run by root with the -V option. The list of environment variables to remove varies based on the operating system sudo is running on.

Use sudo --preserve-env=PERL5LIB if you specifically want to preserve PERL5LIB. You can change the env_delete option on a rule-by-rule basis in the sudoers file. If you add a specific rule, keep in mind that the last match applies, so put it after the generic rule for I-can-become-root, if that's relevant.

  • It may be worth spelling out why this is. Someone who can control PERL5LIB has effectively total control over the behavior of any Perl program you run. (Similarly for PYTHONPATH, RUBYLIB, etc.) If you ran a Perl script using sudo, not noticing that PERL5LIB was set, this would most likely allow arbitrary code execution as root, by whatever set PERL5LIB. Commented Apr 14 at 3:32
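The practical upshot of the answer is "check the env_delete list on your host before relying on sudo -E". The following POSIX sh script is an added example, not part of the original question or answer: it parses that list out of sudo -V output and reports which of a set of variable names sudo -E would drop, so you know in advance whether you need --preserve-env=VAR. The "Environment variables to remove:" header and the one-entry-per-indented-line layout are assumed from sudo's output format; the sample text is constructed, and the function names (env_delete_list, is_env_deleted, dropped_by_sudo_E) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): find the env_delete list in
# `sudo -V` output and tell which variables `sudo -E` will drop, so you
# can decide between plain -E and --preserve-env=VAR before running a
# command as root.

# Constructed excerpt in the layout `sudo sudo -V` prints (assumption:
# "Environment variables to ..." section headers, one entry per indented
# line; real output indents with tabs, this sample with spaces, and the
# parser accepts either). On a real host use "$(sudo sudo -V)" instead.
SAMPLE='Sudo version 1.9.13p2
Environment variables to check for safety:
  TZ
  TERM
Environment variables to remove:
  *=()*
  RUBYLIB
  PYTHONPATH
  PERL5LIB
  PERLLIB
  BASH_ENV
  LD_*
  IFS
Environment variables to preserve:
  XAUTHORITY
  HOME
Locale to use while parsing sudoers: C'

# Print the entries under "Environment variables to remove:", one per line.
# Entries are kept verbatim: some are globs (LD_*), and "*=()*" is the
# entry that catches exported bash functions.
env_delete_list() {   # env_delete_list SUDO_V_OUTPUT
    printf '%s\n' "$1" | awk '
        /^Environment variables to remove:/ { in_list = 1; next }
        !/^[ \t]/                           { in_list = 0 }   # next header ends the list
        in_list                             { sub(/^[ \t]+/, ""); print }
    '
}

# Succeed (exit 0) when VAR matches an env_delete entry, i.e. sudo -E will
# not pass it through. Entries are used as shell case patterns, so glob
# entries such as LD_* match every LD_PRELOAD-style name.
is_env_deleted() {   # is_env_deleted VAR SUDO_V_OUTPUT
    env_delete_list "$2" | {
        while IFS= read -r pattern; do
            case "$1" in
                $pattern) exit 0 ;;   # exits only this subshell
            esac
        done
        exit 1
    }
}

# Given a whitespace-separated list of variable names, print those that
# sudo -E would drop. For a live audit feed it "$(env | cut -d= -f1)".
dropped_by_sudo_E() {   # dropped_by_sudo_E "NAME NAME ..." SUDO_V_OUTPUT
    for name in $1; do
        if is_env_deleted "$name" "$2"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demonstration on the constructed sample: prints PERL5LIB, LD_PRELOAD and
# PYTHONPATH; PATH, HOME and EDITOR are not on the list.
dropped_by_sudo_E "PERL5LIB PATH HOME LD_PRELOAD PYTHONPATH EDITOR" "$SAMPLE"
```

On a real host the list is only printed when sudo runs as root, hence `sudo sudo -V`. If a variable you need shows up, either pass it explicitly with `sudo --preserve-env=VAR` as the answer says, or take it off the list for the relevant rule in sudoers (`Defaults env_delete -= "PERL5LIB"` is the sudoers(5) syntax for removing an entry from a list option), bearing in mind the comment above about why PERL5LIB is on the list in the first place.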
