ENV['someapp']" is nil when the code is run with "sudo"

Hi,

Some very weird behavior is happening with Ruby when I run the code with
“sudo” command.

Let’s say I have the following code in “myex.rb” source file:

if ENV[“CUBRID”]
puts “ENV[CUBRID] is: ‘#{ENV[“CUBRID”]}’”
else
puts “$CUBRID_BROKER is not defined. Possibly you have not installed
CUBRID Database yet.”
end

I have installed the CUBRID Database, and when I run the code by typing
“ruby myex.rb” I correctly receive the path where CUBRID has been
installed.

ENV[CUBRID] is: ‘/home/esen/programfiles/CUBRID’

However, when I run this code with “sudo” at the beginning like “sudo
ruby myex.rb”, the “ENV[‘CUBRID’]” is actually nil, thus, returns the
second string in the else block.

Can anyone explain why “sudo” neglects all ENVironmental variables?

Esen S. wrote:

Can anyone explain why “sudo” neglects all ENVironmental variables?

See “man sudoers”:

   env_reset       If set, sudo will reset the environment to only 

contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
variables. Any variables in the caller’s
environment
that match the env_keep and env_check lists are
then
added. The default contents of the env_keep and
env_check lists are displayed when sudo is run by
root
with the -V option. If the secure_path option is
set,
its value will be used for the PATH environment
variable. This flag is on by default.

Thank you very much Brian for your assistance!

I have read the manual and see that env_reset is set to ON by default,
which means all users who will download my gem and try to install will
not succeed.

Is there anything you could suggest me to solve this problem?

The other thing is I have seen so many gem which have their main
extconf.rb Ruby code which request ENV[’…’] variables like PATH, and
others. How do they get the variables if sudo resets them by default?

Any help is greatly appreciated.

Esen.

Esen S. wrote:

I have read the manual and see that env_reset is set to ON by default,
which means all users who will download my gem and try to install will
not succeed.

Is there anything you could suggest me to solve this problem?

Sure: you can configure sudo to keep specific environment variables,
when running specific commands. Since you are allowing your users to run
code as root, then you need to be very sure that they cannot abuse these
environment variables to escalate privileges further.

If the specific problem is with installing a gem, and you don’t want
people to have to tweak their sudoers files, then I think you’d be
better off asking on a gem-specific mailing list. I don’t know if you
can control which parts of the installation are run under sudo, and
which are not.

The other thing is I have seen so many gem which have their main
extconf.rb Ruby code which request ENV[’…’] variables like PATH, and
others. How do they get the variables if sudo resets them by default?

sudo resets PATH to a safe value. It is very easy to escalate privileges
if you can set PATH to a chosen value whilst running a suid root
application. It’s the same reason why other environment variables are
cleared; if you’re using sudo to run an app which wasn’t intended to be
run by an untrusted user, it’s too easy to abuse if the user can set
arbitrary environment variables.

On Aug 3, 2010, at 19:52 , Esen S. wrote:

I have solved it for my personal case with -E flag after sudo like “sudo
-E gem install cubrid”. But anyway, this is not something I want,
because I do not want the global users of my gem to type this -E flag
all the time the need to install my gem.

Why does your gem install require environment variables?

Ryan D. wrote:

Why does your gem install require environment variables?

I have to find the location where the CUBRID Database Server (or any
other software) has been installed to located the libraries required to
compile the gem. This is something most gems need to know, so does mine.

I have solved it for my personal case with -E flag after sudo like “sudo
-E gem install cubrid”. But anyway, this is not something I want,
because I do not want the global users of my gem to type this -E flag
all the time the need to install my gem.

I looked at other gems how they solve this problem, as I can install
them without -E. For instance, I have attached the sample code found in
mysql’s extconf.rb file, which somehow deals with this problem as it
also extracts ENV[‘PATH’] variable, just like me. But when installing
mysql, I do not need to type -E.

I saw in mysql’s code it adds the -E flag to the cpp_command and prints
it out to the “system”, but somehow I cannot replicate it.

I have posted in the RubyGem Help
(http://help.rubygems.org/discussions/problems/256-gem-install-mygem-does-not-install-the-gem),
haven’t still found the solution.

Anyway, thank you Brian. If you think you can have time to look at that
pure Ruby code to see how does it add that -E flag runtime, it would
help me a lot.

Have a good day!

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs