|
| 1 | +This internal document describes ogsudo behavior that's not documented in its man pages. |
| 2 | + |
| 3 | +Where possible, this document is formatted as a list of "diffs" on top of version 1.9.5 of the man pages. |
| 4 | + |
| 5 | +# [`man sudo`](https://www.sudo.ws/docs/man/1.9.5/sudo.man/) |
| 6 | + |
| 7 | +## [`-D` *directory*, `--chdir` *directory*](https://www.sudo.ws/docs/man/1.9.5/sudo.man/#D) |
| 8 | + |
| 9 | +The `--chdir` flag is ignored if its value matches the current working directory. |
| 10 | +This applies regardless of what the `CWD` policy in the sudoers file specifies for the invoking user. |
| 11 | +That is, `sudo --chdir=$(pwd) true` is equivalent to `sudo true`. |
| 12 | + |
| 13 | +## [Environment](https://www.sudo.ws/docs/man/1.9.5/sudo.man/#ENVIRONMENT) |
| 14 | + |
| 15 | +### [`SUDO_PS1`](https://www.sudo.ws/docs/man/1.9.5/sudo.man/#SUDO_PS1) |
| 16 | + |
| 17 | +The `SUDO_PS1` mechanism has precedence over the `env_keep` and `env_check` mechanisms. |
| 18 | +If `PS1` is in either of those lists and `PS1` and `SUDO_PS1` are both set in the invoking sure environment, |
| 19 | +then `PS1` will be set to the value of `SUDO_PS1`. |
| 20 | +In other words: given `Defaults env_keep = PS1`, `env PS1=a SUDO_PS1=b sudo printenv PS1` prints `b`. |
| 21 | + |
| 22 | +## Miscellaneous |
| 23 | + |
| 24 | +This section contains information that can't be placed in any of the existing man page sections. |
| 25 | + |
| 26 | +### Command-Line Interface |
| 27 | + |
| 28 | +In the case of short flags that accept a value, the space between the flag and the value is not required. |
| 29 | +That is, `sudo -u root true` and `sudo -uroot true` are equivalent. |
| 30 | + |
| 31 | +# [`man sudoers`](https://www.sudo.ws/docs/man/1.9.5/sudoers.man/) |
| 32 | + |
| 33 | +## [Sudoers file format](https://www.sudo.ws/docs/man/1.9.5/sudoers.man/#SUDOERS_FILE_FORMAT) |
| 34 | + |
| 35 | +### [Aliases](https://www.sudo.ws/docs/man/1.9.5/sudoers.man/#Aliases) |
| 36 | + |
| 37 | +The manual states that the allowed syntax for aliases is: |
| 38 | + |
| 39 | +> `NAME ::= A-Z*` |
| 40 | +
|
| 41 | +but that is incorrect; the allowed syntax is actually: `NAME ::= [A-Z]([A-Z][0-9]_)*`. |
| 42 | +That is, aliases can contain digits and underscores but must start with an uppercase letter. |
| 43 | + |
| 44 | +## [Command environment](https://www.sudo.ws/docs/man/1.9.5/sudoers.man/#Command_environment) |
| 45 | + |
| 46 | +### `VARIABLE=value` matching |
| 47 | + |
| 48 | +The manual says: |
| 49 | + |
| 50 | +> By default, environment variables are matched by name. However, if the pattern includes an equal |
| 51 | +> sign (`=`), both the variables name and value must match |
| 52 | +
|
| 53 | +but does not mention that the equal sign can only be used when surrounded by double quotes. |
| 54 | +That is, `Defaults env_check = "VARIABLE=value"` is correct syntax. |
| 55 | +Whereas, `Defaults env_check = VARIABLE=value` is invalid syntax. |
| 56 | + |
| 57 | +### `SUDO_PS1` |
| 58 | + |
| 59 | +The manual says: |
| 60 | + |
| 61 | +> Environment variables with a value beginning with `()` are removed unless both the name and value |
| 62 | +> parts are matched by `env_keep` or `env_check`, as they may be interpreted as functions by the |
| 63 | +> bash shell |
| 64 | +
|
| 65 | +This does not affect the operation of the `SUDO_PS1` environment variable. |
| 66 | +That is, `SUDO_PS1="() abc" sudo printenv PS1` prints `() abc` |
| 67 | + |
| 68 | +## [Sudoers options](https://www.sudo.ws/docs/man/1.9.5/sudoers.man/#SUDOERS_OPTIONS) |
| 69 | + |
| 70 | +### `env_keep` |
| 71 | + |
| 72 | +The `env_keep` list is not empty by default and contains the following environment variables by name: |
| 73 | + |
| 74 | +- `DISPLAY` |
| 75 | +- `PATH` |
| 76 | + |
| 77 | +These variables can be removed from the list using either the override (`=`) or remove (`-=`) operators. |
| 78 | + |
| 79 | +### `env_check` |
| 80 | + |
| 81 | +The `env_check` list is not empty by default and contains the following environment variables by name: |
| 82 | + |
| 83 | +- `TERM` |
| 84 | +- `TZ` |
| 85 | + |
| 86 | +These variables can be removed from the list using either the override (`=`) or remove (`-=`) operators. |
| 87 | + |
| 88 | +### Applies to both `env_keep` and `env_checek` |
| 89 | + |
| 90 | +#### `!` clears the list |
| 91 | + |
| 92 | +The manual says that the `!` operator "disables" the list but it would be more accurate to say that it *clears* the list. |
| 93 | +After clearing the list with `Defaults !env_keep` (`Defaults !env_check`), it's possible to override its contents and/or add items to it. |
| 94 | + |
| 95 | +#### Error handling |
| 96 | + |
| 97 | +The manual says that the `env_keep` (`env_check`) accepts a list of space-separated variables but does not mention how errors within the list are handled. |
| 98 | +sudo skips / ignores malformed items and updates the list using only the well-formed items. |
| 99 | +That is, given `Defaults env_keep += "A.* VARIABLE"` sudo adds `VARIABLE` to the `env_keep` list. |
| 100 | + |
| 101 | +#### `SUDO_` variables |
| 102 | + |
| 103 | +This is not explicit in the manual: it's not possible to preserve the following variables from the invoking user's environment as they'll be set by sudo. |
| 104 | + |
| 105 | +- `SUDO_COMMAND` |
| 106 | +- `SUDO_GID` |
| 107 | +- `SUDO_UID` |
| 108 | +- `SUDO_USER` |
0 commit comments