You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Commit e0e2445 was very helpful in enabling secure_path by default. It works with no surprises as secure_path remains disabled internally and the user is able to comment out the relevant line in /etc/sudoers to restore the old behavior.
One possible addition would be to provide a ./configure option to specify a different default path. --with-secure-path cannot be used for this as it will also define SECURE_PATH, thus enabling it internally and preventing the user from simply commenting out the line in /etc/sudoers.
I'm looking at it from a packager perspective, trying to use a different path [*] for secure_path without leaving the user to wonder why it remains active even when the line in /etc/sudoers is commented out. I tried to think of a clean way to implement this but in the end I had to patch the configure script to change the default value of secure_path.
My understanding is that --with-secure-path should continue to define SECURE_PATH and thus enabling it internally (in addition to the sudoers file). This is desirable in order to maintain the semantics this option had before sudo 1.9.16. The question then becomes, is there a way to specify a different path while maintaining the ability to comment out the option in sudoers, and have it work the same as when --with-secure-path is not used?
[*] /usr/local/sbin:/usr/local/bin:/usr/bin (default path used in Arch Linux, since /usr/sbin, /sbin, and /bin are all symlinks to /usr/bin)
The text was updated successfully, but these errors were encountered:
We can add a new configure option to just change the default value, but the naming can be confusing. It does appear that some packagers are using --with-secure-path so unfortunately we cannot change the meaning of that option. What do you think of --with-secure-path-value or --with-secure-path-default for the option name? I'm open to better names if you have any ideas.
Commit e0e2445 was very helpful in enabling
secure_path
by default. It works with no surprises assecure_path
remains disabled internally and the user is able to comment out the relevant line in/etc/sudoers
to restore the old behavior.One possible addition would be to provide a
./configure
option to specify a different default path.--with-secure-path
cannot be used for this as it will also defineSECURE_PATH
, thus enabling it internally and preventing the user from simply commenting out the line in/etc/sudoers
.I'm looking at it from a packager perspective, trying to use a different path [*] for
secure_path
without leaving the user to wonder why it remains active even when the line in/etc/sudoers
is commented out. I tried to think of a clean way to implement this but in the end I had to patch the configure script to change the default value ofsecure_path
.My understanding is that
--with-secure-path
should continue to defineSECURE_PATH
and thus enabling it internally (in addition to the sudoers file). This is desirable in order to maintain the semantics this option had before sudo 1.9.16. The question then becomes, is there a way to specify a different path while maintaining the ability to comment out the option in sudoers, and have it work the same as when--with-secure-path
is not used?[*]
/usr/local/sbin:/usr/local/bin:/usr/bin
(default path used in Arch Linux, since/usr/sbin
,/sbin
, and/bin
are all symlinks to/usr/bin
)The text was updated successfully, but these errors were encountered: