[sf-lug] sudo

Alex Kleider akleider at sonic.net
Thu Nov 9 10:02:56 PST 2017


Thanks, Michael, for your further input.  I've spent some time trying to 
understand.
The following is what I've been using to test:
(It seems to make no difference if I source or run as executable:
i.e.
source t.sh
or
./source t.sh
I expect the latter would not work if the export statement hadn't been 
included but haven't tested for that.)

"""
#!/bin/bash

# File: t.sh

export ap_ip=10.10.10.10

sudo -E sh -c 'echo "$ap_ip  library library.lan rachel rachel.lan" >> /etc/hosts'
# the above command works and seems to me to be the correct way to go.

sudo sh -c "echo $ap_ip  library library.lan rachel rachel.lan >> /etc/hosts"
# The above also works (i.e. the var gets included in the appended
# line). The question now is 'why does this work but the next doesn't?'

sudo sh -c 'echo "$ap_ip  library library.lan rachel rachel.lan" >> /etc/hosts'
# the above command executes without error but the var is NOT included
# in the appended line.

sudo echo "$ap_ip  library library.lan rachel rachel.lan" >> /etc/hosts
# the above command fails with "Permission denied" notice.

"""
From what you've written I would have expected that only the first
version would succeed but in fact the second one does as well.



>> I'm not sure why the export doesn't pass ap_ip through to the su
>> shell. Seems like that should work, but you're right, it doesn't.
> 
> Because, security, "of course".  :-)
> 
> sudoers(5) ...
>    Command environment
>      Since environment variables can influence program behavior, sudoers provides
>      a means to restrict which variables from the user's environment are
>      inherited by the command to be run.  There are two distinct ways sudoers
>      can deal with environment variables.
>      By default, the env_reset option is enabled.  This causes commands to be
>      executed with a new, minimal environment. ...
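The following script is an added example, not code from Alex's post or from the sudoers manual. It reproduces the behaviour of the four variants above without root and without touching /etc/hosts: `env -i /bin/sh` stands in for sudo's env_reset (a child shell started with an empty environment), and `env -i ap_ip=... /bin/sh` stands in for `sudo -E`. It assumes `/bin/sh` and a coreutils- or busybox-style `env -i`. The function names, the `value` variable and the `$HOME` test string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: why variant 2 works, variant 3 does not, and what to use instead.
# env -i /bin/sh emulates sudo's env_reset: the child shell starts with no
# inherited environment, just as sudoers(5) describes.

ap_ip=10.10.10.10
export ap_ip

# Variant 2 from the post (double quotes): the *calling* shell expands $ap_ip
# before sh -c ever runs, so the child never needs the variable at all.
# The value survives env_reset because it is already baked into the command text.
case_double_quotes() {
    env -i /bin/sh -c "echo $ap_ip library library.lan"
}

# Variant 3 from the post (single quotes): expansion is deferred to the child sh,
# whose environment was reset, so $ap_ip is empty there.
case_single_quotes() {
    env -i /bin/sh -c 'echo "$ap_ip library library.lan"'
}

# Variant 1 from the post (sudo -E, emulated by forwarding just ap_ip into the
# otherwise empty environment): the child sees the variable and expands it.
case_forwarded_env() {
    env -i ap_ip="$ap_ip" /bin/sh -c 'echo "$ap_ip library library.lan"'
}

# Preferred form: hand the value to the child as a positional parameter.
# Nothing from the caller's environment is needed and the value is never
# re-parsed as shell syntax by the child.
case_positional_arg() {
    env -i /bin/sh -c 'printf "%s library library.lan\n" "$1"' sh "$ap_ip"
}

# Why variant 2 is fragile: the child re-parses whatever the caller interpolated.
# A value containing shell syntax ("$HOME" here, constructed for the test) is
# expanded a second time inside the child, where HOME is unset under env -i.
reparse_double_quotes() {
    value='10.10.10.10 $HOME'
    env -i /bin/sh -c "echo $value"
}

# The positional form prints the value exactly as given.
reparse_positional() {
    value='10.10.10.10 $HOME'
    env -i /bin/sh -c 'printf "%s\n" "$1"' sh "$value"
}

# Variant 4 from the post (sudo echo ... >> /etc/hosts) is not emulated: the
# ">> /etc/hosts" redirection is performed by the unprivileged calling shell
# before sudo starts, which is why it fails with "Permission denied".
```

Note that the post's double-spaced `"$ap_ip  library"` collapses to single spaces in variant 2, because the child shell word-splits the already-expanded text before `echo` sees it; the single-quoted and positional forms keep the spacing. For the real /etc/hosts case the same idea without `sh -c` is `printf '%s library library.lan\n' "$ap_ip" | sudo tee -a /etc/hosts`, which keeps the redirection inside the privileged process.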


