Preserving Environment Variables When Using sudo: Methods and Configuration

Environment Variables and sudo Security Mechanisms

In Linux systems, environment variables are crucial components of process execution environments, defining the runtime context for applications. However, when using sudo commands to elevate privileges, the system resets most environment variables for security reasons, which may cause commands relying on specific environment variables to malfunction.

Taking HTTP proxy settings as an example, after a user sets the HTTP_PROXY environment variable, the wget command works normally under regular user privileges, but when using sudo wget, the command fails to recognize proxy settings due to environment variable reset. This behavior fundamentally stems from sudo's security policy design.

sudo Environment Variable Handling Mechanism

By default, sudo performs environment reset operations, retaining only a minimal set of secure environment variables. This behavior is controlled by the env_reset option, which is enabled by default in most Linux distributions. The reset environment includes only basic system variables like TERM, PATH, etc., while user-defined environment variables are cleared.

sudo's environment handling mechanism operates at multiple levels: first executing env_reset to reset the environment, then preserving specified variables according to env_keep configuration, and finally adding sudo-specific environment variables such as SUDO_USER, SUDO_UID. This layered approach ensures a balance between security and flexibility.

Configuring Environment Variable Preservation via sudoers File

The most stable and recommended approach involves modifying the /etc/sudoers file to configure which environment variables to preserve. This method provides system-level configuration that applies to all sudo sessions.

The configuration process begins by safely editing the sudoers file using the sudo visudo command:

sudo visudo

Add environment variable preservation configuration to the file. For proxy-related variables, configure as follows:

Defaults env_keep += "http_proxy"
Defaults env_keep += "https_proxy"
Defaults env_keep += "HTTP_PROXY"
Defaults env_keep += "HTTPS_PROXY"
Defaults env_keep += "ftp_proxy"
Defaults env_keep += "no_proxy"

In some Linux distributions like Ubuntu 14, each variable must be configured on a separate line, as multi-variable configurations may generate syntax errors. Once configured, these environment variables will be automatically preserved in all sudo sessions.

Temporary Solution: Using the -E Flag

For temporary needs, sudo's -E or --preserve-env flag can be used to preserve current environment variables:

export HTTP_PROXY=http://proxy.example.com:8080
sudo -E wget http://example.com/file

This method preserves all environment variables, but security implications must be considered. Certain environment variables may contain sensitive information or pose security risks in privileged contexts.

Specific variables can also be selectively preserved:

sudo --preserve-env=HTTP_PROXY,HTTPS_PROXY wget http://example.com/file

Configuration Details and Best Practices

In sudoers configuration, the env_keep parameter accepts space-separated variable name lists. Variable names support wildcard matching, for example env_keep += "*_PROXY" can match all variables ending with _PROXY.

Security considerations are paramount when configuring environment variable preservation. Variables that could be maliciously exploited, such as LD_PRELOAD, PYTHONPATH, should be avoided. For proxy variables, since they are primarily used for network connection configuration, the relative risk is lower.

Another important configuration option is secure_path, which defines the secure PATH value used in sudo sessions:

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

This configuration prevents PATH manipulation attacks, ensuring sudo only executes commands from trusted directories.

Practical Application Examples

Consider a complete proxy configuration scenario where users need to maintain proxy settings while using sudo, while ensuring the security of other environment variables:

# Set environment variables
export HTTP_PROXY=http://corporate-proxy:3128
export HTTPS_PROXY=http://corporate-proxy:3128
export no_proxy=localhost,127.0.0.1,.internal.example.com

# Configure sudoers to preserve proxy variables
sudo visudo
# Add the following content:
Defaults env_keep += "HTTP_PROXY"
Defaults env_keep += "HTTPS_PROXY"
Defaults env_keep += "no_proxy"

After the configuration takes effect, all sudo commands will automatically inherit proxy settings without requiring additional -E flags.

Troubleshooting and Verification

Methods to verify whether environment variables are correctly preserved include:

# Check individual variables
sudo bash -c 'echo $HTTP_PROXY'

# Compare complete environment differences
sudo bash -c 'env | grep -i proxy'

# Comprehensive check using env command
sudo env

If configurations don't take effect, first check if the sudoers file syntax is correct:

sudo visudo -c

Common configuration errors include syntax errors, permission issues, or variable name spelling mistakes.

Security Considerations and Risk Mitigation

While environment variable preservation provides convenience, security implications must be carefully considered. Preserving too many environment variables may bypass sudo's security mechanisms. It's recommended to follow the principle of least privilege, preserving only necessary variables.

For production environments, you should:

• Regularly audit the list of preserved environment variables
• Avoid preserving variables that may contain sensitive information
• Use application-specific configurations rather than environment variables for storing sensitive data
• Consider using the env_file option to load environment variables from protected files

Through reasonable configuration and continuous security assessment, an appropriate balance between convenience and security can be achieved.