added option to pass environment variables over sudo

author Lukas Schauer <lukas@schauer.dev>

Sun, 4 Aug 2024 10:04:56 +0000 (12:04 +0200)

committer Lukas Schauer <lukas@schauer.dev>

Sun, 4 Aug 2024 10:07:34 +0000 (12:07 +0200)
author Lukas Schauer <lukas@schauer.dev>
Sun, 4 Aug 2024 10:04:56 +0000 (12:04 +0200)
committer Lukas Schauer <lukas@schauer.dev>
Sun, 4 Aug 2024 10:07:34 +0000 (12:07 +0200)
diff --git a/CHANGELOG b/CHANGELOG

index 47092e14f51ef7dc57d08a29c0340bafc4c4a087..91ce851a692903764145a44aa5f0db362c2959ee 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,7 +2,8 @@
  This file contains a log of major changes in dehydrated
  
  ## [x.x.x] - xxxx-xx-xx
-...
+## Added
+- New config variable `DEHYDRATED_SUDO_ENV` to allow passing environment variables over sudo calls
  
  ## [0.7.1] - 2022-10-31
  ## Changed
diff --git a/dehydrated b/dehydrated

index a15fb048fc4d10910629f06b787b6f5a7aa78d74..a46ae17e8648f7b32eb37194d6eba91e96727962 100755 (executable)
--- a/dehydrated
+++ b/dehydrated
@@ -390,6 +390,7 @@ load_config() {
    AUTO_CLEANUP="no"
    DEHYDRATED_USER=
    DEHYDRATED_GROUP=
+  DEHYDRATED_SUDO_ENV="no"
    API="auto"
  
    if [[ -z "${CONFIG:-}" ]]; then
@@ -442,7 +443,11 @@ load_config() {
      if [[ -z "${DEHYDRATED_GROUP}" ]]; then
        if [[ "${EUID}" != "${TARGET_UID}" ]]; then
          echo "# INFO: Running $0 as ${DEHYDRATED_USER}"
-        has_sudo && exec sudo -u "${DEHYDRATED_USER}" "${0}" "${ORIGARGS[@]}"
+        if [ "${DEHYDRATED_SUDO_ENV}" = "yes" ]; then
+          has_sudo && exec sudo -E -H -u "${DEHYDRATED_USER}" "${0}" "${ORIGARGS[@]}"
+        else
+          has_sudo && exec sudo -u "${DEHYDRATED_USER}" "${0}" "${ORIGARGS[@]}"
+        fi
        fi
      else
        TARGET_GID="$(getent group "${DEHYDRATED_GROUP}" | cut -d':' -f3)" || _exiterr "DEHYDRATED_GROUP ${DEHYDRATED_GROUP} is invalid"
@@ -452,7 +457,11 @@ load_config() {
        fi
        if [[ "${EUID}" != "${TARGET_UID}" ]] || [[ "${EGID}" != "${TARGET_GID}" ]]; then
          echo "# INFO: Running $0 as ${DEHYDRATED_USER}/${DEHYDRATED_GROUP}"
-        has_sudo && exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" "${ORIGARGS[@]}"
+        if [ "${DEHYDRATED_SUDO_ENV}" = "yes" ]; then
+          has_sudo && exec sudo -E -H -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" "${ORIGARGS[@]}"
+        else
+          has_sudo && exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" "${ORIGARGS[@]}"
+        fi
        fi
      fi
    elif [[ -n "${DEHYDRATED_GROUP}" ]]; then
diff --git a/docs/examples/config b/docs/examples/config

index 51e38de365d1d64a555d34578bd1373f2cb65ddc..d5189082857b6d2dde0e46d73380a6b9bafd90aa 100644 (file)
--- a/docs/examples/config
+++ b/docs/examples/config
@@ -16,6 +16,9 @@
  # Which group should dehydrated run as? This will be implicitly enforced when running as root
  #DEHYDRATED_GROUP=
  
+# Should dehydrated pass environment variables over sudo?
+#DEHYDRATED_SUDO_ENV="no"
+
  # Resolve names to addresses of IP version only. (curl)
  # supported values: 4, 6
  # default: <unset>
author	Lukas Schauer <lukas@schauer.dev>
	Sun, 4 Aug 2024 10:04:56 +0000 (12:04 +0200)
committer	Lukas Schauer <lukas@schauer.dev>
	Sun, 4 Aug 2024 10:07:34 +0000 (12:07 +0200)
CHANGELOG		patch \| blob \| blame \| history
dehydrated		patch \| blob \| blame \| history
docs/examples/config		patch \| blob \| blame \| history