Re: Too much log for sudo.
On Thu, Oct 12, 2023 at 11:22:00AM -0400, Erwan David wrote:
> I use a script to run borg backup. For it to be able to back up files that
> only root may read, I use sudo --preserve-env=BORG_REPO,BORG_PASSPHRASE.
>
> However I see that in the logs the VALUE of the env variable is logged. How
> to change this?
You can either run "sudo -E" to push the entire environment through without
echoing any values in the sudo log, or play some games by re-invoking the
script with a clean environment. My environment with the BORG variables:
me% export BORG_REPO=/path/to/repo
me% export BORG_PASSPHRASE='horse battery'
me% env | sort
ATTRIBUTION=%f wrote:
BLOCKSIZE=1m
BORG_PASSPHRASE=horse battery
BORG_REPO=/path/to/repo
EDITOR=vim
[diaper-load of other variables]
XDG_CACHE_HOME=/home/vogelke/.cache
XDG_CONFIG_HOME=/home/vogelke/.config
XDG_DATA_HOME=/home/vogelke/.local/share
XDG_RUNTIME_DIR=/home/vogelke/.local/run
XDG_STATE_HOME=/home/vogelke/.local/state
Script to see if I'm running under a regular environment -- if so, restart
the same script with a bare minimum environment plus the BORG variables:
me% cat tst
#!/bin/bash
#<tst: rerun script under sudo using bash and env to clean environment.
export PATH=/usr/local/bin:/bin:/usr/bin
tag=${0##*/}
umask 022
logmsg () { echo "$(date '+%F %H:%M:%N') $tag: $*"; }

# Clean environment and start over.  env -i drops HOME along with everything
# else, so an empty HOME means we are already the re-executed copy.
case "$HOME" in
    "") logmsg 'clean environment' ;;
    *)  logmsg 'running exec'
        exec sudo env -i BORG_REPO="$BORG_REPO" \
            BORG_PASSPHRASE="$BORG_PASSPHRASE" "$0" ;;
esac

printf '\nRunning:\n'; ps -p $$
printf '\nID:\n'; id
printf '\nEnvironment:\n'; env | sort
exit 0
Results:
me% ./tst
2023-10-12 18:14:537431139 tst: running exec
2023-10-12 18:14:543722293 tst: clean environment
Running:
PID TT STAT TIME COMMAND
41675 1 S+ 0:00.00 /bin/bash ./tst
ID:
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
Environment:
BORG_PASSPHRASE=horse battery
BORG_REPO=/path/to/repo
PATH=/usr/local/bin:/bin:/usr/bin
PWD=/home/vogelke/notebook/2023/1012/clean-shell-environment
SHLVL=1
_=/usr/bin/env
Hope this gives you some ideas.
--
Karl Vogel I don't speak for anyone but myself.
Mary had a little key
she kept it in escrow
and everything that Mary sent
the Feds were sure to know. -- Andy Starritt, in sci.crypt
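Editor's note, with an added example that is not part of Karl's message and not borg's own code: in the script above the two values are passed to sudo as arguments to env, so they are still recorded in sudo's COMMAND= log field and are visible in ps for as long as env is running. The variant below keeps the same re-exec-with-a-clean-environment idea but writes the passphrase to the child's stdin; only env, a fixed PATH, the repo path, a marker variable and the script name go on the command line. stdin is used rather than a numbered descriptor because sudo closes descriptors above 2 by default, and it assumes sudo prompts for its own password on the tty (its default) rather than reading it from stdin with -S. SUDO, BORG_CLEAN_CHILD, launch_clean, read_passphrase_from_stdin and the "backup" subcommand are names chosen for this example; setting SUDO to the empty string runs the hand-off unprivileged so the plumbing can be tested.

```shell
#!/bin/bash
# Added example (not the script from the post): re-run under sudo with a clean
# environment, handing the passphrase over on stdin instead of as an argument
# to env, so it is absent from sudo's COMMAND= log entry and from ps.
# SUDO, BORG_CLEAN_CHILD, launch_clean, read_passphrase_from_stdin and the
# "backup" subcommand are names chosen for this example.
export PATH=/usr/local/bin:/bin:/usr/bin
umask 022

# SUDO= (empty) runs the second stage as the current user, for testing.
SUDO=${SUDO-sudo}

# Stage 1 -> stage 2 hand-off.  $1 = repo path, $2 = passphrase, rest = command.
# Everything after $SUDO is what sudo logs as COMMAND= and what ps shows; the
# passphrase only travels on the pipe.  stdin rather than fd 3+ because sudo
# closes descriptors above 2 unless closefrom_override is configured.
launch_clean() {
    local repo pass
    repo=$1; pass=$2
    shift 2
    printf '%s\n' "$pass" | $SUDO env -i PATH="$PATH" \
        BORG_REPO="$repo" BORG_CLEAN_CHILD=1 "$@"
}

# Stage 2: pick up the passphrase the parent wrote; fail closed if it is missing.
read_passphrase_from_stdin() {
    local pass
    IFS= read -r pass
    [ -n "$pass" ] || return 1
    BORG_PASSPHRASE=$pass
    export BORG_PASSPHRASE
}

main() {
    if [ -z "${BORG_CLEAN_CHILD-}" ]; then
        # Stage 1: the user's normal environment with BORG_* exported, as in
        # the original question.  Re-run ourselves under a clean environment.
        if [ -z "${BORG_REPO-}" ] || [ -z "${BORG_PASSPHRASE-}" ]; then
            echo "${0##*/}: BORG_REPO and BORG_PASSPHRASE must be set" >&2
            return 2
        fi
        launch_clean "$BORG_REPO" "$BORG_PASSPHRASE" "$0" backup
    else
        # Stage 2: clean environment, running as root when SUDO=sudo.
        read_passphrase_from_stdin || {
            echo "${0##*/}: no passphrase on stdin" >&2
            return 2
        }
        printf '\nID:\n'; id
        printf '\nEnvironment:\n'
        env | sort | sed 's/^BORG_PASSPHRASE=.*/BORG_PASSPHRASE=(set, not shown)/'
        # The real borg invocation, using "$BORG_REPO" and the exported
        # BORG_PASSPHRASE, replaces the listing above.
    fi
}

# Invoked as:  ./tst backup
# Only the subcommand form runs main, so the file can also be sourced to reuse
# the two functions.
case ${1-} in
    backup) main ;;
esac
```

To see what sudo would record, compare the argv built in launch_clean with the COMMAND= field of the resulting sudo log line: the repo path is there, the passphrase is not. If sudo is configured to require -S, this hand-off and the password prompt would compete for the same stdin, so use a file readable only by root and borg's own BORG_PASSCOMMAND instead.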