
Re: Too much log for sudo.



Hi,

On Thu, Oct 12, 2023 at 05:20:58PM +0200, Erwan David wrote:
> I use a script to run borg backup. For it to be able to back up files that
> only root may read, I use sudo --preserve-env=BORG_REPO,BORG_PASSPHRASE.
> 
> However I see that in the logs the VALUE of the env variable is logged. How
> to change this?

I don't think there is a way to stop that happening. If sudo will
log, it logs the names and values of any environment you specify on
its command line.

Your options as far as I am aware:

- Preserve your entire environment with sudo --preserve-env (no
  specific variables). It won't log the entire environment.

- Add an entry to sudoers that says to not log this particular
  command. There'll be no logging at all.

- Run the job as root to begin with.

- Make your script source another shell file that contains

  BORG_PASSPHRASE=whatever

  and have that file with appropriate restricted permissions.

Thanks,
Andy
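
An added example, not part of the original message: one way a backup script run under sudo could source the passphrase file from the last option, refusing it unless it is private. It assumes GNU stat (as on Debian); the function names and the path /root/.borg-passphrase are hypothetical.

```shell
#!/bin/sh
# Added example: source a secrets file only if it is private.
# Assumptions: GNU coreutils stat; function names and path are hypothetical.

# secret_file_ok FILE
# Succeeds only if FILE is a regular file (not a symlink), is owned by the
# user running the script, and grants nothing to group or other.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c %a -- "$f") || return 1    # e.g. 600, 640
    owner=$(stat -c %u -- "$f") || return 1   # numeric uid
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        *00) return 0 ;;   # last two octal digits 0: owner-only access
        *)   return 1 ;;
    esac
}

# load_borg_secret FILE
# Sourcing runs FILE as shell code with the script's privileges, so the
# ownership and mode checks matter as much as keeping the value secret.
load_borg_secret() {
    if ! secret_file_ok "$1"; then
        echo "refusing to source $1: must be owner-only and owned by uid $(id -u)" >&2
        return 1
    fi
    . "$1"
    export BORG_PASSPHRASE
}

# Usage inside the backup script, itself started with plain "sudo ./backup.sh"
# so that no variable names or values appear on the sudo command line:
#
#   load_borg_secret /root/.borg-passphrase || exit 1
#   borg create ...
```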

