Re: Too much log for sudo.

To: <debian-user@lists.debian.org>
Subject: Re: Too much log for sudo.
From: Karl Vogel <vogelke@pobox.com>
Date: Thu, 12 Oct 2023 18:26:48 -0400
Message-id: <[🔎] ZShyqEH0gZn3cfCZ@furbag>
Reply-to: vogelke@pobox.com
In-reply-to: <[🔎] 3fbed0c1-f120-4838-813b-660e67ad9db7@rail.eu.org>
References: <[🔎] 3fbed0c1-f120-4838-813b-660e67ad9db7@rail.eu.org>

On Thu, Oct 12, 2023 at 11:22:00AM -0400, Erwan David wrote:
> I use a script to run borg backup. For it to be able to backup files that
> only root may read, i use sudo --preserv-env=BORG_REPO,BORG_PASSPHRASE.
> 
> However I see that in the logs the VALUE of the env variable is loggued. How
> to change this?

You can either run "sudo -E" to push the entire environment through without
echoing any values in the sudo log, or play some games by re-invoking the
script with a clean environment.  My environment with the BORG variables:

    me% export BORG_REPO=/path/to/repo
    me% export BORG_PASSPHRASE='horse battery'

    me% env | sort
    ATTRIBUTION=%f wrote:
    BLOCKSIZE=1m
    BORG_PASSPHRASE=horse battery
    BORG_REPO=/path/to/repo
    EDITOR=vim

    [diaper-load of other variables]

    XDG_CACHE_HOME=/home/vogelke/.cache
    XDG_CONFIG_HOME=/home/vogelke/.config
    XDG_DATA_HOME=/home/vogelke/.local/share
    XDG_RUNTIME_DIR=/home/vogelke/.local/run
    XDG_STATE_HOME=/home/vogelke/.local/state

Script to see if I'm running under a regular environment -- if so, restart
the same script with a bare minimum environment plus the BORG variables:

    me% cat tst
    #!/bin/bash
    #<tst: rerun script under sudo using bash and env to clean environment.

    export PATH=/usr/local/bin:/bin:/usr/bin
    tag=${0##*/}
    umask 022

    logmsg () { echo "$(date '+%F %H:%M:%N') $tag: $@"; }

    # Clean environment and start over.
    case "$HOME" in
        "") logmsg 'clean environment' ;;

        *)  logmsg 'running exec'
            exec sudo env -i BORG_REPO="$BORG_REPO" \
                BORG_PASSPHRASE="$BORG_PASSPHRASE" $0 ;;
    esac

    printf '\nRunning:\n';     ps -p $$
    printf '\nID:\n';          id
    printf '\nEnvironment:\n'; env | sort
    exit 0

Results:

    me% ./tst
    2023-10-12 18:14:537431139 tst: running exec
    2023-10-12 18:14:543722293 tst: clean environment

    Running:
      PID TT  STAT    TIME COMMAND
    41675  1  S+   0:00.00 /bin/bash ./tst

    ID:
    uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

    Environment:
    BORG_PASSPHRASE=horse battery
    BORG_REPO=/path/to/repo
    PATH=/usr/local/bin:/bin:/usr/bin
    PWD=/home/vogelke/notebook/2023/1012/clean-shell-environment
    SHLVL=1
    _=/usr/bin/env

Hope this gives you some ideas.

-- 
Karl Vogel                      I don't speak for anyone but myself.

Mary had a little key
she kept it in escrow
and everything that Mary sent
the Feds were sure to know.         -- Andy Starritt, in sci.crypt

Reply to:

References:
- Too much log for sudo.
  - From: Erwan David <erwan@rail.eu.org>

Prev by Date: Re: Too much log for sudo.
Next by Date: Re: Too much log for sudo.
Previous by thread: Re: Too much log for sudo.
Next by thread: Linux source 6.1.38 with Debian patches
Index(es):
- Date
- Thread