diff --git a/configure.ac b/configure.ac index e547f7941..4c3def4bf 100644 --- a/configure.ac +++ b/configure.ac @@ -177,6 +177,7 @@ AC_SUBST([sssd_lib]) AC_SUBST([nsswitch_conf]) AC_SUBST([netsvc_conf]) AC_SUBST([secure_path]) +AC_SUBST([secure_path_config]) AC_SUBST([secure_path_status]) AC_SUBST([editor]) AC_SUBST([pam_session]) @@ -230,6 +231,7 @@ sesh_file="$libexecdir/sudo/sesh" visudo="$sbindir/visudo" nsswitch_conf=/etc/nsswitch.conf secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +secure_path_config= secure_path_status="disabled" pam_session=on pam_login_service=sudo @@ -1068,9 +1070,11 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file" SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file]) -AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])], +AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file, or "no" to comment out by default])], [case $with_secure_path_value in - yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.]) + yes) AC_MSG_ERROR([must give --with-secure-path-value an argument.]) + ;; + no) secure_path_config="# " ;; *) secure_path="$with_secure_path_value" ;; diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in index 8368c5e95..9e7621fde 100644 --- a/plugins/sudoers/sudoers.in +++ b/plugins/sudoers/sudoers.in @@ -48,7 +48,7 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL" ## Use a hard-coded PATH instead of the user's to find commands. ## This also helps prevent poorly written scripts from running ## artbitrary commands under sudo. -Defaults secure_path="@secure_path@" +@secure_path_config@Defaults secure_path="@secure_path@" ## ## You may wish to keep some of the following environment variables ## when running commands via sudo.