starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-11 22:30:44 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

Doesn't pass environment variables when run via sudo #622

New Issue
Open
opened 2025-12-29 01:27:54 +01:00 by adam · 3 comments
adam commented 2025-12-29 01:27:54 +01:00
Owner
Copy Link

Originally created by @haarp on GitHub (Aug 4, 2024).

Hey!

currently implementing dehydrated into my environment. I'm using lexicon for the dns-01 challenge.

As I'm using DEHYDRATED_USER and DEHYDRATED_GROUP, sudo is used to run the script. However, sudo by default does not pass environment variables. As a result the clear and easy way of running dehydrated+lexicon using env variables as described here (with this hook) does not work.

This can easily be mitigated by having sudo pass env variables. The -E -H options should be added. -E passes env variables, while -H sets a proper HOME (which would be the wrong one from the env vars otherwise)

I've been running it this way for a while now and see no issues. Would you consider making this the default?

Thanks a lot!

Originally created by @haarp on GitHub (Aug 4, 2024). Hey! currently implementing dehydrated into my environment. I'm using [lexicon](https://github.com/AnalogJ/lexicon) for the dns-01 challenge. As I'm using `DEHYDRATED_USER` and `DEHYDRATED_GROUP`, sudo is used to run the script. However, sudo by default does not pass environment variables. As a result the clear and easy way of running dehydrated+lexicon using env variables as described [here](https://dns-lexicon.readthedocs.io/en/latest/user_guide.html#let-s-encrypt-instructions) (with [this hook](https://github.com/AnalogJ/lexicon/blob/master/examples/dehydrated.default.sh)) does not work. This can easily be mitigated by having sudo pass env variables. The `-E -H` options should be added. `-E` passes env variables, while `-H` sets a proper `HOME` (which would be the wrong one from the env vars otherwise) I've been running it this way for a while now and see no issues. Would you consider making this the default? Thanks a lot!
adam commented 2025-12-29 01:27:54 +01:00
Author
Owner
Copy Link

@lukas2511 commented on GitHub (Aug 4, 2024):

I've created a branch with a new config variable DEHYDRATED_SUDO_ENV that should allow this behaviour. Could you please check if that would solve your problem? https://github.com/dehydrated-io/dehydrated/tree/sudo-env

@lukas2511 commented on GitHub (Aug 4, 2024): I've created a branch with a new config variable `DEHYDRATED_SUDO_ENV` that should allow this behaviour. Could you please check if that would solve your problem? https://github.com/dehydrated-io/dehydrated/tree/sudo-env
adam commented 2025-12-29 01:27:55 +01:00
Author
Owner
Copy Link

@haarp commented on GitHub (Aug 4, 2024):

Hey, thanks for the super quick response! I've thrown 911a822 on top of my dehydrated, added DEHYDRATED_SUDO_ENV=yes to the config and gave it a test with --force --force-validation. It works, thanks a lot!

Tho I wonder if a config variable is really necessary. Generally it's normal to keep the env when dropping privileges, e.g. daemons using setsid/setgid. I'm trying to think of conditions where this env could be problematic. Apart from gross admin incompetence (unrelated secrets stored in env vars being leaked to a malicious hook) I can't think of any.

@haarp commented on GitHub (Aug 4, 2024): Hey, thanks for the super quick response! I've thrown 911a822 on top of my dehydrated, added `DEHYDRATED_SUDO_ENV=yes` to the config and gave it a test with `--force --force-validation`. It works, thanks a lot! Tho I wonder if a config variable is really necessary. Generally it's normal to keep the env when dropping privileges, e.g. daemons using `setsid`/`setgid`. I'm trying to think of conditions where this env could be problematic. Apart from gross admin incompetence (unrelated secrets stored in env vars being leaked to a malicious hook) I can't think of any.
adam commented 2025-12-29 01:27:56 +01:00
Author
Owner
Copy Link

@haarp commented on GitHub (Sep 13, 2025):

Hey, any news on this? Been using the patch in that branch for a while now and have no problems with it. Could you merge it? Cheers!

@haarp commented on GitHub (Sep 13, 2025): Hey, any news on this? Been using the patch in that branch for a while now and have no problems with it. Could you merge it? Cheers!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#622
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?