Actually, it's a bit more complicated than that. There are a couple of definitions that need to exist in /etc/sudoers.
The controlling flags that determine what happens with the sudo environment are: env_check, env_keep, and env_reset.
The man page for sudoers does a good job of explaining this in the "Command environment" section:
$ man --pager="less -p '^\ *Command environment'" sudoers
In an out-of-the-box Ubuntu configuration, the flag that is defined for PATH is called secure_path (enabled by default). The value is used in place of the user PATH to launch sudo because env_reset is also enabled by default:
$ man sudoers | egrep "^\ *secure_path" -A4 | sed 's/^ *//'
secure_path If set, sudo will use this value in place of the user's PATH environment variable. This option can be used to reset the PATH to a known good
value that contains directories for system administrator commands such as /usr/sbin.
Users in the group specified by the exempt_group option are not affected by secure_path. This option is not set by default.
(Edit: The last line above is referring to the exempt_group not being enabled by default, not the secure_path.)
You can modify it using visudo (recommended) or display it:
$ sudo grep secure_path /etc/sudoers
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Other times the commands are built in to bash (like echo) and are not an executable that you can reference in a PATH variable. These are the times you have to pipe some value into a sudo bash -c or other ways.
sudo is not supposed to find anything. The user runs the command, and sometimes it is preceded with sudo. – mikewhatever Aug 27 '22 at 15:10
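The secure_path behaviour described in the answer above can be checked with a short script. This is an added example, not code from the original post: the function names (secure_path_from, resolve_in, explain) and the sandbox files are constructed for illustration, and only the simple global form of the Defaults secure_path line shown in the answer is parsed.

```shell
#!/bin/sh
# Added example: reports whether a command is visible to the user, to sudo,
# or both once secure_path replaces PATH. Assumption: scoped Defaults and
# files under /etc/sudoers.d are ignored.

# Print the value of the last secure_path line in sudoers-style file $1.
secure_path_from() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the first executable named $1 in the colon-separated list $2.
# Runs in a subshell so the IFS and noglob changes do not leak out.
resolve_in() (
    set -f; IFS=:
    for dir in $2; do
        # Skip empty or relative entries; they depend on the current directory.
        case $dir in /*) ;; *) continue ;; esac
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# $1 = command, $2 = user's PATH, $3 = sudoers file.
# Prints both, user-only, sudo-only, neither, or no-secure_path.
explain() {
    sp=$(secure_path_from "$3")
    if [ -z "$sp" ]; then echo no-secure_path; return 0; fi
    if resolve_in "$1" "$2" >/dev/null; then u=1; else u=0; fi
    if resolve_in "$1" "$sp" >/dev/null; then s=1; else s=0; fi
    case $u$s in
        11) echo both ;; 10) echo user-only ;;
        01) echo sudo-only ;; *) echo neither ;;
    esac
}

# Constructed sandbox: a fake sudoers file and two directories, so nothing
# here reads the real /etc/sudoers or needs root.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sbin" "$d/home/bin"
    printf '#!/bin/sh\n' > "$d/home/bin/mytool"; chmod +x "$d/home/bin/mytool"
    printf '#!/bin/sh\n' > "$d/sbin/admintool"; chmod +x "$d/sbin/admintool"
    printf 'Defaults secure_path="%s"\n' "$d/sbin" > "$d/sudoers"
    for c in mytool admintool missing; do
        printf '%s: %s\n' "$c" "$(explain "$c" "$d/home/bin:$d/sbin" "$d/sudoers")"
    done
    rm -rf "$d"
}
demo
```

A result of user-only is the case the answer describes: the command sits in a directory on the user's PATH that is not listed in secure_path, so sudo does not find it.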