Opened 2 months ago
Closed 2 months ago
#70680 closed defect (fixed)
sudo @1.9.16 -- sudo: port: command not found
Reported by: | RobK88 | Owned by: | Marius Schamschula <mschamschula@…> |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.10.1 |
Keywords: | | Cc: | Schamschula (Marius Schamschula) |
Port: | port |
Description (last modified by RobK88)
I just installed sudo @1.9.16 on my Mac running El Capitan.
I am using the default sudoers file. No changes.
But I cannot run the sudo port command. I get command not found.
I have rebooted my Mac. Same problem.

    MacBook-Pro:~ grinch$ which sudo
    /opt/local/bin/sudo
    MacBook-Pro:~ grinch$ which port
    /opt/local/bin/port
    MacBook-Pro:~ grinch$ echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    MacBook-Pro:~ grinch$ sudo echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    MacBook-Pro:~ grinch$ sudo port outdated
    sudo: port: command not found
    MacBook-Pro:~ grinch$ dscacheutil -q group -a name admin
    name: admin
    password: *
    gid: 80
    users: root grinch rob
    MacBook-Pro:~ grinch$

Attachments (1)
Change History (27)
comment:1 Changed 2 months ago by RobK88
Description: | modified (diff) |
---|
Changed 2 months ago by RobK88
comment:2 Changed 2 months ago by RobK88
Description: | modified (diff) |
---|
comment:3 Changed 2 months ago by Schamschula (Marius Schamschula)
That's strange!
sudo works, as you were able to run sudo echo $PATH
Try opening a new shell.
comment:4 Changed 2 months ago by RobK88
Hmm.. Here is another example of the problem.... Opening a new shell does not solve the problem.

    grinch$ which sudo
    /opt/local/bin/sudo
    grinch$ sudo which port
    grinch$
    grinch$ bash
    bash-5.2$
    bash-5.2$ which sudo
    /opt/local/bin/sudo
    bash-5.2$ which port
    /opt/local/bin/port
    bash-5.2$ sudo which port
    bash-5.2$ sudo port
    sudo: port: command not found

comment:5 Changed 2 months ago by RobK88
Strange sudo works for some commands but not all.. I am logged in as an admin user.

    bash-5.2$ echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    bash-5.2$ sudo echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    bash-5.2$ sudo port
    sudo: port: command not found

comment:6 Changed 2 months ago by Schamschula (Marius Schamschula)
Try sudo bash, and then run which port and echo $PATH.
However, sudo port has always worked for me.
BTW: you've got /usr/local/bin in your path. That may cause some issues, if there is anything installed there.
comment:7 Changed 2 months ago by RobK88
I can run port with sudo but I must supply the full path to port

    bash-5.2$ sudo /opt/local/bin/port version
    Version: 2.10.1
    bash-5.2$ sudo port version
    sudo: port: command not found
    bash-5.2$ echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    bash-5.2$ sudo echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin

comment:8 Changed 2 months ago by RobK88
Here you go..

    bash-5.2$ sudo bash
    bash-3.2#
    bash-3.2# which port
    bash-3.2#
    bash-3.2# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    bash-3.2#

comment:9 Changed 2 months ago by RobK88
Here is more info:

    bash-3.2# cat /etc/profile
    # System-wide .profile for sh(1)

    if [ -x /usr/libexec/path_helper ]; then
        eval `/usr/libexec/path_helper -s`
    fi

    if [ "${BASH-no}" != "no" ]; then
        [ -r /etc/bashrc ] && . /etc/bashrc
    fi
    bash-3.2#
    bash-3.2# cat /etc/bashrc
    # System-wide .bashrc file for interactive bash(1) shells.
    if [ -z "$PS1" ]; then
        return
    fi

    PS1='\h:\W \u\$ '
    # Make bash check its window size after a process completes
    shopt -s checkwinsize

    [ -r "/etc/bashrc_$TERM_PROGRAM" ] && . "/etc/bashrc_$TERM_PROGRAM"
    bash-3.2# cat ~/.bash_profile
    cat: /Users/grinch/.bash_profile: No such file or directory
    bash-3.2# cat ~/.profile
    # MacPorts Installer addition on 2024-08-19_at_18:46:59: adding an appropriate PATH variable for use with MacPorts.
    export PATH="/opt/local/bin:/opt/local/sbin:$PATH"
    # Finished adapting your PATH environment variable for use with MacPorts.
    bash-3.2#

comment:10 Changed 2 months ago by Schamschula (Marius Schamschula)
So, it seems, we have a path issue! When I'm running sudo bash, I get

    bash-5.2# echo $PATH
    /opt/local/bin:/opt/local/sbin:/Users/marius/Development/MacPorts/ports/bin:/Users/marius/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/X11R6/bin

Note: I'm running MacPorts bash, rather than the ancient version in macOS.
comment:11 Changed 2 months ago by ryandesign (Ryan Carsten Schmidt)
Replying to RobK88:

    MacBook-Pro:~ grinch$ sudo echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin

$PATH gets expanded by your current shell before sudo is ever executed.
comment:12 Changed 2 months ago by RobK88
I have also installed MacPorts bash. But for some reason when I execute sudo bash, the old bash runs:

    grinch$ bash --version
    GNU bash, version 5.2.32(1)-release (x86_64-apple-darwin15.6.0)
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Harrys-and-Moms-MacBook-Pro:~ grinch$ sudo bash
    bash-3.2#
    bash-3.2# bash --version
    GNU bash, version 3.2.57(1)-release (x86_64-apple-darwin15)
    Copyright (C) 2007 Free Software Foundation, Inc.
    bash-3.2#

comment:13 Changed 2 months ago by RobK88
According to the bash manual:
When an interactive shell that is not a login shell is started, bash reads and executes commands from ~/.bashrc, if that file exists. This may be inhibited by using the --norc option. The --rcfile file option will force bash to read and execute commands from file instead of ~/.bashrc.
The MacPorts paths are added in ~/.profile. ~/.bashrc does not exist. P.S. I tried adding the MacPorts paths in ~/.bashrc. It did not work.

    bash-3.2# cat ~/.profile
    # MacPorts Installer addition on 2024-08-19_at_18:46:59: adding an appropriate PATH variable for use with MacPorts.
    export PATH="/opt/local/bin:/opt/local/sbin:$PATH"
    # Finished adapting your PATH environment variable for use with MacPorts.
    bash-3.2#
    bash-3.2# cat ~/.bashrc
    cat: /Users/grinch/.bashrc: No such file or directory

comment:14 Changed 2 months ago by RobK88
I am baffled. bash appears to be configured properly. But sudo does not appear to obey the $PATH.

    grinch$ echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    grinch$ sudo echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    grinch$ sudo bash
    bash-3.2#
    bash-3.2# echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    bash-3.2# sudo port
    sudo: port: command not found
    bash-3.2#

comment:15 Changed 2 months ago by RobK88
Please note that everything works again once I uninstall MacPorts sudo. I do think there is a bug with the sudo port at least when one is running El Capitan:

    grinch$ echo $PATH
    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
    grinch$ port version
    Version: 2.10.1
    grinch$ sudo port version
    Version: 2.10.1
    grinch$ bash --version
    GNU bash, version 5.2.32(1)-release (x86_64-apple-darwin15.6.0)
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    grinch$ bash
    bash-5.2$
    bash-5.2$ bash --version
    GNU bash, version 5.2.32(1)-release (x86_64-apple-darwin15.6.0)
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

    This is free software; you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    bash-5.2$

comment:16 Changed 2 months ago by Schamschula (Marius Schamschula)
As everything works under current macOS versions, it is difficult for me to track down the issue on an OS I currently no longer can test on.
There are other MacPorts maintainers who do run older OS versions (including on PPC machines). Hopefully, one of them can chime in if the current version of sudo is working on their machine.
comment:17 Changed 2 months ago by jmroot (Joshua Root)
From your attached sudoers:
Defaults env_reset
PATH is not among the variables subsequently added to env_keep. See also the secure_path setting.
comment:18 Changed 2 months ago by RobK88
I found the bug in the sudo port!!
The default /opt/local/etc/sudoers file in the sudo port sets the secure_path variable:

    ## Use a hard-coded PATH instead of the user's to find commands.
    ## This also helps prevent poorly written scripts from running
    ## artbitrary commands under sudo.
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

I recommend that the sudo port patch the /opt/local/etc/sudoers file and comment out the above Defaults line.
P.S. One could set the Defaults line to something like:

    Defaults secure_path=$PATH

But that would defeat the whole purpose of the secure_path variable since a script or a person could easily change the PATH variable.
I commented out the Defaults secure_path line and now everything works! sudo can now find the port command.
P.S. You may want to see https://unix.stackexchange.com/questions/83191/how-to-make-sudo-preserve-path
comment:19 follow-up: 21 Changed 2 months ago by Schamschula (Marius Schamschula)
Sure enough: On my system that line is commented out (as that sudoers file has been there a long time), but sudoers.dist doesn't have a comment on that line.
I'm not sure when this was changed upstream: need to check the release notes.
--with-secure-path-value can be used to set this correctly.
comment:20 Changed 2 months ago by Schamschula (Marius Schamschula)
Indeed: According to the release notes, this change was just introduced with version 1.9.16.
comment:21 follow-up: 22 Changed 2 months ago by jmroot (Joshua Root)
Replying to Schamschula:
I'm not sure when this was changed upstream: need to check the release notes.
I remember we went through this years ago when Apple first shipped a version that defaulted to sanitising the environment.
Using whatever PATH happens to be set is not a good (secure) default, but adding the MacPorts prefix to the default secure_path might be OK.
comment:22 Changed 2 months ago by Schamschula (Marius Schamschula)
Replying to jmroot:
Replying to Schamschula:
I'm not sure when this was changed upstream: need to check the release notes.
I remember we went through this years ago when Apple first shipped a version that defaulted to sanitising the environment.
Using whatever PATH happens to be set is not a good (secure) default, but adding the MacPorts prefix to the default secure_path might be OK.
I'm thinking of substituting the MacPorts path for /usr/local/*, i.e. setting

    --with-secure-path-value=/opt/local/sbin:/opt/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

If someone wants/needs /usr/local/bin or /usr/local/sbin, they can edit sudoers, even though that has several hurdles. In my case, the command line tools for BBEdit are installed under /usr/local/bin.
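Added example (not from the ticket or from the sudo port): a small shell model of the lookup this thread converges on, assuming sudo searches secure_path when it is set and the invoking user's PATH otherwise, which matches the behaviour reported in comment:8 and comment:18. It resolves `port` under the 1.9.16 default, the value proposed in comment:22, and the commented-out line, against a constructed directory tree; the function names and the temporary tree are illustrative.

```shell
#!/bin/sh
# Added example: a model of sudo's command lookup. Sudoers texts and the
# directory tree are constructed; function names are illustrative.
# On a real system, sudo sh -c 'echo "$PATH"' (single quotes) shows the PATH
# sudo hands to the command; sudo echo $PATH only shows the caller's.

# Print the secure_path value found in sudoers text on stdin (last active
# Defaults line; simplification). Prints nothing if absent or commented out.
secure_path_of() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' |
        tail -n 1
}

# Resolve command $2 against colon-separated list $1; $3 is an optional root
# prefix so the demo can search a constructed tree instead of /.
resolve_in() {
    _old_ifs=$IFS; IFS=:
    for _d in $1; do
        if [ -x "$3$_d/$2" ] && [ ! -d "$3$_d/$2" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_d/$2"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# Assumed model: search secure_path when set, else the invoking user's PATH.
sudo_lookup() {  # sudo_lookup <sudoers-text> <caller-PATH> <cmd> [root]
    _sp=$(printf '%s\n' "$1" | secure_path_of)
    resolve_in "${_sp:-$2}" "$3" "$4"
}

ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT   # constructed filesystem
mkdir -p "$ROOT/opt/local/bin" "$ROOT/usr/bin"
: > "$ROOT/opt/local/bin/port"; chmod +x "$ROOT/opt/local/bin/port"

USER_PATH=/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin
SUDOERS_1916='Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
SUDOERS_PROPOSED='Defaults env_reset
Defaults secure_path="/opt/local/sbin:/opt/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
SUDOERS_COMMENTED='Defaults env_reset
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'

for _name in SUDOERS_1916 SUDOERS_PROPOSED SUDOERS_COMMENTED; do
    eval "_text=\$$_name"
    _hit=$(sudo_lookup "$_text" "$USER_PATH" port "$ROOT") || _hit='command not found'
    printf '%-18s port -> %s\n' "$_name" "$_hit"
done
```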
comment:23 Changed 2 months ago by RobK88
Setting secure_path will definitely make sudo and one's Mac more secure. But you will likely get more bug reports when users can no longer use sudo to execute commands in /usr/local/bin etc.
If you decide to set secure_path, I would also recommend updating the notes section of the portfile to notify users that they will need to update the /opt/local/etc/sudoers file if they want sudo to execute commands in paths like /usr/local/bin etc
Personally, I would just comment out the DEFAULTS secure_path line in the sudoers file. And just tell users to modify the sudoers file to their needs like before.
comment:24 Changed 2 months ago by Schamschula (Marius Schamschula)
Well, that defeats the upstream change, which was introduced for a good reason.
Maybe I should keep /usr/local/sbin:/usr/local/bin in the secure_path. That should cover most use cases. If someone has something in ~/bin or elsewhere then they will have to run visudo as the notes already suggest.
comment:25 Changed 2 months ago by RobK88
If you want to keep the upstream change, at minimum you will need to prefix /opt/local/bin:/opt/local/sbin: to secure_path.
FYI, here is my $PATH. Pretty standard. Note the /opt/X11/bin at the end of $PATH

    /opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/opt/X11/bin

Setting secure_path will certainly make sudo more secure. But I would add a note to the notes section of the Portfile

    notes "
    To complete the installation, run:
    \t${prefix}/bin/sudo ${prefix}/sbin/visudo
    Edit as necessary. (See the sudoers manpage for additional information.)

    Please note that you may need to edit 'defaults secure_path' in the sudoers file if you use a non-standard $PATH value
    "

comment:26 Changed 2 months ago by Marius Schamschula <mschamschula@…>
Owner: | set to Marius Schamschula <mschamschula@…> |
---|---|
Resolution: | → fixed |
Status: | new → closed |
/opt/local/etc sudoers file