The exempt_group option in sudo does not work on Red Hat Enterprise Linux

Environment

Red Hat Enterprise Linux (RHEL) 5
Red Hat Enterprise Linux (RHEL) 6

Issue

The exempt_group option is not working correctly for sudo-1.7.4p5-13.el6_3.

For the following configuration in /etc/sudoers:

User_Alias  EXEMPTUSER = exempt
Defaults    exempt_group = EXEMPTUSER
Defaults    env_reset
Defaults    env_keep += "PATH"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/

sudo is expected to keep the PATH environment variable for user exempt, who is a member of exempt_group.

Currently the PATH variable is not preserved but is replaced with the secure_path defined in sudoers.

Resolution

Choose or create the system group to which you want to grant the exempt_group Defaults and ensure that user exempt is a member of that group:

# id -Gn exempt

Remove the

User_Alias  EXEMPTUSER = exempt

line and change the line

Defaults    exempt_group = EXEMPTUSER

to

Defaults    exempt_group = exempt

in sudoers.

Root Cause

The exempt_group Defaults option expects a system group to be specified, not a User_Alias defined in /etc/sudoers. sudo resolves the value against the system group database, so a name that only exists as an alias in sudoers matches no group and nobody is exempted.
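The mistake above is easy to make and easy to miss, because sudoers parses cleanly either way. The following POSIX shell script is an added example for this article, not Red Hat's own tooling: it reads a sudoers file, extracts the value of "Defaults exempt_group", and reports whether that value is declared as a User_Alias in the same file (the misconfiguration from the report) or is a plain name that sudo will look up as a system group. The function names and the two sample sudoers files are constructed for illustration; the optional host check assumes getent is available.

```shell
#!/bin/sh
# Added example (not Red Hat's own tooling): check whether "Defaults exempt_group"
# in a sudoers file names a User_Alias instead of a system group.
# Function names and the sample sudoers content are constructed for this example.

# Print the value assigned by "Defaults exempt_group = <value>" in file $1
# (first match only, trailing comment stripped); print nothing if it is unset.
exempt_group_value() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}exempt_group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Classify the exempt_group setting in file $1:
#   unset - no "Defaults exempt_group" line
#   alias - the value is declared as a User_Alias in the same file (the bug in the article)
#   group - the value is not an alias, so sudo will look it up as a system group
exempt_group_kind() {
    name=$(exempt_group_value "$1")
    if [ -z "$name" ]; then
        echo unset
    elif grep -Eq "^[[:space:]]*User_Alias[[:space:]]+$name[[:space:]]*=" "$1"; then
        echo alias
    else
        echo group
    fi
}

# Optional host check: does the named group exist in the group database?
# Returns 0 if it does. Depends on the host, so it is not exercised on the samples.
exempt_group_exists() {
    getent group "$(exempt_group_value "$1")" >/dev/null 2>&1
}

# Constructed sample files: the configuration from the report, and the corrected one.
BROKEN_SUDOERS=$(mktemp)
FIXED_SUDOERS=$(mktemp)
trap 'rm -f "$BROKEN_SUDOERS" "$FIXED_SUDOERS"' EXIT

cat > "$BROKEN_SUDOERS" <<'EOF'
User_Alias  EXEMPTUSER = exempt
Defaults    exempt_group = EXEMPTUSER
Defaults    env_reset
Defaults    env_keep += "PATH"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/
EOF

cat > "$FIXED_SUDOERS" <<'EOF'
Defaults    exempt_group = exempt   # system group, not a User_Alias
Defaults    env_reset
Defaults    env_keep += "PATH"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/
EOF

# Report both samples; the first is classified "alias", the second "group".
for f in "$BROKEN_SUDOERS" "$FIXED_SUDOERS"; do
    echo "$f: exempt_group=$(exempt_group_value "$f") kind=$(exempt_group_kind "$f")"
done
```

Run it against a copy of the real file (for example after "visudo -c" has confirmed the syntax) and a result of "alias" means secure_path will still be applied to everyone, exactly as the report describes; "group" only says the name is not an alias, so follow up with exempt_group_exists to confirm the group is actually defined on the host.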

Diagnostic Steps

Steps to reproduce the issue:

  1. Configure /etc/sudoers according to the reported issue.

  2. Create an executable script /tmp/ containing:

     echo $PATH

  3. Check PATH when logged in as root:

     # echo $PATH

  4. Check PATH when logged in as exempt (in system group exempt):

     $ echo $PATH

  5. Check the output of sudo /tmp/ when logged in as exempt:

     $ sudo /tmp/

The expected echoed path (due to the exempt_group Defaults option) is:


The sudoers manual page says the following on exempt_group and User_Alias:

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.

     User_Alias ::= NAME '=' User_List

exempt_group
     Users in this group are exempt from password and PATH requirements. This is not set by default.

secure_path
     Path used for every command run from sudo.  If you don't trust the people running sudo to have a sane
     PATH environment variable you may want to use this.  Another use is if you want to have the "root path"
     be separate from the "user path."  Users in the group specified by the exempt_group option are not
     affected by secure_path. This option is not set by default.

Therefore Defaults exempt_group should be set to a system group, not to the User_Alias.

Repeat the reproducer with

Defaults    exempt_group = exempt

in sudoers.

