preserve the FEATURES env variable when calling sudo

Signed-off-by: Reuben Miller <reuben.d.miller@gmail.com>
thin-edge · Oct 4, 2024 · dfee1be · dfee1be
1 parent e8249f5
commit dfee1be
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/images/child-device-container/child.dockerfile b/images/child-device-container/child.dockerfile
@@ -10,7 +10,8 @@ RUN apk add --no-cache \
         tedge-apk-plugin \
         tedge-pki-smallstep-client \
     && echo "tedge  ALL = (ALL) NOPASSWD: /usr/bin/tedge, /usr/bin/tedge-write /etc/*, /etc/tedge/sm-plugins/[a-zA-Z0-9]*, /bin/sync, /bin/kill" > /etc/sudoers.d/tedge \
-    && echo "tedge  ALL = (ALL) NOPASSWD: /usr/bin/step-ca-admin.sh, /usr/bin/enroll.sh, /usr/sbin/update-ca-certificates" > /etc/sudoers.d/step-ca \
+    && echo "Defaults        env_keep += \"FEATURES\"" > /etc/sudoers.d/step-ca \
+    && echo "tedge  ALL = (ALL) NOPASSWD: /usr/bin/step-ca-admin.sh, /usr/bin/enroll.sh, /usr/sbin/update-ca-certificates" >> /etc/sudoers.d/step-ca \
     # Allow tedge user to control this folder
     && mkdir -p /etc/step-ca \
     && chown -R tedge:tedge /etc/step-ca

diff --git a/images/child-device-container/entrypoint.sh b/images/child-device-container/entrypoint.sh
@@ -7,6 +7,8 @@ if [ -n "$PROVISION_PASSWORD" ]; then
     printf -- '%s' "$PROVISION_PASSWORD" > "$PROVISION_PASSWORD_FILE"
     chmod 600 "$PROVISION_PASSWORD_FILE"
 fi
+
+# Note: The FEATURES variable MUST BE included in the env_keep seting of the sudoers file
 (cd /tmp && sudo /usr/bin/enroll.sh --no-inherit-env --provisioner-password-file "$PROVISION_PASSWORD_FILE")
 rm -f "$PROVISION_PASSWORD_FILE"