Add /bin to sudo secure_path

base-notebook/start.sh

@@ -50,9 +50,11 @@ if [ $(id -u) == 0 ] ; then
     if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then
         echo "Granting $NB_USER sudo access and appending $CONDA_DIR/bin to sudo PATH"
         echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook
-        sed -ri "s#Defaults\s+secure_path=\"([^\"]+)\"#Defaults secure_path=\"\1:$CONDA_DIR/bin\"#" /etc/sudoers
     fi
 
+    # Add $CONDA_DIR/bin to sudo secure_path
+    sed -ri "s#Defaults\s+secure_path=\"([^\"]+)\"#Defaults secure_path=\"\1:$CONDA_DIR/bin\"#" /etc/sudoers
+
     # Exec the command as NB_USER with the PATH and the rest of
     # the environment preserved
     echo "Executing the command: $cmd"

base-notebook/test/test_container_options.py

@@ -85,6 +85,18 @@ def test_sudo_path(container):
     assert c.logs(stdout=True).decode('utf-8').rstrip().endswith('/opt/conda/bin/jupyter')
 
 
+def test_sudo_path_without_grant(container):
+    """Container should include /opt/conda/bin in the sudo secure_path."""
+    c = container.run(
+        tty=True,
+        user='root',
+        command=['start.sh', 'which', 'jupyter']
+    )
+    rv = c.wait(timeout=10)
+    assert rv == 0
+    assert c.logs(stdout=True).decode('utf-8').rstrip().endswith('/opt/conda/bin/jupyter')
+
+
 def test_group_add(container, tmpdir):
     """Container should run with the specified uid, gid, and secondary
     group.