Preserve PATH when using sudo -E

jupyterhub admins should be able to run `sudo -E pip install numpy`
and install numpy into the user environment. However, since pip
is in the PATH we explicitly set in jupyterhub_config.py and
sudo doesn't preserve PATH, this won't work.

We exempt jupyterhub-admins groups from the PATH restriction,
so sudo -E works. This has some security costs, but we are already
allowing passwordless roots for them with unrestricted paths...

tljh/installer.py

@@ -73,7 +73,12 @@ user.ensure_group('jupyterhub-admins')
 user.ensure_group('jupyterhub-users')
 
 with open('/etc/sudoers.d/jupyterhub-admins', 'w') as f:
-    f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL')
+    # JupyterHub admins should have full passwordless sudo access
+    f.write('%jupyterhub-admins ALL = (ALL) NOPASSWD: ALL\n')
+    # `sudo -E` should preserve the $PATH we set. This allows
+    # admins in jupyter terminals to do `sudo -E pip install <package>`,
+    # `pip` is in the $PATH we set in jupyterhub_config.py to include the user conda env.
+    f.write('Defaults exempt_group = jupyterhub-admins')
 
 conda.ensure_conda_env(USER_ENV_PREFIX)
 conda.ensure_conda_packages(USER_ENV_PREFIX, [