[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2021-10-26 Thread Rolf Leggewie
@kibitih, please don't change the bug status without at least providing an upload or some kind of explanation
** Changed in: ubuntu-release-notes Status: Fix Committed => Confirmed
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2021-10-24 Thread Hassan Kibiti
** Changed in: ubuntu-release-notes Status: Confirmed => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1556302 Title: Ubuntu patch to add HOME to env_keep makes custom commands

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2020-06-04 Thread Brian Murray
** Changed in: ubuntu-release-notes Status: New => Confirmed

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2020-03-27 Thread Dan Streetman
** Changed in: sudo (Ubuntu Disco) Status: In Progress => Won't Fix
** Changed in: sudo (Ubuntu Cosmic) Status: In Progress => Won't Fix
** Changed in: sudo (Ubuntu Bionic) Assignee: Dan Streetman (ddstreet) => (unassigned)
** Changed in: sudo (Ubuntu Xenial) Assignee:

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-09-23 Thread Dan Streetman
Follow up for anyone coming here because of Ubuntu's unique (pre-19.10) behavior of not changing $HOME when calling sudo; if this is causing you problems, you should change your calling of sudo to include the -H param which will force sudo on Ubuntu to change HOME to the target user's homedir,

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-26 Thread Robie Basak
** Also affects: ubuntu-release-notes Importance: Undecided Status: New

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-21 Thread Dan Streetman
manpage patches for SRU releases are in git here: https://code.launchpad.net/~ddstreet/ubuntu/+source/sudo/+git/sudo and builds here: https://launchpad.net/~ddstreet/+archive/ubuntu/lp1556302 As this is a manpage-only SRU, it's likely to be rejected if uploaded by itself; if anyone has any

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-19 Thread Launchpad Bug Tracker
This bug was fixed in the package sudo - 1.8.27-1ubuntu2
---
sudo (1.8.27-1ubuntu2) eoan; urgency=medium
  * Remove d/p/keep_home_by_default.patch (LP: #1556302)
    - This restores sudo handling of $HOME to what everyone else does
 -- Dan Streetman Tue, 04 Jun 2019 08:58:02 -0400

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-19 Thread Dan Streetman
** Description changed: + [impact] + + sudo does not set HOME to the target user's HOME + + [test case] + + ddstreet@thorin:~$ sudo printenv | grep HOME + HOME=/home/ddstreet + + [regression potential] + + this is a significant behavior change. As mentioned in comment 11 (and + later, and

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-11 Thread Dan Streetman
@vorlon has offered to sponsor this for eoan if/when he has time; once that's updated I will upload fixes to the documentation (e.g. man pages) for SRU releases.
** Changed in: sudo (Ubuntu Eoan) Status: Confirmed => In Progress
** Changed in: sudo (Ubuntu Eoan) Assignee: Ubuntu

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-05 Thread Simon Arlott
** Description changed:
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
  Defaults env_reset
  source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-04 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-04 Thread Dan Streetman
** Patch added: "lp1556302-eoan.debdiff" https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1556302/+attachment/5268785/+files/lp1556302-eoan.debdiff

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-06-04 Thread Dan Streetman
** Also affects: sudo (Ubuntu Eoan) Importance: Medium Assignee: Ubuntu Security Team (ubuntu-security) Status: Confirmed

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-17 Thread Dan Streetman
from the mailing list discussion (linked above by @racb), this response from an upstream sudo developer Todd C. Miller:
On Thu, 16 May 2019 07:48:40 -0400, Dan Streetman wrote:
> I've cc'ed sudo-users, so the question to the upstream sudo list can
> be summarized as:
> How likely would it be for

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-16 Thread Robie Basak
There is a mailing list discussion on this topic currently active here: https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2019-May/018345.html

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-14 Thread Dan Streetman
** Description changed:
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
  Defaults env_reset
  source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-14 Thread Dan Streetman
Another example, which can happen in newly deployed containers/vms:
ubuntu@lp1556302:~$ ls -la .bash_history
ls: cannot access '.bash_history': No such file or directory
ubuntu@lp1556302:~$ sudo bash
root@lp1556302:~# exit
exit
ubuntu@lp1556302:~$ ls -la .bash_history
-rw--- 1 root root 5 May

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-14 Thread Dan Streetman
Further, this behavior causes root-owned files and directories in a user's home directory, e.g.:
ubuntu@lp1556302:~$ ls -l /home/ubuntu/.vim*
ls: cannot access '/home/ubuntu/.vim*': No such file or directory
ubuntu@lp1556302:~$ sudo vim /tmp/test
ubuntu@lp1556302:~$ ls -l /home/ubuntu/.vim*

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-14 Thread Dan Streetman
The *downside* of reverting our custom patch is that end-users are used to all their personal customization of applications from $HOME working; i.e. currently, when anyone runs vim, emacs, bash, etc. under sudo, any ~/.WHATEVER customization they have will be retained. This is different than,

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-05-14 Thread Dan Streetman
For additional clarification: As mentioned already, the Ubuntu patch diverges from upstream sudo. Additionally, here is what other Linux distros do:
ddstreet@debian:~$ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@debian:~$ sudo printenv | grep HOME
HOME=/root
[ddstreet@fedora-workstation ~]$

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-04-18 Thread Steve Langasek
** Changed in: sudo (Ubuntu) Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2019-04-18 Thread C de-Avillez
I think the Ubuntu patch has been obsoleted by common usage now, with pretty much all distros using upstream version (of *not* keeping HOME). Removing the patch would lower the delta we carry; additionally there is the benefit of having Ubuntu behave as everybody else, lowering the easter-egg

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

2016-06-12 Thread Simon Arlott
** Information type changed from Private Security to Public Security