*** This bug is a duplicate of bug 1556302 ***
    https://bugs.launchpad.net/bugs/1556302

I marked this as a dup of bug 1556302, as there seems to be more recent
movement in that bug, and both bugs want the same thing - to revert the
Ubuntu-only patch 'keep_home_by_default.patch'.

** This bug has been marked a duplicate of bug 1556302
   Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1373495

Title:
  sudo shouldn't preserve caller's HOME environment variable by default

Status in One Hundred Papercuts:
  Triaged
Status in sudo package in Ubuntu:
  Triaged

Bug description:
  Currently Ubuntu hard-codes sudo to preserve the HOME environment variable
  so that it points to the sudo caller's home directory by default (refer to
  bug #760140). However, this is dangerous and error-prone because a program
  run by root may create files (e.g. $HOME/.Xauthority, program config files)
  in the caller's HOME directory **AS ROOT**, which will cause issues when
  users run the same program under their normal user account again and
  even make the user fail to log in (because the .Xauthority file's owner is
  incorrect).

  In my opinion the Ubuntu patch (keep_home_by_default.patch) (no, Debian
  is NOT affected by this issue) that makes sudo keep the $HOME variable
  is INSANE and should be reverted (Ubuntu should use the safest
  configuration for general users by default). Any user wishing to run
  commands as root using their HOME directory should set env_keep in
  /etc/sudoers themselves and acknowledge the consequences.

  [RootSudo - Community Help
  Wiki](https://help.ubuntu.com/community/RootSudo) wrongly says that
  graphical applications shouldn't be launched by sudo, but in fact the
  real issue lies in this bug.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: sudo 1.8.9p5-1ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
  Uname: Linux 3.16.0-17-lowlatency i686
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: i386
  CurrentDesktop: KDE
  Date: Thu Sep 25 00:08:44 2014
  InstallationDate: Installed on 2013-03-08 (564 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
  SourcePackage: sudo
  UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
   /etc/sudoers.d/README: parsed OK
  modified.conffile..etc.sudoers.d.README: [modified]
  mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703

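The symptom named in the bug description (files such as $HOME/.Xauthority created as root in the caller's home directory) can be checked for with a short ownership audit. The script below is an added example, not part of the bug report or of sudo; its function names and the path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report): find entries in a home directory
# that are owned by someone other than the directory's owner, e.g. a
# root-owned ~/.Xauthority left behind by a command run through sudo while
# HOME still pointed at the caller's home.

# dir_owner DIR: print the numeric uid that owns DIR.
dir_owner() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# foreign_owned DIR [UID]: print every path under DIR (same filesystem only)
# whose owner is not UID. UID defaults to the owner of DIR itself.
foreign_owned() {
    fo_dir=$1
    fo_uid=${2:-$(dir_owner "$fo_dir")}
    find "$fo_dir" -xdev ! -user "$fo_uid" -print 2>/dev/null
}

# audit_home DIR [UID]: report foreign-owned paths; return 1 if any exist.
audit_home() {
    ah_list=$(foreign_owned "$@")
    if [ -z "$ah_list" ]; then
        echo "OK: everything under $1 has the expected owner"
        return 0
    fi
    echo "Entries under $1 with an unexpected owner:"
    printf '%s\n' "$ah_list" | while IFS= read -r ah_path; do
        ls -ldn -- "$ah_path"
    done
    return 1
}

# Run as: sh audit_home.sh /home/alice   (the path is a placeholder)
if [ "$#" -gt 0 ]; then
    audit_home "$@"
fi
```

A non-zero exit status means at least one entry needs its ownership restored before the account's own programs can write to it again.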