** Description changed: I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config: Defaults env_reset source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/.local/lib/python*/site-packages/. This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities. However there is an Ubuntu-specific patch in the package (keep_home_by_default.patch) that makes sudo preserve HOME by default, which negates the correct behaviour of "env_reset". It should not be necessary to explicitly specify the "always_set_home" option in order to negate this patch. The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands. + + + Note: for quick reference to anyone coming to this bug, this behavior (of sudo keeping the calling user's $HOME) can be disabled by running 'sudo visudo' and adding this line: + + Defaults always_set_home
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1556302 Title: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default Status in sudo package in Ubuntu: Confirmed Bug description: I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config: Defaults env_reset source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/.local/lib/python*/site-packages/. This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities. However there is an Ubuntu-specific patch in the package (keep_home_by_default.patch) that makes sudo preserve HOME by default, which negates the correct behaviour of "env_reset". It should not be necessary to explicitly specify the "always_set_home" option in order to negate this patch. The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands. Note: for quick reference to anyone coming to this bug, this behavior (of sudo keeping the calling user's $HOME) can be disabled by running 'sudo visudo' and adding this line: Defaults always_set_home To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1556302/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
