** Changed in: ubuntu-release-notes
Status: Confirmed => Incomplete
** Changed in: sudo (Ubuntu Xenial)
Assignee: (unassigned) => lolo (lolo2020)
** Changed in: sudo (Ubuntu Bionic)
Assignee: (unassigned) => lolo (lolo2020)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1556302
Title:
Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
by default
Status in Release Notes for Ubuntu:
Incomplete
Status in sudo package in Ubuntu:
Fix Released
Status in sudo source package in Xenial:
In Progress
Status in sudo source package in Bionic:
In Progress
Status in sudo source package in Cosmic:
Won't Fix
Status in sudo source package in Disco:
Won't Fix
Status in sudo source package in Eoan:
Fix Released
Bug description:
[impact]
sudo does not set HOME to the target user's HOME
[test case]
ddstreet@thorin:~$ sudo printenv | grep HOME
HOME=/home/ddstreet
[regression potential]
this is a significant behavior change. As mentioned in comment 11
(and later, and other bugs duped to this, and the mailing list
discussion, etc) users of Ubuntu so far have been used to running sudo
with their own HOME set, not root's HOME. Therefore, it's
inappropriate to change this behavior for existing releases; this
should be changed starting in Eoan, and only the sudo and sudoers man
pages changed in previous releases to indicate the actual behavior of
sudo in those releases.
[other info]
Shortly after upstream changed the behavior, the patch to keep HOME as
the calling (instead of target) user was added in bug 760140.
For quick reference to anyone coming to this bug, the pre-19.10
behavior (of sudo keeping the calling user's $HOME) can be disabled by
running 'sudo visudo' and adding this line:
Defaults always_set_home
or, run sudo with the -H param.
--
original description:
--
I wanted to allow certain users to execute a python script as another user,
so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python environment because the
source user can set HOME and override any Python package by putting
files in $HOME/.local/lib/python*/site-packages/.
This should be a safe configuration because the default behaviour (as
specified in the man page) is that env_reset will replace HOME with
the target user's home directory. The "env_reset" option even has
special behaviour for bash which has its own potential environment
vulnerabilities.
However there is an Ubuntu-specific patch in the package
(keep_home_by_default.patch) that makes sudo preserve HOME by default,
which negates the correct behaviour of "env_reset". It should not be
necessary to explicitly specify the "always_set_home" option in order
to negate this patch.
The patch should be removed and the default /etc/sudoers should
explicitly add HOME to "env_keep" for the "allow admins to run any
command as root" entries, to get the desired behaviour without
creating security issues for other sudoers commands.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/1556302/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
