Rather than dropping --with-secure-path, we should restore sudo's original ability to override the compiled-in secure path with an entry in /etc/sudoers. That way there would be no problem with upgrading, as existing /etc/sudoers would work the same as always. I did some work on this a month or so ago, and actually did succeed in getting this working. Unfortunately, in doing so I created another bug that I couldn't solve because of my ignorance of C. But I'm attaching the diff of my changes in the hope that someone else more knowledgeable can pick up where I left off. I've attached a diff for the sudo source package, but it may well be in the wrong format. If it is, let me know how to create the right sort of diff for you from a sudo source package.
PROBLEMS:

There were two big problems with my changes, and I couldn't work out what was causing them:

(1) "sudo -i" now fails with the error message "-bash: /bin-bash: No such file or directory", although "sudo bash" and "sudo /bin/bash" both work.

(2) In sudo.c, I tried to move the call to the method that sets sudo's variables (init_vars) to after we've read sudoers data from LDAP and the local system. Unfortunately, I kept getting a segmentation fault if I didn't *also* make the call before doing so.

INSTRUCTIONS

Anyhow, here's how to use and test sudo with my changes:

1. IMPORTANT: Download a spare, emergency copy of the sudo deb before you begin.

2. Download, compile, and install GNU Hello with a prefix of /opt/hello.

3. Add /opt/hello/bin to your PATH in /etc/environment. Reboot to implement your new PATH.

4. Verify that "hello" works but "sudo hello" doesn't:

   [EMAIL PROTECTED]:~$ hello
   Hello, world!
   [EMAIL PROTECTED]:~$ sudo hello
   Password:
   sudo: hello: command not found

5. Download the sudo source, apply my changes, and build the package.

6. IMPORTANT: Open a TTY session and "sudo -s". This session will allow you to fix your system easily by reinstalling the spare copy of sudo with "dpkg -i" if/when things go horribly wrong.

7. Now install your customized sudo.

8. visudo and add the following single line at the top of the #Defaults section:

   Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:/opt/hello/bin"

9. Now verify that both "hello" and "sudo hello" work:

   [EMAIL PROTECTED]:~$ hello
   Hello, world!
   [EMAIL PROTECTED]:~$ sudo hello
   Password:
   Hello, world!

10. Test whether sudo can open a shell correctly (this will fail): "sudo -i"

11. Test whether sudo can open bash at all (this won't): "sudo /bin/bash"

12. IMPORTANT: Before uninstalling your new sudo, visudo and comment out the #Defaults line you added in Step 8.

13. Install the current sudo you downloaded in Step 1 with "dpkg -i".
-- 
sudo built with --with-secure-path is problematic
https://launchpad.net/bugs/50797
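An added example, not part of the original message and not sudo's own code: a simplified shell model of the precedence the message proposes (a "Defaults secure_path" line in sudoers overrides the compiled-in value), together with a check that every directory in the resulting path is safe for root to execute from. The function names and the COMPILED_IN value are assumptions made for illustration; scoped Defaults entries and included files are not handled.

```shell
#!/bin/sh
# Added example, not sudo's code: a simplified model of "a sudoers entry
# overrides the compiled-in secure path", plus a check of each directory.
# COMPILED_IN is a constructed stand-in for the --with-secure-path value.
COMPILED_IN="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Print secure_path from a sudoers-style file (the last uncommented global
# "Defaults secure_path=" line wins), else the compiled-in value.
effective_secure_path() {
    re='^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*'
    sp=$(sed -n "s/$re\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    if [ -n "$sp" ]; then printf '%s\n' "$sp"; else printf '%s\n' "$COMPILED_IN"; fi
}

# Resolve command $1 against colon-separated path list $2: print the first
# executable regular match, or return 1 ("command not found").
resolve_cmd() {
    cmd=$1; old_ifs=$IFS; IFS=:; set -f; set -- $2; set +f; IFS=$old_ifs
    for dir in "$@"; do
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"; return 0
        fi
    done
    return 1
}

# Print each entry of path list $1 that root should not trust: relative or
# empty entries, missing directories, group- or world-writable directories.
unsafe_dirs() {
    old_ifs=$IFS; IFS=:; set -f; set -- $1; set +f; IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *) printf 'relative: %s\n' "$dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            printf 'missing: %s\n' "$dir"; continue
        fi
        # "$dir/." makes ls report the directory itself, even via a symlink.
        perms=$(ls -ld "$dir/." | cut -c1-10)
        case $perms in
            ?????w*|????????w*) printf 'writable: %s\n' "$dir" ;;
        esac
    done
    return 0
}

# Usage: sh this-script /path/to/readable-copy-of-sudoers
if [ $# -ge 1 ] && [ -r "$1" ]; then
    sp=$(effective_secure_path "$1"); echo "secure_path: $sp"; unsafe_dirs "$sp"
fi
```

Any directory added to secure_path, such as /opt/hello/bin in Step 8, should produce no output from unsafe_dirs before the sudoers change is kept.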
