** Description changed:

+ [impact]
+
+ sudo does not set HOME to the target user's HOME
+
+ [test case]
+
+ ddstreet@thorin:~$ sudo printenv | grep HOME
+ HOME=/home/ddstreet
+
+ [regression potential]
+
+ this is a significant behavior change. As mentioned in comment 11 (and
+ later, and other bugs duped to this, and the mailing list discussion,
+ etc) users of Ubuntu so far have been used to running sudo with their
+ own HOME set, not root's HOME. Therefore, it's inappropriate to change
+ this behavior for existing releases; this should be changed starting in
+ Eoan, and only the sudo and sudoers man pages changed in previous
+ releases to indicate the actual behavior of sudo in those releases.
+
+ [other info]
+
+ Shortly after upstream changed the behavior, the patch to keep HOME as
+ the calling (instead of target) user was added in bug 760140.
+
+ For quick reference to anyone coming to this bug, the pre-19.10 behavior
+ (of sudo keeping the calling user's $HOME) can be disabled by running
+ 'sudo visudo' and adding this line:
+
+ Defaults always_set_home
+
+ or, run sudo with the -H param.
+
+ --
+ original description:
+ --
+
  I wanted to allow certain users to execute a python script as another
  user, so I created the following sudoers config:

  Defaults env_reset
  source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py

  This results in a highly insecure Python environment because the
  source user can set HOME and override any Python package by putting
  files in $HOME/.local/lib/python*/site-packages/.

  This should be a safe configuration because the default behaviour (as
  specified in the man page) is that env_reset will replace HOME with
  the target user's home directory. The "env_reset" option even has
  special behaviour for bash which has its own potential environment
  vulnerabilities.

  However there is an Ubuntu-specific patch in the package
  (keep_home_by_default.patch) that makes sudo preserve HOME by default,
  which negates the correct behaviour of "env_reset". It should not be
  necessary to explicitly specify the "always_set_home" option in order
  to negate this patch.

  The patch should be removed and the default /etc/sudoers should
  explicitly add HOME to "env_keep" for the "allow admins to run any
  command as root" entries, to get the desired behaviour without
  creating security issues for other sudoers commands.
-
- --------------------------------------------------------------------------
-
- Note: for quick reference to anyone coming to this bug, this behavior
- (of sudo keeping the calling user's $HOME) can be disabled by running
- 'sudo visudo' and adding this line:
-
- Defaults always_set_home
https://bugs.launchpad.net/bugs/1556302

Title:
  Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
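
Added example (not part of the bug report or the sudo package): a Python script showing that the interpreter derives its per-user site-packages directory from HOME, which is why the HOME value sudo passes to script.py matters. The /home/source_user and /home/target_user paths are constructed from the report's placeholder names, and `-I` is Python's own isolated-mode flag, which the report does not discuss.

```python
import os
import subprocess
import sys

# One-liner run in a child interpreter: is the per-user site dir enabled,
# and where does the interpreter compute it to be?
PROBE = "import site; print(site.ENABLE_USER_SITE); print(site.getusersitepackages())"


def user_site(home, isolated=False):
    """Start a fresh interpreter with HOME=home and return (enabled, path).

    enabled: whether that interpreter adds the per-user site-packages
    directory to sys.path; path: where it computes that directory to be.
    """
    # Drop the two variables that would override or disable the lookup,
    # so the result depends on HOME alone.
    env = {k: v for k, v in os.environ.items()
           if k not in ("PYTHONUSERBASE", "PYTHONNOUSERSITE")}
    env["HOME"] = home
    cmd = [sys.executable] + (["-I"] if isolated else []) + ["-c", PROBE]
    out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    enabled, path = out.stdout.splitlines()[:2]
    return enabled == "True", path


def compare(caller_home, target_home):
    """Per-user site path under each HOME value sudo could hand the script."""
    return {
        "HOME kept (patched default)": user_site(caller_home),
        "HOME reset (always_set_home / -H)": user_site(target_home),
        "HOME kept, python -I": user_site(caller_home, isolated=True),
    }


if __name__ == "__main__":
    # Constructed paths matching the placeholder names in the report.
    results = compare("/home/source_user", "/home/target_user")
    for case, (enabled, path) in results.items():
        print(f"{case:34} user-site enabled={enabled!s:5} {path}")
```

The per-user directory is processed at interpreter startup, before any line of the script runs, so a HOME check placed inside script.py itself comes too late to help.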
