[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
Dan Streetman
dan.streetman at canonical.com
Tue May 14 16:20:39 UTC 2019
For additional clarification:
As mentioned already, the Ubuntu patch diverges from upstream sudo.
Additionally, here is what other Linux distros do:
ddstreet@debian:~$ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@debian:~$ sudo printenv | grep HOME
HOME=/root
[ddstreet@fedora-workstation ~]$ printenv | grep '^HOME'
HOME=/home/ddstreet
[ddstreet@fedora-workstation ~]$ sudo printenv | grep '^HOME'
HOME=/root
[ddstreet@fedora-server ~]$ printenv | grep '^HOME'
HOME=/home/ddstreet
[ddstreet@fedora-server ~]$ sudo printenv | grep '^HOME'
HOME=/root
[ddstreet@rhel-8 ~]$ printenv | grep HOME
HOME=/home/ddstreet
[ddstreet@rhel-8 ~]$ sudo printenv | grep HOME
HOME=/root
ddstreet@opensuse-15:~> printenv | grep HOME
HOME=/home/ddstreet
ddstreet@opensuse-15:~> sudo printenv | grep HOME
HOME=/root
ddstreet@sles-15:~> printenv | grep HOME
HOME=/home/ddstreet
ddstreet@sles-15:~> sudo printenv | grep HOME
HOME=/root
ddstreet@slackware:~$ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@slackware:~$ sudo printenv | grep HOME
HOME=/root
And even other UNIXes:
ddstreet@netbsd-8: $ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@netbsd-8: $ sudo printenv | grep HOME
HOME=/root
ddstreet@freebsd-12: $ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@freebsd-12: $ sudo printenv | grep HOME
HOME=/root
openbsd$ printenv | grep HOME
HOME=/home/ddstreet
openbsd$ sudo printenv | grep HOME
HOME=/root
We appear to be completely alone in adding HOME to env_keep by default.
https://bugs.launchpad.net/bugs/1556302
Title:
Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
by default
Status in sudo package in Ubuntu:
Confirmed
Bug description:
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python environment because the
source user can set HOME and override any Python package by putting
files in $HOME/.local/lib/python*/site-packages/.
This should be a safe configuration because the default behaviour (as
specified in the man page) is that env_reset will replace HOME with
the target user's home directory. The "env_reset" option even has
special behaviour for bash which has its own potential environment
vulnerabilities.
However there is an Ubuntu-specific patch in the package
(keep_home_by_default.patch) that makes sudo preserve HOME by default,
which negates the correct behaviour of "env_reset". It should not be
necessary to explicitly specify the "always_set_home" option in order
to negate this patch.
The patch should be removed and the default /etc/sudoers should
explicitly add HOME to "env_keep" for the "allow admins to run any
command as root" entries, to get the desired behaviour without
creating security issues for other sudoers commands.
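A defender-side check for the condition the bug description reports, as an added example that is not part of the original message or of sudo: it flags when the HOME a sudo-run command sees is not the target user's home, or when the per-user site-packages path under that HOME is controlled by another account. The function names, the finding labels and the default POSIX user-site layout are assumptions of this example.

```python
import os
import stat
import sys


def user_site_parts():
    """Path components of the default POSIX per-user site dir, relative to HOME."""
    return (".local", "lib", "python%d.%d" % sys.version_info[:2], "site-packages")


def audit_home(env_home, passwd_home, run_uid):
    """Return findings that make HOME unsafe for a command running as run_uid.

    env_home    -- HOME as the command sees it after sudo
    passwd_home -- the target user's home from the passwd database
    run_uid     -- uid the command runs as
    """
    findings = []
    if os.path.realpath(env_home) != os.path.realpath(passwd_home):
        findings.append("HOME_NOT_TARGET_HOME")
    # Every directory from HOME down to the user site dir decides what is imported.
    path = os.path.realpath(env_home)
    for part in ("",) + user_site_parts():
        if part:
            path = os.path.join(path, part)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            break  # whoever controls the parent (already checked) could create it
        if st.st_uid not in (0, run_uid):
            findings.append("FOREIGN_OWNER:" + path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("GROUP_OR_WORLD_WRITABLE:" + path)
    return findings


if __name__ == "__main__":
    import pwd

    uid = os.geteuid()
    target_home = pwd.getpwuid(uid).pw_dir
    # Python falls back to the passwd entry when HOME is unset.
    for finding in audit_home(os.environ.get("HOME") or target_home, target_home, uid):
        print(finding)
```

Run it as the target user through the same sudoers entry. Python processes the user site directory before the script body executes, so a finding is a reason to fix the sudoers configuration (for example with `always_set_home`, which the report mentions), not something to guard against inside the script.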