[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
Dan Streetman
dan.streetman at canonical.com
Fri May 17 19:53:38 UTC 2019
From the mailing list discussion (linked above by @racb), this response
from an upstream sudo developer Todd C. Miller:

On Thu, 16 May 2019 07:48:40 -0400, Dan Streetman wrote:

> I've cc'ed sudo-users, so the question to the upstream sudo list can
> be summarized as:
> How likely would it be for upstream sudo to add HOME to env_keep by default?

Extremely unlikely. Prior to sudo 1.7.4 the HOME and MAIL environment
variables were preserved in the environment by default. This can
lead to programs using config files in the original user's home
directory, which has security implications, so the default was
changed in 1.7.4.

In the old days, sudo did little more than change the uid. These
days sudo tries to run the command in an environment that closely
matches what you would get by logging in as that user. This has
proven to be safer as it more closely matches the assumptions other
programs make.

> We ask because Ubuntu carries a patch that adds HOME to env_keep,
> unlike the default upstream, or any other Linux/Unix. We are
> considering removing that patch, to match upstream defaults, of *not*
> including HOME in env_keep.

I would be supportive of that. I believe that resetting HOME is
the safer default.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1556302
Title:
Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
by default
Status in sudo package in Ubuntu:
Confirmed
Bug description:

I wanted to allow certain users to execute a python script as another
user, so I created the following sudoers config:

    Defaults env_reset
    source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py

This results in a highly insecure Python environment because the
source user can set HOME and override any Python package by putting
files in $HOME/.local/lib/python*/site-packages/.

This should be a safe configuration because the default behaviour (as
specified in the man page) is that env_reset will replace HOME with
the target user's home directory. The "env_reset" option even has
special behaviour for bash which has its own potential environment
vulnerabilities.

However there is an Ubuntu-specific patch in the package
(keep_home_by_default.patch) that makes sudo preserve HOME by default,
which negates the correct behaviour of "env_reset". It should not be
necessary to explicitly specify the "always_set_home" option in order
to negate this patch.

The patch should be removed and the default /etc/sudoers should
explicitly add HOME to "env_keep" for the "allow admins to run any
command as root" entries, to get the desired behaviour without
creating security issues for other sudoers commands.

Note: for quick reference to anyone coming to this bug, this behavior
(of sudo keeping the calling user's $HOME) can be disabled by running
'sudo visudo' and adding this line:

    Defaults always_set_home
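
The HOME dependency described in the bug report can be checked directly. The following is an added example, not part of the original report or of sudo: it starts a fresh interpreter under a chosen HOME and reports which per-user site-packages directory that interpreter resolves. The helper names and the sample home paths are assumptions, and the -I (isolated mode) comparison is an addition that the report does not mention.

```python
import json
import os
import subprocess
import sys

# Probe run inside a child interpreter: report what the site module resolved.
PROBE = (
    "import json, site, sys;"
    "print(json.dumps({'user_site': site.getusersitepackages(),"
    " 'enabled': bool(site.ENABLE_USER_SITE),"
    " 'on_sys_path': site.getusersitepackages() in sys.path}))"
)


def user_site_for(home, isolated=False):
    """Return how a fresh interpreter resolves the per-user site dir for HOME=home."""
    env = dict(os.environ)
    env["HOME"] = home
    # Drop variables that would override or disable the HOME-based lookup.
    for name in ("PYTHONUSERBASE", "PYTHONNOUSERSITE"):
        env.pop(name, None)
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")  # isolated mode: ignores PYTHON* vars and the user site
    cmd += ["-c", PROBE]
    out = subprocess.run(cmd, env=env, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


def home_influences_imports(caller_home, target_home):
    """True if swapping HOME changes where the interpreter looks for packages."""
    return (user_site_for(caller_home)["user_site"]
            != user_site_for(target_home)["user_site"])


if __name__ == "__main__":
    # Constructed sample paths; they do not need to exist on disk.
    for home in ("/home/source_user", "/home/target_user"):
        print(home, user_site_for(home))
    print("isolated:", user_site_for("/home/source_user", isolated=True))
```

If the reported user_site sits under the calling user's home when the script is run through sudo, HOME is being preserved on that host and the always_set_home line above applies.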