[Bug 1823202] Re: HOME points to something not owned by user in sudo

Ryan K. McKee ryan.k.mckee at gmail.com
Thu Apr 4 22:18:09 UTC 2019 

*** This bug is a duplicate of bug 889936 ***
    https://bugs.launchpad.net/bugs/889936

[17:16:23] <slacker_nl> CyberManifest: there are two other bugs that are
the same as yours, both can be found in
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/760140

[17:16:46] <slacker_nl> I personally believe that the decision of adding
this patch is wrong, please refer Bug #1373495. / I'm expecting the
documented behavior. Please refer Bug #889936

** This bug has been marked a duplicate of bug 1373495
   sudo shouldn't preserve caller's HOME environment variable by default

** This bug is no longer a duplicate of bug 1373495
   sudo shouldn't preserve caller's HOME environment variable by default

** This bug has been marked a duplicate of bug 889936
   sudo(8) incorrectly says HOME is reset if env_reset is set

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1823202

Title:
  HOME points to something not owned by user in sudo

Status in sudo package in Ubuntu:
  New
Status in zsh package in Ubuntu:
  New

Bug description:
  <CcxWrk> You shouldn't use interactive shell, or any program with
  executable configuration, while your HOME points to something not
  owned by your user. That's the big issue and it's with sudo, not zsh,
  not omz, not any other shell or application you launch. <CcxWrk> You
  can go shout "you are doing security wrong" at Ubuntu. Good luck.

  ╭─rkm at Khadas ~  
  ╰─➤  id rkm && getent passwd rkm
  uid=1001(rkm) gid=1001(rkm) groups=1001(rkm),0(root),4(adm),5(tty),6(disk),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),29(audio),30(dip),44(video),46(plugdev),50(staff),60(games),100(users),101(systemd-journal),104(input),108(netdev),112(bluetooth),113(lpadmin),121(pulse-access)
  rkm:x:1001:1001:Ryan McKee,,,,:/home/rkm:/usr/bin/zsh

  ╭─rkm at Khadas ~  
  ╰─➤  sudo /usr/bin/env                                                      1 ↵
  LC_MESSAGES=en_US.UTF-8
  LANG=en_US.UTF-8
  LANGUAGE=en_US.UTF-8
  TERM=xterm-256color
  XAUTHORITY=/home/rkm/.Xauthority
  COLORTERM=truecolor
  DISPLAY=:0.0
  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
  HOME=/home/rkm
  LC_CTYPE=en_US.UTF-8
  LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
  MAIL=/var/mail/root
  LOGNAME=root
  USER=root
  USERNAME=root
  SHELL=/bin/bash
  SUDO_COMMAND=/usr/bin/env

  
  SUDO_USER=rkm
  SUDO_UID=1001
  SUDO_GID=1001
  ╭─rkm at Khadas ~  
  ╰─➤  

  <Eickmeyer> CyberManifest: sudo is a package. Also, once filed, add
  zsh to the bug since it could be a bug in zsh's package as well.

  <Eickmeyer> Not necessarily zsh itself, but the packaging.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: sudo 1.8.21p2-3ubuntu1
  Uname: Linux 4.9.40 aarch64
  ApportVersion: 2.20.9-0ubuntu7.6
  Architecture: arm64
  CurrentDesktop: XFCE
  Date: Thu Apr  4 11:07:42 2019
  SourcePackage: sudo
  UpgradeStatus: No upgrade log present (probably fresh install)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/README: parsed OK

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1823202/+subscriptions

More information about the foundations-bugs mailing list