[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
Dan Streetman
dan.streetman at canonical.com
Tue May 14 16:35:18 UTC 2019
Further, this behavior causes root-owned files and directories in a
user's home directory, e.g.:
ubuntu@lp1556302:~$ ls -l /home/ubuntu/.vim*
ls: cannot access '/home/ubuntu/.vim*': No such file or directory
ubuntu@lp1556302:~$ sudo vim /tmp/test
ubuntu@lp1556302:~$ ls -l /home/ubuntu/.vim*
-rw------- 1 root root 700 May 14 16:31 /home/ubuntu/.viminfo
ubuntu@lp1556302:~$ ls -ld /home/ubuntu/.emacs*
ls: cannot access '/home/ubuntu/.emacs*': No such file or directory
ubuntu@lp1556302:~$ sudo emacs /tmp/test
ubuntu@lp1556302:~$ ls -ld /home/ubuntu/.emacs*
drwx------ 2 root root 4096 May 14 16:32 /home/ubuntu/.emacs.d
bug 1828208
and so on. This problem is true for *any* program/application that
creates any files in $HOME, and might be run under sudo.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1556302
Title:
Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
by default
Status in sudo package in Ubuntu:
Confirmed
Bug description:
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python environment because the
source user can set HOME and override any Python package by putting
files in $HOME/.local/lib/python*/site-packages/.
This should be a safe configuration because the default behaviour (as
specified in the man page) is that env_reset will replace HOME with
the target user's home directory. The "env_reset" option even has
special behaviour for bash which has its own potential environment
vulnerabilities.
However there is an Ubuntu-specific patch in the package
(keep_home_by_default.patch) that makes sudo preserve HOME by default,
which negates the correct behaviour of "env_reset". It should not be
necessary to explicitly specify the "always_set_home" option in order
to negate this patch.
The patch should be removed and the default /etc/sudoers should
explicitly add HOME to "env_keep" for the "allow admins to run any
command as root" entries, to get the desired behaviour without
creating security issues for other sudoers commands.
Note: for quick reference to anyone coming to this bug, this behavior (of sudo keeping the calling user's $HOME) can be disabled by running 'sudo visudo' and adding this line:
Defaults always_set_home
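Added example, not part of the bug report or of sudo: a Python sketch of two checks for the symptoms described above. One is a startup guard a sudo-invoked script could use to notice that HOME still belongs to the calling user; the other is an audit that lists entries in a home directory owned by someone else (such as the root-owned .viminfo). The function names and the temporary sample directory are assumptions made for illustration.

```python
import os
import tempfile


def home_owned_by_other(home, euid):
    """True when the directory HOME points at is not owned by euid.

    A script started through sudo as target_user can call this at startup:
    a HOME owned by a different user means sudo kept the caller's HOME.
    """
    return os.stat(home).st_uid != euid


def foreign_owned_entries(home, owner_uid):
    """List paths under home whose owner differs from owner_uid.

    lstat is used so symlinks are judged by their own ownership and are
    never followed out of the home directory.
    """
    found = []
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                if os.lstat(path).st_uid != owner_uid:
                    found.append(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
    return sorted(found)


def build_sample_home():
    """Constructed sample: a home with one dotfile and one dot-directory."""
    home = tempfile.mkdtemp(prefix="home-audit-")
    open(os.path.join(home, ".viminfo"), "w").close()
    os.mkdir(os.path.join(home, ".emacs.d"))
    return home


if __name__ == "__main__":
    home = os.environ.get("HOME", "/")
    print("HOME owned by another user:",
          home_owned_by_other(home, os.geteuid()))
    for path in foreign_owned_entries(home, os.stat(home).st_uid):
        print("not owned by home owner:", path)
```

Run as the account that owns the home directory, the audit prints nothing when no other user has written there; entries it does list can be handed back to the owner with chown after review.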