Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Release Notes for Ubuntu | Incomplete | Undecided | Unassigned |
sudo (Ubuntu) | Fix Released | Medium | Dan Streetman |
Xenial | Invalid | Low | Unassigned |
Bionic | Invalid | Low | Unassigned |
Cosmic | Won't Fix | Low | Dan Streetman |
Disco | Won't Fix | Low | Dan Streetman |
Eoan | Fix Released | Medium | Dan Streetman |

Bug Description
[impact]
sudo does not set HOME to the target user's HOME
[test case]
ddstreet@thorin:~$ sudo printenv | grep HOME
HOME=/home/ddstreet
[regression potential]
This is a significant behavior change. As mentioned in comment 11 (and later, and other bugs duped to this, and the mailing list discussion, etc) users of Ubuntu so far have been used to running sudo with their own HOME set, not root's HOME. Therefore, it's inappropriate to change this behavior for existing releases; this should be changed starting in Eoan, and only the sudo and sudoers man pages changed in previous releases to indicate the actual behavior of sudo in those releases.
[other info]
Shortly after upstream changed the behavior, the patch to keep HOME as the calling (instead of target) user was added in bug 760140.
For quick reference to anyone coming to this bug, the pre-19.10 behavior (of sudo keeping the calling user's $HOME) can be disabled by running 'sudo visudo' and adding this line:
Defaults always_set_home
or, run sudo with the -H param.
--
original description:
--
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_
This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/.
This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities.
However there is an Ubuntu-specific patch in the package (keep_home_
The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands.
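The check below is an added example, not part of the bug report or of sudo: a guard that a Python script run through sudo as a target user can use to detect that HOME still points at the calling user's directory. The function names and the injectable `lookup` parameter are assumptions made for illustration.

```python
import os
import pwd
import site
import sys


def home_is_foreign(env, uid, lookup=pwd.getpwuid):
    """True when env's HOME is not the passwd home directory of uid."""
    reported = env.get("HOME")
    if reported is None:
        return False  # Python then falls back to the passwd entry itself
    expected = lookup(uid).pw_dir
    return os.path.realpath(reported) != os.path.realpath(expected)


def audit(env=os.environ, uid=None, lookup=pwd.getpwuid):
    """Return findings for a script that sudo runs as a target user."""
    uid = os.geteuid() if uid is None else uid
    findings = []
    if home_is_foreign(env, uid, lookup):
        findings.append(
            "HOME=%r is not the home of uid %d (invoked by %s)"
            % (env["HOME"], uid, env.get("SUDO_USER", "unknown user"))
        )
        # The interpreter resolved the user site directory from HOME at
        # startup, before any line of this script ran.
        if site.ENABLE_USER_SITE:
            findings.append("user site enabled: " + site.getusersitepackages())
    return findings


if __name__ == "__main__":
    # Detection only: by now the import path is already built. Prevention is
    # 'Defaults always_set_home' or 'sudo -H' (both from the bug report), or
    # starting the interpreter with -I (isolated mode) or -s (no user site).
    problems = audit()
    for line in problems:
        print("refusing to continue:", line, file=sys.stderr)
    sys.exit(1 if problems else 0)
```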
summary: |
- Ubuntu patch to add HOME to env_keep makes Python commands vulnerable by + Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default |
information type: | Private Security → Public Security |
Changed in sudo (Ubuntu): | |
assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
description: | updated |
tags: | added: patch |
description: | updated |
description: | updated |
Changed in sudo (Ubuntu Disco): | |
status: | In Progress → Won't Fix |
Changed in sudo (Ubuntu Cosmic): | |
status: | In Progress → Won't Fix |
Changed in sudo (Ubuntu Bionic): | |
assignee: | Dan Streetman (ddstreet) → nobody |
Changed in sudo (Ubuntu Xenial): | |
assignee: | Dan Streetman (ddstreet) → nobody |
Changed in ubuntu-release-notes: | |
status: | New → Confirmed |
Changed in ubuntu-release-notes: | |
status: | Confirmed → Fix Committed |
Changed in ubuntu-release-notes: | |
status: | Confirmed → Incomplete |
Changed in sudo (Ubuntu Xenial): | |
assignee: | nobody → lolo (lolo2020) |
Changed in sudo (Ubuntu Bionic): | |
assignee: | nobody → lolo (lolo2020) |
I can't find a way to make sudo execution of a bash script unsafe but there will be other commands that assume it is safe to read configuration or executable code from $HOME.