
group.of.nepali.translators team mailing list archive

[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default


@vorlon has offered to sponsor this for eoan if/when he has time; once
that's updated I will upload fixes to the documentation (e.g. man pages)
for SRU releases.

** Changed in: sudo (Ubuntu Eoan)
       Status: Confirmed => In Progress

** Changed in: sudo (Ubuntu Eoan)
     Assignee: Ubuntu Security Team (ubuntu-security) => Dan Streetman (ddstreet)

** Also affects: sudo (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: sudo (Ubuntu Disco)
       Status: New => In Progress

** Changed in: sudo (Ubuntu Cosmic)
       Status: New => In Progress

** Changed in: sudo (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: sudo (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: sudo (Ubuntu Disco)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: sudo (Ubuntu Cosmic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: sudo (Ubuntu Bionic)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: sudo (Ubuntu Xenial)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: sudo (Ubuntu Disco)
   Importance: Undecided => Low

** Changed in: sudo (Ubuntu Cosmic)
   Importance: Undecided => Low

** Changed in: sudo (Ubuntu Bionic)
   Importance: Undecided => Low

** Changed in: sudo (Ubuntu Xenial)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1556302

Title:
  Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
  by default

Status in sudo package in Ubuntu:
  In Progress
Status in sudo source package in Xenial:
  In Progress
Status in sudo source package in Bionic:
  In Progress
Status in sudo source package in Cosmic:
  In Progress
Status in sudo source package in Disco:
  In Progress
Status in sudo source package in Eoan:
  In Progress

Bug description:
  I wanted to allow certain users to execute a Python script as another user, so I created the following sudoers config:
  Defaults env_reset
  source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py

  This results in a highly insecure Python environment because the
  source user can set HOME and override any Python package by putting
  files in $HOME/.local/lib/python*/site-packages/.

  This should be a safe configuration because the default behaviour (as
  specified in the man page) is that env_reset will replace HOME with
  the target user's home directory. The "env_reset" option even has
  special behaviour for bash which has its own potential environment
  vulnerabilities.

  However there is an Ubuntu-specific patch in the package
  (keep_home_by_default.patch) that makes sudo preserve HOME by default,
  which negates the correct behaviour of "env_reset". It should not be
  necessary to explicitly specify the "always_set_home" option in order
  to negate this patch.

  The patch should be removed and the default /etc/sudoers should
  explicitly add HOME to "env_keep" for the "allow admins to run any
  command as root" entries, to get the desired behaviour without
  creating security issues for other sudoers commands.

  --------------------------------------------------------------------------

  Note: for quick reference to anyone coming to this bug, this behavior
  (of sudo keeping the calling user's $HOME) can be disabled by running
  'sudo visudo' and adding this line:

  Defaults        always_set_home

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1556302/+subscriptions
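The mechanism behind the bug report, as an added example that is not part of the Launchpad bug, the reporter's configuration, or the sudo package: Python's site.py derives the per-user package directory (~/.local/lib/pythonX.Y/site-packages) from the HOME environment variable and adds it to sys.path ahead of the system site-packages whenever the real and effective uid match, which is exactly the situation after sudo has switched to target_user. So if sudo keeps the caller's HOME, source_user only has to `export HOME=/tmp/evil` and drop a module named like one of script.py's imports under that tree before running the permitted command. The example below reproduces this entirely as the current user in a constructed temporary HOME (no sudo or second account), and contrasts it with a script whose interpreter is started with `python3 -s`, which does not add the user site directory at all. The module name shadowed_dep and the MARK string are hypothetical. The configuration fix is the `Defaults always_set_home` line above; the `-s` shebang flag is an additional defence in depth for scripts that must stay safe under any sudoers policy, and is not something the bug report proposes.

```python
"""Added example (not from the Launchpad bug or the sudo package): shows
why a sudo that keeps the *caller's* HOME lets the caller hijack imports of
a Python script run as another user, and how `python3 -s` blocks it.

Everything runs as the current user in a constructed temporary HOME; no
sudo or second account is needed. Module and marker names are hypothetical.
"""
import os
import subprocess
import sys
import tempfile

MODULE = "shadowed_dep"          # hypothetical module the victim script imports
MARK = "loaded from caller-controlled HOME"


def _clean_env(home):
    """Environment the victim interpreter sees: HOME as the caller chose it
    (the Ubuntu keep_home behaviour), with nothing else influencing sys.path."""
    env = {**os.environ, "HOME": home}
    for var in ("PYTHONNOUSERSITE", "PYTHONUSERBASE", "PYTHONPATH"):
        env.pop(var, None)
    return env


def user_site_for_home(home):
    """Ask a fresh interpreter where it would look for per-user packages when
    HOME is `home`: site.py derives ~/.local/lib/pythonX.Y/site-packages from
    HOME and enables it whenever uid == euid (true after sudo switches user).
    Returns (path, enabled)."""
    code = "import site; print(site.getusersitepackages()); print(site.ENABLE_USER_SITE)"
    out = subprocess.run([sys.executable, "-c", code], env=_clean_env(home),
                         capture_output=True, text=True, check=True).stdout.splitlines()
    return out[0], out[1] == "True"


def plant_shadow_module(home):
    """What the caller does before invoking sudo: drop a module with the same
    name as a dependency of the target script into the user site directory of
    the HOME they control. site.py adds that directory to sys.path before the
    system site-packages, so it wins the import."""
    site_dir, enabled = user_site_for_home(home)
    os.makedirs(site_dir, exist_ok=True)
    with open(os.path.join(site_dir, MODULE + ".py"), "w") as fh:
        fh.write(f"MARK = {MARK!r}\n")
    return site_dir, enabled


def run_victim(home, isolated):
    """Stand-in for `sudo -u target_user /home/target_user/bin/script.py` with
    HOME kept from the caller. isolated=True models a script whose shebang is
    `#!/usr/bin/python3 -s` (-s: do not add the user site directory).
    Returns the imported module's MARK, or None if the import failed."""
    argv = [sys.executable] + (["-s"] if isolated else []) + [
        "-c", f"import {MODULE}; print({MODULE}.MARK)"]
    proc = subprocess.run(argv, env=_clean_env(home), capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def demo():
    """Run the hijack against an attacker-controlled temporary HOME, once as
    the bug describes and once with the interpreter hardened with -s."""
    with tempfile.TemporaryDirectory() as home:
        site_dir, enabled = plant_shadow_module(home)
        return {
            "site_dir": site_dir,
            "user_site_enabled": enabled,   # False inside a venv, where user site is off anyway
            "vulnerable": run_victim(home, isolated=False),
            "hardened": run_victim(home, isolated=True),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When the user site directory is enabled (the normal case for a system interpreter), the "vulnerable" run prints the attacker's MARK because the planted module was imported from the caller-controlled HOME, while the "hardened" run fails the import and returns None. Inside a virtualenv Python disables the user site directory, so both runs fail there; the result dictionary reports that via user_site_enabled rather than pretending an attack happened.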