group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #30694
[Bug 1556302] Re: Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default
@vorlon has offered to sponsor this for eoan if/when he has time; once
that's updated I will upload fixes to the documentation (e.g. man pages)
for SRU releases.
** Changed in: sudo (Ubuntu Eoan)
Status: Confirmed => In Progress
** Changed in: sudo (Ubuntu Eoan)
Assignee: Ubuntu Security Team (ubuntu-security) => Dan Streetman (ddstreet)
** Also affects: sudo (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: sudo (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: sudo (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: sudo (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: sudo (Ubuntu Disco)
Status: New => In Progress
** Changed in: sudo (Ubuntu Cosmic)
Status: New => In Progress
** Changed in: sudo (Ubuntu Bionic)
Status: New => In Progress
** Changed in: sudo (Ubuntu Xenial)
Status: New => In Progress
** Changed in: sudo (Ubuntu Disco)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: sudo (Ubuntu Cosmic)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: sudo (Ubuntu Bionic)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: sudo (Ubuntu Xenial)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: sudo (Ubuntu Disco)
Importance: Undecided => Low
** Changed in: sudo (Ubuntu Cosmic)
Importance: Undecided => Low
** Changed in: sudo (Ubuntu Bionic)
Importance: Undecided => Low
** Changed in: sudo (Ubuntu Xenial)
Importance: Undecided => Low
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1556302
Title:
Ubuntu patch to add HOME to env_keep makes custom commands vulnerable
by default
Status in sudo package in Ubuntu:
In Progress
Status in sudo source package in Xenial:
In Progress
Status in sudo source package in Bionic:
In Progress
Status in sudo source package in Cosmic:
In Progress
Status in sudo source package in Disco:
In Progress
Status in sudo source package in Eoan:
In Progress
Bug description:
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python environment because the
source user can set HOME and override any Python package by putting
files in $HOME/.local/lib/python*/site-packages/.
This should be a safe configuration because the default behaviour (as
specified in the man page) is that env_reset will replace HOME with
the target user's home directory. The "env_reset" option even has
special behaviour for bash which has its own potential environment
vulnerabilities.
However there is an Ubuntu-specific patch in the package
(keep_home_by_default.patch) that makes sudo preserve HOME by default,
which negates the correct behaviour of "env_reset". It should not be
necessary to explicitly specify the "always_set_home" option in order
to negate this patch.
The patch should be removed and the default /etc/sudoers should
explicitly add HOME to "env_keep" for the "allow admins to run any
command as root" entries, to get the desired behaviour without
creating security issues for other sudoers commands.
--------------------------------------------------------------------------
Note: for quick reference to anyone coming to this bug, this behavior
(of sudo keeping the calling user's $HOME) can be disabled by running
'sudo visudo' and adding this line:
Defaults always_set_home
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1556302/+subscriptions
