
touch-packages team mailing list archive

[Bug 1373495] [NEW] sudo shouldn't preserve HOME environment variable by default

 

Public bug reported:

Currently Ubuntu hard-codes sudo to preserve the HOME environment
variable, pointing to the sudo caller's home directory by default (refer
to bug #760140). However, this is dangerous and error-prone because a
program run by root may write files (e.g. $HOME/.Xauthority, program
config files) into the HOME directory **AS ROOT**, which will cause
issues when users run the same program as themselves and can even make
the user fail to log in (because the .Xauthority file owner is incorrect).

In my opinion the Ubuntu patch that makes sudo keep the $HOME variable is
INSANE and should be reverted (Ubuntu should use the safest configuration
by default). Any user wishing to run commands as root using their HOME
directory should set env_keep in /etc/sudoers themselves and
acknowledge the consequences.

RootSudo - Community Help
Wiki (https://help.ubuntu.com/community/RootSudo ) wrongly says that
graphical applications shouldn't be launched by sudo, but in fact the real
issue is in this bug.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: sudo 1.8.9p5-1ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
Uname: Linux 3.16.0-17-lowlatency i686
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: i386
CurrentDesktop: KDE
Date: Thu Sep 25 00:08:44 2014
InstallationDate: Installed on 2013-03-08 (564 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
SourcePackage: sudo
UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
 /etc/sudoers.d/README: parsed OK
modified.conffile..etc.sudoers.d.README: [modified]
mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug i386 trusty

** Description changed:

  Currently Ubuntu hard-coded preserve HOME environment variable to point
  to sudo caller's home directory by default(refer bug #760140) however
  this is dangerous and error-prone because the program run by root may
  write files (e.g. $HOME/.Xauthority , program config files) into the
  HOME directory **AS ROOT** which, will cause issue when user run the
  same program using it's account and even make the user failed to
  login(due to .Xauthority file owner is incorrect)
  
  In my opinion the Ubuntu patch that make $HOME variable keep in sudo is
  INSANE and should be reverted(Ubuntu should use the safest configuration
  by default), any user wish to run command as root using their HOME
  directory should set env_keep in  /etc/sudoers themselves and
  acknowledging the consequences.
  
  RootSudo - Community Help
- Wiki(https://help.ubuntu.com/community/RootSudo ) wrongly tell that
+ Wiki(https://help.ubuntu.com/community/RootSudo ) wrongly tells that
  graphical application shouldn't launch by sudo, but in fact the real
  issue is in this bug.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: sudo 1.8.9p5-1ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
  Uname: Linux 3.16.0-17-lowlatency i686
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: i386
  CurrentDesktop: KDE
  Date: Thu Sep 25 00:08:44 2014
  InstallationDate: Installed on 2013-03-08 (564 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
  SourcePackage: sudo
  UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
  VisudoCheck:
-  /etc/sudoers: parsed OK
-  /etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
-  /etc/sudoers.d/README: parsed OK
+  /etc/sudoers: parsed OK
+  /etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
+  /etc/sudoers.d/README: parsed OK
  modified.conffile..etc.sudoers.d.README: [modified]
  mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703

** Description changed:

- Currently Ubuntu hard-coded preserve HOME environment variable to point
- to sudo caller's home directory by default(refer bug #760140) however
- this is dangerous and error-prone because the program run by root may
- write files (e.g. $HOME/.Xauthority , program config files) into the
- HOME directory **AS ROOT** which, will cause issue when user run the
- same program using it's account and even make the user failed to
+ Currently Ubuntu hard-coded sudo to preserve HOME environment variable
+ to point to sudo caller's home directory by default(refer bug #760140)
+ however this is dangerous and error-prone because the program run by
+ root may write files (e.g. $HOME/.Xauthority , program config files)
+ into the HOME directory **AS ROOT** which, will cause issue when users
+ run the same program as themselves and even make the user failed to
  login(due to .Xauthority file owner is incorrect)
  
  In my opinion the Ubuntu patch that make $HOME variable keep in sudo is
  INSANE and should be reverted(Ubuntu should use the safest configuration
  by default), any user wish to run command as root using their HOME
- directory should set env_keep in  /etc/sudoers themselves and
+ directory should set env_keep in /etc/sudoers themselves and
  acknowledging the consequences.
  
  RootSudo - Community Help
  Wiki(https://help.ubuntu.com/community/RootSudo ) wrongly tells that
- graphical application shouldn't launch by sudo, but in fact the real
+ graphical application shouldn't be launch by sudo, but in fact the real
  issue is in this bug.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: sudo 1.8.9p5-1ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
  Uname: Linux 3.16.0-17-lowlatency i686
  ApportVersion: 2.14.1-0ubuntu3.4
  Architecture: i386
  CurrentDesktop: KDE
  Date: Thu Sep 25 00:08:44 2014
  InstallationDate: Installed on 2013-03-08 (564 days ago)
  InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
  SourcePackage: sudo
  UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
  VisudoCheck:
   /etc/sudoers: parsed OK
   /etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
   /etc/sudoers.d/README: parsed OK
  modified.conffile..etc.sudoers.d.README: [modified]
  mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1373495

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1373495/+subscriptions
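
The symptom this report describes, entries under a user's home directory ending up owned by another account, can be checked for after the fact. The script below is an added example, not part of the bug report or of sudo; the function names `foreign_owned` and `xauthority_ok` are hypothetical and the scratch directory is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a home directory for entries not owned by its user,
# the symptom the report attributes to root-run programs writing into $HOME.
# Function names are hypothetical.

# foreign_owned DIR UID: print every path under DIR whose owner is not UID.
foreign_owned() {
    # -xdev keeps the walk on the home's own filesystem;
    # -user accepts a numeric id as well as a user name.
    find "$1" -xdev ! -user "$2" -print 2>/dev/null
}

# xauthority_ok DIR UID: succeed if DIR/.Xauthority is absent or owned by UID.
xauthority_ok() {
    f=$1/.Xauthority
    [ -e "$f" ] || return 0
    [ "$(stat -c %u "$f")" = "$2" ]
}

# Constructed demo: a scratch "home" created by, and so owned by, the caller.
demo=$(mktemp -d)
touch "$demo/.Xauthority" "$demo/.config"
me=$(id -u)
echo "entries not owned by uid $me: $(foreign_owned "$demo" "$me" | wc -l)"
if xauthority_ok "$demo" "$me"; then
    echo ".Xauthority ownership OK"
else
    echo ".Xauthority is owned by another account"
fi
rm -rf "$demo"
```

On a real system the affected user would call `foreign_owned "$HOME" "$(id -u)"`; any path it prints is a candidate for the login and configuration failures described in the report.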

