touch-packages team mailing list archive
Message #20680
[Bug 1373495] Re: sudo shouldn't preserve caller's HOME environment variable by default
** Description changed:
Currently Ubuntu hard-coded sudo to preserve HOME environment variable
to point to sudo caller's home directory by default(refer bug #760140)
however this is dangerous and error-prone because the program run by
root may write files (e.g. $HOME/.Xauthority , program config files)
- into the HOME directory **AS ROOT** which, will cause issue when users
- run the same program as themselves and even make the user failed to
- login(due to .Xauthority file owner is incorrect)
+ into caller's HOME directory **AS ROOT** which, will cause issue when
+ users run the same program as their normal users' account again and even
+ make the user failed to login(due to .Xauthority file owner is
+ incorrect)
In my opinion the Ubuntu patch(keep_home_by_default.patch) that make
$HOME variable keep in sudo is INSANE and should be reverted(Ubuntu
should use the safest configuration to general users by default), any
user wish to run command as root using their HOME directory should set
env_keep in /etc/sudoers themselves and acknowledging the consequences.
RootSudo - Community Help
Wiki(https://help.ubuntu.com/community/RootSudo ) wrongly tells that
graphical application shouldn't be launch by sudo, but in fact the real
issue falls into this bug.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: sudo 1.8.9p5-1ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
Uname: Linux 3.16.0-17-lowlatency i686
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: i386
CurrentDesktop: KDE
Date: Thu Sep 25 00:08:44 2014
InstallationDate: Installed on 2013-03-08 (564 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
SourcePackage: sudo
UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
VisudoCheck:
/etc/sudoers: parsed OK
/etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
/etc/sudoers.d/README: parsed OK
modified.conffile..etc.sudoers.d.README: [modified]
mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1373495
Title:
sudo shouldn't preserve caller's HOME environment variable by default
Status in “sudo” package in Ubuntu:
Confirmed
Bug description:
Currently Ubuntu hard-codes sudo to preserve the HOME environment variable,
pointing to the sudo caller's home directory by default (refer to bug #760140).
However, this is dangerous and error-prone because the program run by
root may write files (e.g. $HOME/.Xauthority, program config files)
into the caller's HOME directory **AS ROOT**, which will cause issues when
users run the same program under their normal user account again and
even make the user fail to log in (because the .Xauthority file owner is
incorrect).
In my opinion the Ubuntu patch (keep_home_by_default.patch) that makes
sudo keep the $HOME variable is INSANE and should be reverted (Ubuntu
should use the safest configuration for general users by default). Any
user wishing to run commands as root using their HOME directory should set
env_keep in /etc/sudoers themselves, acknowledging the
consequences.
RootSudo - Community Help
Wiki (https://help.ubuntu.com/community/RootSudo) wrongly says that
graphical applications shouldn't be launched by sudo, but in fact the
real issue falls into this bug.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: sudo 1.8.9p5-1ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-17.23-lowlatency 3.16.3
Uname: Linux 3.16.0-17-lowlatency i686
ApportVersion: 2.14.1-0ubuntu3.4
Architecture: i386
CurrentDesktop: KDE
Date: Thu Sep 25 00:08:44 2014
InstallationDate: Installed on 2013-03-08 (564 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release i386 (20121017.2)
SourcePackage: sudo
UpgradeStatus: Upgraded to trusty on 2014-04-19 (158 days ago)
VisudoCheck:
/etc/sudoers: parsed OK
/etc/sudoers.d/Preserve_input_method_required_environmental_variables: parsed OK
/etc/sudoers.d/README: parsed OK
modified.conffile..etc.sudoers.d.README: [modified]
mtime.conffile..etc.sudoers.d.README: 2014-09-24T22:26:35.734703
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1373495/+subscriptions
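The symptom described in this report, files such as $HOME/.Xauthority ending up owned by root inside a user's home directory, can be checked for with a short script. This is an added example, not part of the bug report or of sudo; the function names are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox) and a `find` with `-xdev`.

```shell
#!/bin/sh
# Added example: list entries inside a home directory that are not owned
# by the expected user, e.g. a root-owned ~/.Xauthority left behind by a
# program run through sudo while HOME still pointed at the caller's home.

# owner_uid PATH -> numeric uid of PATH's owner (assumes stat -c support).
owner_uid() {
    stat -c %u "$1"
}

# foreign_owned DIR [UID]
# Prints every entry under DIR whose owner is not UID. UID defaults to
# the owner of DIR itself. -xdev keeps the scan on one filesystem, so
# mounts below the home directory are not walked.
foreign_owned() {
    dir=$1
    uid=${2:-$(owner_uid "$dir")} || return 2
    find "$dir" -xdev ! -uid "$uid" -print
}

# check_home DIR [UID]
# Returns 0 when DIR is clean, 1 when foreign-owned entries exist (each
# is printed with its owner uid), 2 when DIR is not a readable directory.
# File names containing newlines are not handled.
check_home() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    hits=$(foreign_owned "$@") || return 2
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r path; do
        printf 'uid=%s\t%s\n' "$(owner_uid "$path")" "$path"
    done
    return 1
}

# Stand-alone use: check the invoking user's own home directory.
# check_home "$HOME"
```

Entries it reports can be handed back to the user with `chown`; running commands with `sudo -H` sets HOME to the target user's home directory, so such files are not created in the caller's home.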