← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #75152

[Bug 1450667] Re: timezone not cleared despite "env_keep -= TZ" in /etc/sudoers

  Thread PreviousDate PreviousThread Next 
Hello,

Thanks for reporting this issue. Since TZ is now evaluated as part of
the default env_check list, you need to specifically remove it from that
by using the following configuration:

Defaults        env_check-="TZ"

Since this is a configuration issue, I am closing this bug. Please feel
free to re-open it if the configuration change didn't resolve the issue.

Thanks!

** Changed in: sudo (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1450667

Title:
  timezone not cleared despite "env_keep -= TZ" in /etc/sudoers

Status in sudo package in Ubuntu:
  Invalid

Bug description:
  the sanity check of the TZ env variable implemented in
  1.8.9p5-1ubuntu1.1 to address CVE-2014-9680 apparently has the side
  effect of carrying forward the TZ variable despite explicit removal in
  /etc/sudoers. 1.8.9p5-1ubuntu1 does not exhibit this behavior.

  % fgrep env_ /etc/sudoers
  Defaults env_reset
  Defaults env_keep+="JAVA_HOME"
  Defaults env_keep+="SSH_AUTH_SOCK"
  Defaults env_keep-="TZ"

  with 1.8.9p5-1ubuntu1:
  % sudo sudo -V
  Sudo version 1.8.9p5
  Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-timedir=/var/lib/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux
  Sudoers policy plugin version 1.8.9p5
  Sudoers file grammar version 43

  Sudoers path: /etc/sudoers
  Authentication methods: 'pam'
  Syslog facility if syslog is being used for logging: authpriv
  Syslog priority to use when user authenticates successfully: notice
  Syslog priority to use when user authenticates unsuccessfully: alert
  Send mail if the user is not in sudoers
  Lecture user the first time they run sudo
  Require users to authenticate by default
  Root may run sudo
  Always set $HOME to the target user's home directory
  Allow some information gathering to give useful error messages
  Require fully-qualified hostnames in the sudoers file
  Visudo will honor the EDITOR environment variable
  Set the LOGNAME and USER environment variables
  Length at which to wrap log file lines (0 for no wrap): 80
  Authentication timestamp timeout: 60.0 minutes
  Password prompt timeout: 0.0 minutes
  Number of tries to enter a password: 3
  Umask to use or 0777 to use user's: 022
  Path to mail program: /usr/sbin/sendmail
  Flags for mail program: -t
  Address to send mail to: root
  Subject line for mail messages: *** SECURITY information for %h ***
  Incorrect password message: Sorry, try again.
  Path to authentication timestamp dir: /var/lib/sudo
  Default password prompt: [sudo] password for %p:
  Default user to run commands as: root
  Path to the editor for use by visudo: /usr/bin/editor
  When to require a password for 'list' pseudocommand: any
  When to require a password for 'verify' pseudocommand: all
  File descriptors >= 3 will be closed before executing a command
  Reset the environment to a default set of variables
  Environment variables to check for sanity:
   TERM
   LINGUAS
   LC_*
   LANGUAGE
   LANG
   COLORTERM
  Environment variables to remove:
   RUBYOPT
   RUBYLIB
   PYTHONUSERBASE
   PYTHONINSPECT
   PYTHONPATH
   PYTHONHOME
   TMPPREFIX
   ZDOTDIR
   READNULLCMD
   NULLCMD
   FPATH
   PERL5DB
   PERL5OPT
   PERL5LIB
   PERLLIB
   PERLIO_DEBUG
   JAVA_TOOL_OPTIONS
   SHELLOPTS
   GLOBIGNORE
   PS4
   BASH_ENV
   ENV
   TERMCAP
   TERMPATH
   TERMINFO_DIRS
   TERMINFO
   _RLD*
   LD_*
   PATH_LOCALE
   NLSPATH
   HOSTALIASES
   RES_OPTIONS
   LOCALDOMAIN
   CDPATH
   IFS
  Environment variables to preserve:
   SSH_AUTH_SOCK
   JAVA_HOME
   XAUTHORIZATION
   XAUTHORITY
   PS2
   PS1
   PATH
   LS_COLORS
   KRB5CCNAME
   HOSTNAME
   HOME
   DISPLAY
   COLORS
  Locale to use while parsing sudoers: C
  Directory in which to store input/output logs: /var/log/sudo-io
  File in which to store the input/output log: %{seq}
  Add an entry to the utmp/utmpx file when allocating a pty
  PAM service name to use
  PAM service name to use for login shells
  Create a new PAM session for the command to run in
  Maximum I/O log sequence number: 0

  Local IP address and netmask pairs:
   207.241.227.232/255.255.248.0
   fe80::225:90ff:fee4:aef0/ffff:ffff:ffff:ffff::
   fe80::225:90ff:fee4:aef0/ffff:ffff:ffff:ffff::

  Sudoers I/O plugin version 1.8.9p5

  % sudo env | fgrep TZ
  [no output]

  with sudo 1.8.9p5-1ubuntu1.1:
  % sudo sudo -V
  Sudo version 1.8.9p5
  Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --without-lecture --with-tty-tickets --disable-root-mailer --enable-admin-flag --with-sendmail=/usr/sbin/sendmail --with-timedir=/var/lib/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --with-selinux
  Sudoers policy plugin version 1.8.9p5
  Sudoers file grammar version 43

  Sudoers path: /etc/sudoers
  Authentication methods: 'pam'
  Syslog facility if syslog is being used for logging: authpriv
  Syslog priority to use when user authenticates successfully: notice
  Syslog priority to use when user authenticates unsuccessfully: alert
  Send mail if the user is not in sudoers
  Lecture user the first time they run sudo
  Require users to authenticate by default
  Root may run sudo
  Always set $HOME to the target user's home directory
  Allow some information gathering to give useful error messages
  Require fully-qualified hostnames in the sudoers file
  Visudo will honor the EDITOR environment variable
  Set the LOGNAME and USER environment variables
  Length at which to wrap log file lines (0 for no wrap): 80
  Authentication timestamp timeout: 60.0 minutes
  Password prompt timeout: 0.0 minutes
  Number of tries to enter a password: 3
  Umask to use or 0777 to use user's: 022
  Path to mail program: /usr/sbin/sendmail
  Flags for mail program: -t
  Address to send mail to: root
  Subject line for mail messages: *** SECURITY information for %h ***
  Incorrect password message: Sorry, try again.
  Path to authentication timestamp dir: /var/lib/sudo
  Default password prompt: [sudo] password for %p:
  Default user to run commands as: root
  Path to the editor for use by visudo: /usr/bin/editor
  When to require a password for 'list' pseudocommand: any
  When to require a password for 'verify' pseudocommand: all
  File descriptors >= 3 will be closed before executing a command
  Reset the environment to a default set of variables
  Environment variables to check for sanity:
   TZ
   TERM
   LINGUAS
   LC_*
   LANGUAGE
   LANG
   COLORTERM
  Environment variables to remove:
   RUBYOPT
   RUBYLIB
   PYTHONUSERBASE
   PYTHONINSPECT
   PYTHONPATH
   PYTHONHOME
   TMPPREFIX
   ZDOTDIR
   READNULLCMD
   NULLCMD
   FPATH
   PERL5DB
   PERL5OPT
   PERL5LIB
   PERLLIB
   PERLIO_DEBUG
   JAVA_TOOL_OPTIONS
   SHELLOPTS
   GLOBIGNORE
   PS4
   BASH_ENV
   ENV
   TERMCAP
   TERMPATH
   TERMINFO_DIRS
   TERMINFO
   _RLD*
   LD_*
   PATH_LOCALE
   NLSPATH
   HOSTALIASES
   RES_OPTIONS
   LOCALDOMAIN
   CDPATH
   IFS
  Environment variables to preserve:
   SSH_AUTH_SOCK
   JAVA_HOME
   XAUTHORIZATION
   XAUTHORITY
   PS2
   PS1
   PATH
   LS_COLORS
   KRB5CCNAME
   HOSTNAME
   HOME
   DISPLAY
   COLORS
  Locale to use while parsing sudoers: C
  Directory in which to store input/output logs: /var/log/sudo-io
  File in which to store the input/output log: %{seq}
  Add an entry to the utmp/utmpx file when allocating a pty
  PAM service name to use
  PAM service name to use for login shells
  Create a new PAM session for the command to run in
  Maximum I/O log sequence number: 0

  Local IP address and netmask pairs:
   207.241.227.232/255.255.248.0
   fe80::225:90ff:fee4:aef0/ffff:ffff:ffff:ffff::
   fe80::225:90ff:fee4:aef0/ffff:ffff:ffff:ffff::

  Sudoers I/O plugin version 1.8.9p5

  % sudo env | fgrep TZ
  TZ=America/Los_Angeles

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: sudo 1.8.9p5-1ubuntu1.1
  ProcVersionSignature: Ubuntu 3.13.0-49.83-generic 3.13.11-ckt17
  Uname: Linux 3.13.0-49-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.10
  Architecture: amd64
  Date: Thu Apr 30 15:53:59 2015
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/usr/bin/zsh
  SourcePackage: sudo
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.sudoers: [modified]
  mtime.conffile..etc.sudoers: 2015-04-30T15:26:42.293612

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1450667/+subscriptions

References

  Thread PreviousDate PreviousThread Next