Bug 145687 - sudo clobbers path
Summary: sudo clobbers path
Status: RESOLVED FIXED
Alias: None
Product: openSUSE 10.3
Classification: openSUSE
Component: Basesystem
Version: Beta 1
Hardware: Other Other
: P5 - None : Critical
Target Milestone: ---
Assignee: Pavol Rusnak
QA Contact: E-mail List
Reported: 2006-01-25 22:53 UTC by Andreas Schwab
Modified: 2007-08-28 09:43 UTC
Found By: Other
Description Andreas Schwab 2006-01-25 22:53:18 UTC
sudo always resets PATH and HOME, no matter what you configure.  This makes it useless for daily work.
Comment 1 Marcus Meissner 2006-01-26 08:52:54 UTC
cc secteam....
Comment 2 Ludwig Nussel 2006-01-26 10:30:59 UTC
HOME can be preserved by removing always_set_home. PATH unfortunately is handled poorly by sudo. You either have no way to set it to a sane default (even with env_reset it gets preserved) or you always have the default without a way to override it. According to the manpage, users in exempt_group should not be affected by the compiled-in PATH; that doesn't seem to work, though.
Comment 3 Andreas Schwab 2006-01-26 10:52:22 UTC
This worked pretty fine in 10.0.  Currently sudo is completely useless.
Comment 4 Marian Jancar 2006-01-26 11:03:39 UTC
PATH handling fixed. Use `Defaults:schwab !always_set_home, !env_reset`; permitting this to everyone is a security hole, see CVE-2005-2959, CVE-2005-4158, CVE-2006-0151.
Comment 5 Andreas Schwab 2006-01-26 11:05:56 UTC
It's the only useful behaviour.
Comment 6 Andreas Schwab 2006-01-26 16:58:15 UTC
Still does not work.

$ grep env_reset /etc/sudoers 
Defaults env_reset
Defaults>root !env_reset
$ type build
build is hashed (/suse/schwab/bin/build)
$ sudo build
sudo: build: command not found
Comment 7 Ludwig Nussel 2006-01-26 17:09:48 UTC
PATH is handled poorly by sudo.

echo -e '#!/bin/sh\nexec /usr/bin/sudo env PATH="$PATH" "$@"' > ~/bin/sudo
Comment 8 Andreas Schwab 2006-01-26 17:13:21 UTC
10.0 regression.
Comment 9 Marian Jancar 2006-01-27 08:49:27 UTC
fixed
Comment 10 Andreas Schwab 2007-08-11 08:37:57 UTC
Why am I not surprised that it broke again?
Comment 11 Pavol Rusnak 2007-08-14 09:19:48 UTC
If PATH is added to env_keep variables and sudo is configured with --without-secure-path, PATH is not being reset.

If PATH is not present in env_keep variables, it is always reset to secure path specified with --with-secure-path= (currently set to %{_sbindir}:/bin:%{_bindir}:/sbin)

Ludwig: Should I add PATH to env_keep and configure --without-secure-path ?
Comment 12 Mike Fabian 2007-08-14 09:26:50 UTC
This problem annoys me as well, there seems to be no way to get a
useful value of PATH with sudo now.
Comment 13 Cristian Rodriguez 2007-08-14 19:21:19 UTC
Yes, it is very annoying. How do I revert to the old and working behaviour?
Comment 14 Pavol Rusnak 2007-08-15 11:10:15 UTC
(In reply to comment #13 from Cristian Rodriguez)
> Yes, it is very annoying. How do I revert to the old and working behaviour?

What was the old and working behavior? Isn't it the first one I described in comment #11? If it is, the fix is simple, but I have to wait for secteam to advise.
Comment 15 Marcus Meissner 2007-08-15 15:01:46 UTC
Ludwig is back on Monday, so some patience please.
Comment 16 Marcus Meissner 2007-08-20 08:38:50 UTC
While Ludwig only showed up briefly today, he had the following statement
(I hope I have it correctly).

Allowing unprotected/unchecked PATH or other environment variables by
default makes holes into sudo, because there are then ways to break out
of the predefined applications, allowing the user to become root.


The various sudo security updates we did over the time were all "interesting" environment variables being passed, which could be used to do such an escape.

For local use, you can use env_keep I guess.
Comment 17 Mike Fabian 2007-08-20 12:52:16 UTC
But even with env_keep it is not possible to keep PATH anymore
because sudo is now apparently built with

    “configure --with-secure-path=/usr/sbin:/bin:/usr/bin:/sbin”

see comment #11.

Comment 18 Ludwig Nussel 2007-08-23 09:17:01 UTC
I'm confused, STABLE uses --without-secure-path but that change is not mentioned in the changelog. That results in env_keep working but the default path (if PATH is not in env_keep) now apparently is "/usr/bin:/bin" which of course is annoying. I'd suggest to change this hardcoded path to include at least {/usr,}/sbin. This way we can have PATH reset by default to a sane secure value while still being able to add PATH to env_keep, e.g.:

Defaults:joesix env_keep+="PATH"
Comment 19 Stefan Dirsch 2007-08-23 09:53:18 UTC
Sounds fair to me.
Comment 20 Pavol Rusnak 2007-08-28 08:54:19 UTC
I have just found out that e.g. Debian uses --with-secure-path, but also uses --with-exempt=sudo, which causes PATH for users in group sudo not to be reset to secure_path if PATH is in env_keep. We do not have group sudo, but maybe could use group wheel for this purpose.

Ludwig: which solution do you like more?

a) Comment#18
   - use --without-secure-path
   - change hardcoded secure_path to /usr/sbin:/bin:/usr/bin:/sbin
   * PATH will be kept if specified in env_keep for all users
   * PATH will be reset to secure_path if not in env_keep for all users

b) --with-exempt=wheel (more secure)
   - use --with-secure-path=/usr/sbin:/bin:/usr/bin:/sbin
   * PATH will be kept if user is in group wheel _AND_ PATH is present in env_keep
   * PATH will be reset if user is not in group wheel _OR_ PATH is not present in env_keep
Comment 21 Ludwig Nussel 2007-08-28 09:05:43 UTC
IMO abusing any group for that purpose just increases confusion. I vote for a).
Comment 22 Pavol Rusnak 2007-08-28 09:43:44 UTC
Package submitted to STABLE - a) variant.
Closing.
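
Added example (not part of the bug report and not code from sudo or openSUSE): a small audit of sudoers Defaults lines that reports where env_reset is disabled or PATH is put into env_keep, and whether the setting is scoped to one user (as in comments 4 and 18) or applies broadly. The sample file is constructed, and the function name and the "broad" classification are assumptions of this example.

```python
import re

# Constructed sample sudoers text; the settings are the ones quoted in the thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults always_set_home
Defaults>root !env_reset
Defaults:joesix env_keep+="PATH"
Defaults:schwab !always_set_home, !env_reset
Defaults env_keep += "LANG \\
    PATH"
# Defaults !env_reset
"""

DEFAULTS_RE = re.compile(r'^Defaults(?:([:>@!])\s*(\S+))?\s+(.*)$')
SETTING_RE = re.compile(r'(!?)(\w+)\s*(?:([+-]?=)\s*("[^"]*"|[^,\s]+))?')
SCOPES = {':': 'user', '>': 'runas', '@': 'host', '!': 'command'}


def audit_sudoers(text):
    """Return (line, scope, target, issue, broad) per relaxed PATH/env setting."""
    # Join backslash-continued lines, remembering where each logical line starts.
    logical, buf, start = [], '', None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith('\\'):
            buf += raw[:-1]
            continue
        logical.append((start, buf + raw))
        buf, start = '', None
    findings = []
    for no, line in logical:
        m = DEFAULTS_RE.match(line.strip())
        if not m:
            continue  # comments, aliases and user specs are not examined here
        sigil, target, rest = m.groups()
        scope = SCOPES.get(sigil, 'global')
        # A runas scope is keyed on the target user, so ">root" covers every caller.
        broad = scope in ('global', 'runas')
        for neg, name, op, value in SETTING_RE.findall(rest):
            if name == 'env_reset' and neg:
                findings.append((no, scope, target, 'env_reset disabled', broad))
            elif name == 'env_keep' and op in ('=', '+=') and not neg:
                if 'PATH' in value.strip('"').split():
                    findings.append((no, scope, target, 'PATH kept', broad))
    return findings
```

Findings with broad set to True are the ones to review first; the per-user entries match the narrowly scoped form suggested in the thread.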