On Fri, Jul 17, 2015 at 01:33:40PM +0200, Rhonda D'Vine wrote:
> Hi!
>
> * Josh Triplett <j...@joshtriplett.org> [2011-04-05 06:08:21 CEST]:
> > sudo clears the environment by default. In particular, this removes any
> > proxy settings from the environment. Thus, out of the box, the user
> > can't configure a proxy the normal way (such as by using the desktop
> > environment's network proxy settings) and have it work for installing
> > packages.
>
> Actually, allowing the user to set a proxy that the system doesn't know
> about is a high security risk. One would be able to set up a dedicated
> host which sends vulnerable packages for installations that the user
> would be able to install then. All that is needed is a snapshot of the
> archive a few days before a DSA got fixed, and a user having sudo access
> just for apt/aptitude could install the vulnerable package then to gain
> root access.
I'm not suggesting that all sudo configurations should pass through the
proxy environment variables; sudo configurations that offer a very limited
set of commands should not. (Though it's difficult to create a sudo
configuration that *only* allows installing packages and doesn't end up
giving effective root equivalence.)

With the default sudo configuration, if you're in group sudo, you can
already "sudo -E" to preserve the environment; you can also run
"sudo env ..." or just "sudo VAR=value ..." to set arbitrary environment
variables. sudo allows users permitted to run "ALL" to do things like
that, and by default group sudo can run ALL.

Given that, I'm suggesting that the default configuration should also
pass through a few more environment variables *for group sudo*. env_keep
can be set on a per-group basis. In my sudoers configuration, I set the
following:

    Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

Anyone modifying the sudoers configuration such that "sudo" is not
root-equivalent (dropping the ability to run ALL) could easily drop that
line. (They'd also want to be aware, though, that other mechanisms such
as polkit also assume that sudo is root-equivalent.)

Other environment variables I'd suggest adding to the whitelist:

    # This allows running arbitrary commands, but so does ALL, and it means
    # different sudoers have their choice of editor respected.
    Defaults:%sudo env_keep += "EDITOR"

    # Completely harmless preservation of a user preference.
    Defaults:%sudo env_keep += "GREP_COLOR"

    # While you shouldn't normally run git as root, you need to with etckeeper
    Defaults:%sudo env_keep += "GIT_AUTHOR_* GIT_COMMITTER_*"

    # Per-user preferences; root won't have sensible values for them.
    Defaults:%sudo env_keep += "EMAIL DEBEMAIL DEBFULLNAME"

    # "sudo scp" or "sudo rsync" should be able to use your SSH agent.
    Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK"

    # Ditto for GPG agent
    Defaults:%sudo env_keep += "GPG_AGENT_INFO"
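The distinction the two messages turn on is whether a proxy passthrough reaches a sudoer who can run ALL (where "sudo -E" already grants it) or one restricted to apt/aptitude (where it widens what they can do). The following audit script is an added example, not part of this thread or of sudo itself; it parses a constructed sudoers fragment, applies env_keep =, += and -= per scope, and reports proxy variables kept for scopes that are not granted ALL. The %aptonly group and its rule are hypothetical.

```python
import re

# Constructed sudoers fragment (not the thread's file): the %sudo env_keep
# lines quoted above plus a hypothetical %aptonly group limited to apt-get.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
Defaults:%sudo env_keep += "EDITOR"
Defaults:%aptonly env_keep += "http_proxy https_proxy"
Defaults:%aptonly env_keep -= "https_proxy"
%aptonly ALL=(root) NOPASSWD: /usr/bin/apt-get
%sudo ALL=(ALL:ALL) ALL
"""

PROXY_VARS = {"http_proxy", "https_proxy", "ftp_proxy", "all_proxy", "no_proxy"}

# Defaults[:user|%group] env_keep (=|+=|-=) "VAR VAR ..."  (quotes optional)
ENV_KEEP_RE = re.compile(r'^Defaults(?::(\S+))?\s+env_keep\s*(\+=|-=|=)\s*"?([^"]*?)"?\s*$')
# user|%group  host = [(runas)] [TAG:]... command list
USERSPEC_RE = re.compile(r'^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(.+?)\s*$')


def parse_env_keep(text):
    """Map each Defaults scope ('*' = global, '%sudo', 'alice', ...) to the
    set of variables it ends up keeping, applying =, += and -= in file order."""
    keep = {}
    for raw in text.splitlines():
        m = ENV_KEEP_RE.match(raw.strip())
        if not m:
            continue
        scope, op, names = m.group(1) or "*", m.group(2), set(m.group(3).split())
        if op == "=":
            keep[scope] = set(names)
        elif op == "+=":
            keep.setdefault(scope, set()).update(names)
        else:
            keep.setdefault(scope, set()).difference_update(names)
    return keep


def all_sudoers(text):
    """Scopes whose user specification grants the ALL command alias."""
    scopes = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Defaults"):
            continue
        m = USERSPEC_RE.match(line)
        if m and any(c.strip() == "ALL" for c in m.group(2).split(",")):
            scopes.add(m.group(1))
    return scopes


def audit_proxy_passthrough(text):
    """Proxy variables kept for scopes that are NOT root-equivalent: only there
    does the passthrough change what the sudoer can do (e.g. steer apt to a
    mirror of their choosing); ALL sudoers could already use 'sudo -E'."""
    root_eq = all_sudoers(text)
    return {scope: sorted(names & PROXY_VARS)
            for scope, names in parse_env_keep(text).items()
            if scope not in root_eq and names & PROXY_VARS}
```

On a real host, feed it the output of "sudo cat /etc/sudoers" plus each file under /etc/sudoers.d; the script does not follow #include directives itself.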