For additional clarification: As mentioned already, the Ubuntu patch diverges from upstream sudo.
Additionally, here is what other Linux distros do:

ddstreet@debian:~$ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@debian:~$ sudo printenv | grep HOME
HOME=/root

[ddstreet@fedora-workstation ~]$ printenv | grep '^HOME'
HOME=/home/ddstreet
[ddstreet@fedora-workstation ~]$ sudo printenv | grep '^HOME'
HOME=/root

[ddstreet@fedora-server ~]$ printenv | grep '^HOME'
HOME=/home/ddstreet
[ddstreet@fedora-server ~]$ sudo printenv | grep '^HOME'
HOME=/root

[ddstreet@rhel-8 ~]$ printenv | grep HOME
HOME=/home/ddstreet
[ddstreet@rhel-8 ~]$ sudo printenv | grep HOME
HOME=/root

ddstreet@opensuse-15:~> printenv | grep HOME
HOME=/home/ddstreet
ddstreet@opensuse-15:~> sudo printenv | grep HOME
HOME=/root

ddstreet@sles-15:~> printenv | grep HOME
HOME=/home/ddstreet
ddstreet@sles-15:~> sudo printenv | grep HOME
HOME=/root

ddstreet@slackware:~$ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@slackware:~$ sudo printenv | grep HOME
HOME=/root

And even other UNIXes:

ddstreet@netbsd-8: $ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@netbsd-8: $ sudo printenv | grep HOME
HOME=/root

ddstreet@freebsd-12: $ printenv | grep HOME
HOME=/home/ddstreet
ddstreet@freebsd-12: $ sudo printenv | grep HOME
HOME=/root

openbsd$ printenv | grep HOME
HOME=/home/ddstreet
openbsd$ sudo printenv | grep HOME
HOME=/root

We appear to be completely alone in adding HOME to env_keep by default.
https://bugs.launchpad.net/bugs/1556302

Title:
  Ubuntu patch to add HOME to env_keep makes custom commands vulnerable by default

Status in sudo package in Ubuntu:
  Confirmed

Bug description:
  I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:

  Defaults env_reset
  source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py

  This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/.local/lib/python*/site-packages/.

  This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities.

  However there is an Ubuntu-specific patch in the package (keep_home_by_default.patch) that makes sudo preserve HOME by default, which negates the correct behaviour of "env_reset". It should not be necessary to explicitly specify the "always_set_home" option in order to negate this patch.

  The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands.
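
An added example, not part of the original report or of sudo itself: a shell function that reads the global Defaults lines of sudoers-style text and reports whether the caller's HOME would reach the command, using the rule that HOME survives only when env_reset is off or HOME is in env_keep, and always_set_home is not set. The name home_policy, its BUILD_KEEPS_HOME argument (1 models a build with HOME in env_keep by default, as the Ubuntu patch does) and the sample input are assumptions; per-user and per-command Defaults, includes and line continuations are not handled.

```shell
#!/bin/sh
# Added example: does sudo hand the caller's HOME to the command?
# Usage: home_policy BUILD_KEEPS_HOME < sudoers-style text
#   BUILD_KEEPS_HOME (assumed parameter): 1 models a build that has HOME in
#   env_keep by default (the Ubuntu patch), 0 models a build that does not.
# Only global "Defaults" lines are read. Prints "preserved" or "reset".
home_policy() {
    awk -v keep="$1" '
    BEGIN { reset = 1; always = 0; keep += 0 }   # env_reset is on by default
    /^[ \t]*Defaults[ \t]/ {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, item, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            s = item[i]
            if (s ~ /^!?env_reset[ \t]*$/) {
                reset = (s !~ /^!/)
            } else if (s ~ /^!?always_set_home[ \t]*$/) {
                always = (s !~ /^!/)
            } else if (s ~ /^env_keep[ \t]*[-+]?=/) {
                op = s; sub(/^env_keep[ \t]*/, "", op); op = substr(op, 1, 1)
                val = s; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
                has = ((" " val " ") ~ /[ \t]HOME[ \t]/)
                # "=" replaces the list; "+=" and "-=" add or remove HOME.
                if (op == "=") { keep = has } else if (has) { keep = (op == "+") }
            }
        }
    }
    END {
        # HOME survives only if nothing resets it and nothing forces it.
        if ((!reset || keep) && !always) print "preserved"; else print "reset"
    }'
}

# Constructed sample: the sudoers lines from the bug description.
SAMPLE='Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py'

for build in 0 1; do
    printf 'build_keeps_home=%s -> caller HOME is %s\n' "$build" \
        "$(printf '%s\n' "$SAMPLE" | home_policy "$build")"
done
```

On a live system the same question can be answered empirically with the `sudo printenv | grep HOME` comparison shown in the comment above.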