From: Todd C. Miller Date: Wed, 21 Jul 2010 13:49:27 +0000 (-0400) Subject: Add commented out line to add HOME to env_keep and add a warning X-Git-Tag: SUDO_1_7_4~45 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=79875c3f2b7722e243dbba7d5b037a155d70cdfb;p=sudo Add commented out line to add HOME to env_keep and add a warning to the note about the HOME change in UPGRADE. --HG-- branch : 1.7 --- diff --git a/UPGRADE b/UPGRADE index 8f98d2f70..b4ffa7a73 100644 --- a/UPGRADE +++ b/UPGRADE @@ -25,6 +25,10 @@ o Upgrading from a version prior to 1.7.4: Defaults env_keep += MAIL to preserve the old value of MAIL. + NOTE: preserving HOME has security implications since many programs + use when searching for configuration files. Adding HOME to env_keep + may enable a user to run unrestricted commands via sudo. + o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0, comments in the sudoers file must not diff --git a/sudoers b/sudoers index 01d127f66..183649f94 100644 --- a/sudoers +++ b/sudoers @@ -37,6 +37,11 @@ ## Locale settings # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" ## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## ## X11 resource path settings # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" ## diff --git a/sudoers.pod b/sudoers.pod index 1a5ab483b..7e1c1737b 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -1365,10 +1365,10 @@ Below are example I entries. Admittedly, some of these are a bit contrived. First, we allow a few environment variables to pass and then define our I: - # Run X applications through sudo; HOME is used to find .Xauthority file - # Note that some programs may use HOME for other purposes too and - # this may lead to privilege escalation! - Defaults env_keep = "DISPLAY HOME" + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! + Defaults env_keep += "DISPLAY HOME" # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy
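Review bot: the new UPGRADE note is missing a word: "since many programs use when searching for configuration files" should read "since many programs use it when searching for configuration files" (or "consult HOME when searching"). Since this is the text administrators read before deciding whether to add HOME back to env_keep, it is worth getting the sentence right; the rest of the note correctly states the risk that preserving HOME may let a user run unrestricted commands via sudo.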
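Review bot: in the sudoers hunk, the commented-out line `# Defaults env_keep += "HOME"` is introduced as "Run X applications through sudo", but on its own it does not achieve that: the sudoers.pod example for the same purpose keeps `"DISPLAY HOME"`. Either include DISPLAY in the commented-out example or reword the leading comment so it describes only what the line does (preserving HOME for .Xauthority lookup); otherwise an administrator who uncommits this line and still cannot run X clients may be tempted to widen env_keep further.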
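Review bot: the sudoers.pod hunk changes `Defaults env_keep = "DISPLAY HOME"` to `Defaults env_keep += "DISPLAY HOME"`, which is a semantic change (append to the default env_keep list instead of replacing it) and not just the comment rewording the commit message describes. Mention it in the commit message, and note in the manual text that with `=` the default list would be discarded so only DISPLAY and HOME survive, whereas `+=` keeps the compiled-in defaults plus these two; the two forms give a different environment to the command being run.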