From: Todd C. Miller Date: Mon, 19 Jul 2010 19:08:04 +0000 (-0400) Subject: Reset HOME when env_reset is enabled unless it is in env_keep X-Git-Tag: SUDO_1_7_4~53 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=876d69c6992d71ffadaae60435b57fc7d47858d4;p=sudo Reset HOME when env_reset is enabled unless it is in env_keep --HG-- branch : 1.7 --- diff --git a/UPGRADE b/UPGRADE index 3e049d226..cde28f2a8 100644 --- a/UPGRADE +++ b/UPGRADE @@ -10,6 +10,15 @@ o Upgrading from a version prior to 1.7.4: system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this. + The HOME and MAIL environment variables are now reset based on the + target user's password database entry when the env_reset sudoers option + is enabled (which is the case in the default configuration). Users + wishing to preserve the original values should use a sudoers entry like: + Defaults env_keep += HOME + to preserve the old value of HOME and + Defaults env_keep += MAIL + to preserve the old value of MAIL. + o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0, comments in the sudoers file must not diff --git a/WHATSNEW b/WHATSNEW index 2894f70ea..607b070d4 100644 --- a/WHATSNEW +++ b/WHATSNEW 
@@ -34,9 +34,14 @@ What's new in Sudo 1.7.4? more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). - * If env_reset is enabled in sudoers (the default), sudo will now set - the MAIL environment variable based on the target user unless MAIL is - explicitly preserved in sudoers. Previously MAIL was passed unchanged. + * The HOME and MAIL environment variables are now reset based on the + target user's password database entry when the env_reset sudoers option + is enabled (which is the case in the default configuration). Users + wishing to preserve the original values should use a sudoers entry like: + Defaults env_keep += HOME + to preserve the old value of HOME and + Defaults env_keep += MAIL + to preserve the old value of MAIL. What's new in Sudo 1.7.3? diff --git a/env.c b/env.c index 6ad32992f..c6e0a6b43 100644 --- a/env.c +++ b/env.c @@ -196,7 +196,6 @@ static const char *initial_checkenv_table[] = { static const char *initial_keepenv_table[] = { "COLORS", "DISPLAY", - "HOME", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", @@ -595,6 +594,7 @@ rebuild_env(noexec) char **old_envp, **ep, *cp, *ps1; char idbuf[MAX_UID_T_LEN]; unsigned int didvar; + int reset_home = FALSE; /* * Either clean out the environment or reset to a safe default. @@ -609,6 +609,9 @@ rebuild_env(noexec) memset(env.envp, 0, env.env_size * sizeof(char *)); #endif if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) { + /* Reset HOME based on target user unless keeping old value. */ + reset_home = TRUE; + /* Pull in vars we want to keep from the old environment. */ for (ep = old_envp; *ep; ep++) { int keepit; @@ -677,7 +680,6 @@ rebuild_env(noexec) * on sudoers options). */ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { - sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME)); sudo_setenv("SHELL", runas_pw->pw_shell, ISSET(didvar, DID_SHELL)); sudo_setenv("LOGNAME", runas_pw->pw_name, ISSET(didvar, DID_LOGNAME)); 
@@ -685,8 +687,6 @@ rebuild_env(noexec) sudo_setenv("USERNAME", runas_pw->pw_name, ISSET(didvar, DID_USERNAME)); } else { - if (!ISSET(didvar, DID_HOME)) - sudo_setenv("HOME", user_dir, FALSE); if (!ISSET(didvar, DID_SHELL)) sudo_setenv("SHELL", sudo_user.pw->pw_shell, FALSE); if (!ISSET(didvar, DID_LOGNAME)) @@ -709,6 +709,13 @@ rebuild_env(noexec) sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE); } } else { + /* Reset HOME based on target user if configured to. */ + if (ISSET(sudo_mode, MODE_RUN)) { + if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) || + (ISSET(sudo_mode, MODE_SHELL) && def_set_home)) + reset_home = TRUE; + } + /* * Copy environ entries as long as they don't match env_delete or * env_check. @@ -748,8 +755,7 @@ rebuild_env(noexec) } /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ - /* XXX - not needed for MODE_LOGIN_SHELL */ - if (def_set_logname && runas_pw->pw_name) { + if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL)) { if (!ISSET(didvar, KEPT_LOGNAME)) sudo_setenv("LOGNAME", runas_pw->pw_name, TRUE); if (!ISSET(didvar, KEPT_USER)) @@ -758,14 +764,9 @@ rebuild_env(noexec) sudo_setenv("USERNAME", runas_pw->pw_name, TRUE); } - /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */ - /* XXX - not needed for MODE_LOGIN_SHELL */ - if (runas_pw->pw_dir) { - if (ISSET(sudo_mode, MODE_RESET_HOME) || - (ISSET(sudo_mode, MODE_RUN) && (def_always_set_home || - (ISSET(sudo_mode, MODE_SHELL) && def_set_home)))) - sudo_setenv("HOME", runas_pw->pw_dir, TRUE); - } + /* Set $HOME to target user if not preserving user's value. */ + if (reset_home && !ISSET(didvar, KEPT_HOME)) + sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME)); /* Provide default values for $TERM and $PATH if they are not set. */ if (!ISSET(didvar, DID_TERM)) diff --git a/sudo.cat b/sudo.cat index b9c6a0c88..97bc6b356 100644 --- a/sudo.cat +++ b/sudo.cat 
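Review bot: The replaced condition in the `@@ -748,8 +755,7 @@` hunk drops the `runas_pw->pw_name` NULL guard that the old `def_set_logname && runas_pw->pw_name` test provided, and the `@@ -758,14 +764,9 @@` hunk likewise drops the `if (runas_pw->pw_dir)` guard around the HOME reset, so both now hand `runas_pw` fields straight to `sudo_setenv`. Whether that is safe depends on the passwd lookup always returning non-NULL strings, which this diff does not show; the login-shell branch a few hunks up already passes those fields unguarded, so the change is at least consistent with existing code. If non-NULL is not guaranteed, keep the guards in the new form, `if (def_set_logname && runas_pw->pw_name != NULL && !ISSET(sudo_mode, MODE_LOGIN_SHELL))` and `if (reset_home && runas_pw->pw_dir != NULL && !ISSET(didvar, KEPT_HOME))`; if it is guaranteed, a one-line comment at the first site, `/* runas_pw string fields are never NULL here */`, would spare the next reader the same question. rebuild_env starts and ends outside this hunk.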
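Review bot: In the `@@ -758,14 +764,9 @@` hunk an explicit `-H` can now be silently ignored: the final test `reset_home && !ISSET(didvar, KEPT_HOME)` skips the reset whenever HOME was kept from the caller's environment (presumably what KEPT_HOME records), and `MODE_RESET_HOME` is only consulted in the `@@ -709,6 +709,13 @@` hunk, i.e. in the non-env_reset branch. With env_reset enabled and `Defaults env_keep += HOME` (the entry the UPGRADE text suggests for preserving HOME), `sudo -H` therefore leaves the caller's HOME in place, whereas the removed code set it unconditionally and the sudo.pod hunk still documents `-H` as setting HOME to the target user's home directory. The same `@@ -709` hunk also moves the `MODE_RESET_HOME` check under `ISSET(sudo_mode, MODE_RUN)`, so if `-H` is accepted outside MODE_RUN it no longer has any effect there; confirm that is intended. I would let the flag win over the kept value, `if (ISSET(sudo_mode, MODE_RESET_HOME) || (reset_home && !ISSET(didvar, KEPT_HOME)))`, with the overwrite argument back to `TRUE` as in the removed code; rebuild_env continues past this hunk.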
@@ -179,17 +179,17 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -H The --HH (_H_O_M_E) option sets the HOME environment variable to the homedir of the target user (root by default) as - specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify - HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). + specified in _p_a_s_s_w_d(4). The default handling of the HOME + environment variable depends on _s_u_d_o_e_r_s(4) settings. By + default, ssuuddoo will set HOME if _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e + are set, or if _s_e_t___h_o_m_e is set and the --ss option is + specified on the command line. -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message and exit. -i [command] The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell - specified in the _p_a_s_s_w_d(4) entry of the target user as a - login shell. This means that login-specific resource files - such as .profile or .login will be read by the shell. If a @@ -202,6 +202,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + specified in the _p_a_s_s_w_d(4) entry of the target user as a + login shell. This means that login-specific resource files + such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. ssuuddoo attempts to change to that user's home directory @@ -253,9 +256,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve the invoking user's group vector unaltered. By - default, ssuuddoo will initialize the group vector to the list - of groups the target user is in. The real and effective - group IDs, however, are still set to match the target user. 
@@ -268,6 +268,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + default, ssuuddoo will initialize the group vector to the list + of groups the target user is in. The real and effective + group IDs, however, are still set to match the target user. + -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default password prompt and use a custom one. The following percent (`%') escapes are supported: @@ -318,10 +322,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) listed. Only root or a user with ssuuddoo ALL on the current host may use this option. - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as - a _u_i_d, many shells require that the '#' be escaped with a @@ -334,6 +334,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified + command as a user other than _r_o_o_t. To specify a _u_i_d + instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as + a _u_i_d, many shells require that the '#' be escaped with a backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands with a uid not listed in the password database. @@ -384,10 +388,6 @@ SSEECCUURRIITTYY NNOOTTEESS default, the _e_n_v___r_e_s_e_t _s_u_d_o_e_r_s option is enabled. This causes commands to be executed with a minimal environment containing TERM, PATH, HOME, SHELL, LOGNAME, USER and USERNAME in addition to variables from the - invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s - options. There is effectively a whitelist for environment variables. - - If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables 
@@ -400,6 +400,10 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p _s_u_d_o_e_r_s + options. There is effectively a whitelist for environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to @@ -451,10 +455,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) On systems where the boot time is available, ssuuddoo will also not honor time stamps from before the machine booted. - Since time stamp files live in the file system, they can outlive a - user's login session. As a result, a user may be able to login, run a - command with ssuuddoo after authenticating, logout, login again, and run - 1.7.4 July 19, 2010 7 @@ -466,6 +466,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + Since time stamp files live in the file system, they can outlive a + user's login session. As a result, a user may be able to login, run a + command with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the 
@@ -497,9 +500,10 @@ EENNVVIIRROONNMMEENNTT MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set to the mail spool of the target user - HOME In --ss or --HH mode (or if sudo was configured with the - --enable-shell-sets-home option), set to homedir of the - target user + HOME Set to the home directory of the target user if --ii or + --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set + in _s_u_d_o_e_r_s, or when the --ss optino is specified and + _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option is set. @@ -516,10 +520,6 @@ EENNVVIIRROONNMMEENNTT SUDO_GID Set to the group ID of the user who invoked sudo - SUDO_PROMPT Used as the default password prompt - - SUDO_PS1 If set, PS1 will be set to its value for the program - being run @@ -532,6 +532,11 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_PROMPT Used as the default password prompt + + SUDO_PS1 If set, PS1 will be set to its value for the program + being run + SUDO_UID Set to the user ID of the user who invoked sudo SUDO_USER Set to the login of the user who invoked sudo @@ -582,11 +587,6 @@ EEXXAAMMPPLLEESS Note that this runs the commands in a sub-shell to make the cd and file redirection work. - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" - -SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), - 1.7.4 July 19, 2010 9 @@ -598,6 +598,10 @@ SSEEEE AALLSSOO SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + +SSEEEE AALLSSOO + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(1m) AAUUTTHHOORRSS @@ -651,10 +655,6 @@ DDIISSCCLLAAIIMMEERR - - - - 1.7.4 July 19, 2010 10 diff --git a/sudo.man.in b/sudo.man.in index 1ffea70e0..65a79d5b2 100644 --- a/sudo.man.in +++ b/sudo.man.in 
@@ -332,8 +332,11 @@ case, the primary group will be set to \fIgroup\fR. .IX Item "-H" The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable to the homedir of the target user (root by default) as specified -in \fIpasswd\fR\|(@mansectform@). By default, \fBsudo\fR does not modify \f(CW\*(C`HOME\*(C'\fR -(see \fIset_home\fR and \fIalways_set_home\fR in \fIsudoers\fR\|(@mansectform@)). +in \fIpasswd\fR\|(@mansectform@). The default handling of the \f(CW\*(C`HOME\*(C'\fR environment +variable depends on \fIsudoers\fR\|(@mansectform@) settings. By default, \fBsudo\fR +will set \f(CW\*(C`HOME\*(C'\fR if \fIenv_reset\fR or \fIalways_set_home\fR are set, or +if \fIset_home\fR is set and the \fB\-s\fR option is specified on the +command line. .IP "\-h" 12 .IX Item "-h" The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. @@ -623,8 +626,10 @@ to the mail spool of the target user .ie n .IP "\*(C`HOME\*(C'" 16 .el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 .IX Item "HOME" -In \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the -\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user +Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are +specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR, +or when the \fB\-s\fR optino is specified and \fIset_home\fR is set in +\&\fIsudoers\fR .ie n .IP "\*(C`PATH\*(C'" 16 .el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 .IX Item "PATH" diff --git a/sudo.pod b/sudo.pod index c2426a0d8..39c8cd9cc 100644 --- a/sudo.pod +++ b/sudo.pod 
@@ -213,8 +213,11 @@ case, the primary group will be set to I. The B<-H> (I) option sets the C environment variable to the homedir of the target user (root by default) as specified -in passwd(5). By default, B does not modify C -(see I and I in L). +in passwd(5). The default handling of the C environment +variable depends on L settings. By default, B +will set C if I or I are set, or +if I is set and the B<-s> option is specified on the +command line. =item -h @@ -526,8 +529,10 @@ to the mail spool of the target user =item C -In B<-s> or B<-H> mode (or if sudo was configured with the ---enable-shell-sets-home option), set to homedir of the target user +Set to the home directory of the target user if B<-i> or B<-H> are +specified, I or I are set in I, +or when the B<-s> optino is specified and I is set in +I =item C