From: Todd C. Miller Date: Thu, 20 Jun 2019 22:32:18 +0000 (-0600) Subject: Document why HOME should not be preserved from the user's environment. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ee214e5261f2e6e4b764091f5862afe925f0cf93;p=sudo Document why HOME should not be preserved from the user's environment. Text was adapted from what is already present in the UPGRADE file. Also mark set_home and always_set_home as obsolete. --- diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index af400a237..9ce52bcc3 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -2088,25 +2088,17 @@ If enabled, will set the \fRHOME\fR environment variable to the home directory of the target user -(which is root unless the +(which is root unless +\fBsudo\fR's \fB\-u\fR option is used). -This effectively means that the -\fB\-H\fR -option is always implied. -Note that by default, -\fRHOME\fR -will be set to the home directory of the target user when the +This option is largely obsolete and has no effect unless the \fIenv_reset\fR -option is enabled, so -\fIalways_set_home\fR -only has an effect for configurations where either -\fIenv_reset\fR -is disabled or +option has been disabled or \fRHOME\fR is present in the \fIenv_keep\fR -list. +list, both of which are strongly discouraged. This flag is \fIoff\fR by default. 
@@ -2932,30 +2924,20 @@ If enabled and \fBsudo\fR is invoked with the \fB\-s\fR -option the +option, the \fRHOME\fR environment variable will be set to the home directory of the target -user (which is root unless the +user (which is root unless +\fBsudo\fR's \fB\-u\fR option is used). -This effectively makes the -\fB\-s\fR -option imply -\fB\-H\fR. -Note that -\fRHOME\fR -is already set when the +This option is largely obsolete and has no effect unless the \fIenv_reset\fR -option is enabled, so -\fIset_home\fR -is only effective for configurations where either -\fIenv_reset\fR -is disabled -or +option has been disabled or \fRHOME\fR is present in the \fIenv_keep\fR -list. +list, both of which are strongly discouraged. This flag is \fIoff\fR by default. @@ -4398,6 +4380,18 @@ is displayed when is run by root with the \fB\-V\fR option. +.sp +Preserving the +\fRHOME\fR +environment variable has security implications since many programs use it +when searching for configuration files. +Adding +\fRHOME\fR +to +\fIenv_keep\fR +may enable a user to run unrestricted commands via +\fBsudo\fR +and is strongly discouraged. .SH "GROUP PROVIDER PLUGINS" The \fBsudoers\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 114399d6f..2df6fd276 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -1960,25 +1960,17 @@ If enabled, will set the .Ev HOME environment variable to the home directory of the target user -(which is root unless the +(which is root unless +.Nm sudo Ns 's .Fl u option is used). -This effectively means that the -.Fl H -option is always implied. -Note that by default, -.Ev HOME -will be set to the home directory of the target user when the +This option is largely obsolete and has no effect unless the .Em env_reset -option is enabled, so -.Em always_set_home -only has an effect for configurations where either -.Em env_reset -is disabled or +option has been disabled or .Ev HOME is present in the .Em env_keep -list. +list, both of which are strongly discouraged. This flag is .Em off by default. @@ -2759,30 +2751,20 @@ If enabled and .Nm sudo is invoked with the .Fl s -option the +option, the .Ev HOME environment variable will be set to the home directory of the target -user (which is root unless the +user (which is root unless +.Nm sudo Ns 's .Fl u option is used). -This effectively makes the -.Fl s -option imply -.Fl H . -Note that -.Ev HOME -is already set when the +This option is largely obsolete and has no effect unless the .Em env_reset -option is enabled, so -.Em set_home -is only effective for configurations where either -.Em env_reset -is disabled -or +option has been disabled or .Ev HOME is present in the .Em env_keep -list. +list, both of which are strongly discouraged. This flag is .Em off by default. @@ -4103,6 +4085,18 @@ is displayed when is run by root with the .Fl V option. +.Pp +Preserving the +.Ev HOME +environment variable has security implications since many programs use it +when searching for configuration files. +Adding +.Ev HOME +to +.Em env_keep +may enable a user to run unrestricted commands via +.Nm sudo +and is strongly discouraged. .El .Sh GROUP PROVIDER PLUGINS The
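Review bot: In the always_set_home hunks (doc/sudoers.man.in @@ -2088 and the matching doc/sudoers.mdoc.in @@ -1960), the removed sentence "This effectively means that the -H option is always implied" was the only text in the entry that tied the flag to the command-line option, and the replacement drops it entirely. Consider keeping a short clause to that effect ahead of "This option is largely obsolete ..." so a reader who knows -H can still map it to this setting. The commit message also says the flags are marked "obsolete" while the text says "largely obsolete"; one wording in both places would be better.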
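Review bot: In the set_home hunks (doc/sudoers.man.in @@ -2932 and doc/sudoers.mdoc.in @@ -2759), the new closing phrase "both of which are strongly discouraged" states no reason and points nowhere; the rationale this patch adds sits only in the paragraph appended further down under env_keep. Suggest a cross-reference from here (and from always_set_home, which uses the same sentence) to the env_keep description, so the warning does not read as unexplained. As with always_set_home, the removed statement that -s would imply -H is lost without replacement; a brief mention could stay.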
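Review bot: The new paragraph in doc/sudoers.man.in @@ -4398 and doc/sudoers.mdoc.in @@ -4103 warns only about adding HOME to env_keep, while the two rewritten flag entries in this same patch name a disabled env_reset as the other discouraged configuration in which HOME is left as the user set it. Suggest either mentioning env_reset in this paragraph or repeating the warning in the env_reset entry. The sentence "may enable a user to run unrestricted commands via sudo" would also be clearer if it spelled out the link to the preceding sentence: a permitted command that looks for its configuration files under HOME would be reading files from the invoking user's home directory, which that user controls.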