Your message dated Tue, 5 Jul 2016 01:35:28 +0200 (SAST)
with message-id <[email protected]>
and subject line documented
has caused the Debian Bug report #643311,
regarding secure_defaults affects BOTH sudo -i and sudo -iufred
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
643311: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643311
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.8.2-1
Severity: important

This issue may tie in with the change that closed #85123 and #85917 and opened #639841.

Once upon a time, I ran "su -", and it gave me a clean root login shell, with /sbin and /usr/sbin in its path. Then I switched to "sudo su -" or "sudo -H -s". Then I switched to "sudo -i", which was best, because it gave the same environment as "su -", but without having to use su.

Now, when I run "sudo -i", I get the original user's $PATH. My immediate reaction is "that's broken", but OK, I will try to do the recommended change to sudoers:

-Defaults env_reset
+Defaults env_reset, secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

But this is definitely wrong:

$ sudo -i
root@dali:~# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root@dali:~# logout
$ sudo -i -u fred
fred@dali:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

So what am I supposed to do about this? sudoers revolves around the user you're switching *from*, not the user you're switching *to*. AFAICT I need to do something like this:

 Defaults env_reset
-root ALL=(ALL:ALL) NOPASSWD:ALL
+root ALL=(root:ALL) SECURE_PATH:"..." NOPASSWD:ALL
+root ALL=(ALL:ALL) NOPASSWD:ALL
-%sudo ALL=(ALL:ALL) NOPASSWD:ALL
+%sudo ALL=(root:ALL) SECURE_PATH:"..." NOPASSWD:ALL
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL

This doubling is fugly and verbose, but might just fly for such a simple ruleset. But at work I have a couple dozen LDAP sudoRole objects, and maintaining another dozen almost identical ones will be a pain in the arse.

Now, I suspect this is not sudo's fault -- that the change in sudo has just happened to expose some other misconfiguration in my system. Specifically I think that /etc/profile doesn't set $PATH anymore (it expects PAM to), and PAM isn't doing so in this case for some reason. OK, fine, whatever.
I don't care which component is misconfigured here, I just want "sudo -i" to DWIM and not have to go back to "sudo su -" to get a "real" login environment.

PS: sorry if I sound really grumpy above, this just bit me unexpectedly because apt-listchanges didn't warn me.

$ sudo egrep -v '^(#|$)' /etc/sudoers /etc/profile /etc/environment /etc/login.defs
/etc/sudoers:Defaults env_reset
/etc/sudoers:Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
/etc/sudoers:root ALL=(ALL:ALL) NOPASSWD:ALL
/etc/sudoers:%sudo ALL=(ALL:ALL) NOPASSWD:ALL
/etc/profile:if [ "$PS1" ]; then
/etc/profile:  if [ "$BASH" ]; then
/etc/profile:    # The file bash.bashrc already sets the default PS1.
/etc/profile:    # PS1='\h:\w\$ '
/etc/profile:    if [ -f /etc/bash.bashrc ]; then
/etc/profile:      . /etc/bash.bashrc
/etc/profile:    fi
/etc/profile:  else
/etc/profile:    if [ "`id -u`" -eq 0 ]; then
/etc/profile:      PS1='# '
/etc/profile:    else
/etc/profile:      PS1='$ '
/etc/profile:    fi
/etc/profile:  fi
/etc/profile:fi
/etc/profile:umask 022
/etc/login.defs:MAIL_DIR        /var/mail
/etc/login.defs:FAILLOG_ENAB    yes
/etc/login.defs:LOG_UNKFAIL_ENAB    no
/etc/login.defs:LOG_OK_LOGINS   no
/etc/login.defs:SYSLOG_SU_ENAB  yes
/etc/login.defs:SYSLOG_SG_ENAB  yes
/etc/login.defs:FTMP_FILE       /var/log/btmp
/etc/login.defs:SU_NAME         su
/etc/login.defs:HUSHLOGIN_FILE  .hushlogin
/etc/login.defs:ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/etc/login.defs:ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
/etc/login.defs:TTYGROUP        tty
/etc/login.defs:TTYPERM         0600
/etc/login.defs:ERASECHAR       0177
/etc/login.defs:KILLCHAR        025
/etc/login.defs:UMASK           022
/etc/login.defs:PASS_MAX_DAYS   99999
/etc/login.defs:PASS_MIN_DAYS   0
/etc/login.defs:PASS_WARN_AGE   7
/etc/login.defs:UID_MIN         1000
/etc/login.defs:UID_MAX         60000
/etc/login.defs:GID_MIN         1000
/etc/login.defs:GID_MAX         60000
/etc/login.defs:LOGIN_RETRIES   5
/etc/login.defs:LOGIN_TIMEOUT   60
/etc/login.defs:CHFN_RESTRICT   rwh
/etc/login.defs:DEFAULT_HOME    yes
/etc/login.defs:USERGROUPS_ENAB yes

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6           2.13-21
ii  libpam-modules  1.1.3-4
ii  libpam0g        1.1.3-2

sudo recommends no packages.
sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
--- End Message ---
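The behaviour the report asks for, a root-style PATH for "sudo -i" but a normal PATH for "sudo -i -u fred", can be expressed without doubling every rule, because sudoers lets a Defaults line be scoped to the user a command runs *as* (the Defaults>Runas_List form in sudoers(5)) rather than to the invoking user. The fragment below is an added example, not text from the bug report or Debian's shipped /etc/sudoers; it reuses the paths, rules and the user fred from the report, and takes the non-root PATH from the ENV_PATH line in the report's /etc/login.defs.

```sudoers
# Added example, not from the bug report: scope secure_path to the
# target user instead of applying one value to every sudo invocation.
Defaults        env_reset

# Commands run as root (the default target of "sudo -i") get the
# root-style PATH the report wants for "su -"-like sessions.
Defaults>root   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Commands run as fred get the ENV_PATH value from the report's
# /etc/login.defs. Without a matching Defaults> line, env_reset hands a
# non-root target the invoking user's PATH, which is what the report saw.
Defaults>fred   secure_path="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"

# The access rules stay exactly as the report shows them; no doubling.
root    ALL=(ALL:ALL) NOPASSWD:ALL
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL
```

Two practical notes: Debian's /etc/profile quoted in the report sets no PATH, so whatever sudo passes to the login shell is what the shell keeps, which is why the scoping has to happen in sudoers; and because a syntax error in sudoers can lock out administration, the file should be validated with "visudo -c" before it is installed.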
--- Begin Message ---
This problem was documented with a NEWS entry and enough time has passed that I expect the vast majority of users are over this transition and there's no longer any point in keeping this bug open.

Bdale
--- End Message ---