Package: sudo
Version: 1.8.2-1
Severity: important

This issue may tie in with the change that closed #85123 and #85917
and opened #639841.

Once upon a time, I ran "su -", and it gave me a clean root login
shell, with /sbin and /usr/sbin in its path.  Then I switched to "sudo
su -" or "sudo -H -s".  Then I switched to "sudo -i", which was best,
because it gave the same environment as "su -", but without having to
use su.

Now, when I run "sudo -i", I get the original user's $PATH.

My immediate reaction is "that's broken", but OK, I will try to do the
recommended change to sudoers:

    -Defaults env_reset
    +Defaults env_reset, secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

But this is definitely wrong:

    $ sudo -i
    root@dali:~# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    root@dali:~# logout
    $ sudo -i -u fred
    fred@dali:~$ echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

So what am I supposed to do about this?  sudoers revolves around the
user you're switching *from*, not the user you're switching *to*.
AFAICT I need to do something like this:


     Defaults env_reset
    -root       ALL=(ALL:ALL)   NOPASSWD:ALL
    +root       ALL=(root:ALL)  SECURE_PATH:"..." NOPASSWD:ALL
    +root       ALL=(ALL:ALL)   NOPASSWD:ALL
    -%sudo      ALL=(ALL:ALL)   NOPASSWD:ALL
    +%sudo      ALL=(root:ALL)  SECURE_PATH:"..." NOPASSWD:ALL
    +%sudo      ALL=(ALL:ALL)   NOPASSWD:ALL

This doubling is fugly and verbose, but might just fly for such a
simple ruleset.  But at work I have a couple dozen LDAP sudoRole
objects, and maintaining another dozen almost identical ones will be a
pain in the arse.

Now, I suspect this is not sudo's fault -- that the change in sudo has
just happened to expose some other misconfiguration in my system.
Specifically I think that /etc/profile doesn't set $PATH anymore (it
expects pam to), and PAM isn't doing so in this case for some reason.

OK, fine, whatever.  I don't care which component is misconfigured
here, I just want "sudo -i" to DWIM and not have to go back to
"sudo su -" to get a "real" login environment.

PS: sorry if I sound really grumpy above, this just bit me
unexpectedly because apt-listchanges didn't warn me.

$ sudo egrep -v '^(#|$)' /etc/sudoers /etc/profile /etc/environment /etc/login.defs
/etc/sudoers:Defaults   env_reset
/etc/sudoers:Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
/etc/sudoers:root       ALL=(ALL:ALL) NOPASSWD:ALL
/etc/sudoers:%sudo      ALL=(ALL:ALL) NOPASSWD:ALL
/etc/profile:if [ "$PS1" ]; then
/etc/profile:  if [ "$BASH" ]; then
/etc/profile:    # The file bash.bashrc already sets the default PS1.
/etc/profile:    # PS1='\h:\w\$ '
/etc/profile:    if [ -f /etc/bash.bashrc ]; then
/etc/profile:      . /etc/bash.bashrc
/etc/profile:    fi
/etc/profile:  else
/etc/profile:    if [ "`id -u`" -eq 0 ]; then
/etc/profile:      PS1='# '
/etc/profile:    else
/etc/profile:      PS1='$ '
/etc/profile:    fi
/etc/profile:  fi
/etc/profile:fi
/etc/profile:umask 022
/etc/login.defs:MAIL_DIR        /var/mail
/etc/login.defs:FAILLOG_ENAB            yes
/etc/login.defs:LOG_UNKFAIL_ENAB        no
/etc/login.defs:LOG_OK_LOGINS           no
/etc/login.defs:SYSLOG_SU_ENAB          yes
/etc/login.defs:SYSLOG_SG_ENAB          yes
/etc/login.defs:FTMP_FILE       /var/log/btmp
/etc/login.defs:SU_NAME         su
/etc/login.defs:HUSHLOGIN_FILE  .hushlogin
/etc/login.defs:ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/etc/login.defs:ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
/etc/login.defs:TTYGROUP        tty
/etc/login.defs:TTYPERM         0600
/etc/login.defs:ERASECHAR       0177
/etc/login.defs:KILLCHAR        025
/etc/login.defs:UMASK           022
/etc/login.defs:PASS_MAX_DAYS   99999
/etc/login.defs:PASS_MIN_DAYS   0
/etc/login.defs:PASS_WARN_AGE   7
/etc/login.defs:UID_MIN                  1000
/etc/login.defs:UID_MAX                 60000
/etc/login.defs:GID_MIN                  1000
/etc/login.defs:GID_MAX                 60000
/etc/login.defs:LOGIN_RETRIES           5
/etc/login.defs:LOGIN_TIMEOUT           60
/etc/login.defs:CHFN_RESTRICT           rwh
/etc/login.defs:DEFAULT_HOME    yes
/etc/login.defs:USERGROUPS_ENAB yes

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6           2.13-21
ii  libpam-modules  1.1.3-4
ii  libpam0g        1.1.3-2

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
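The report's complaint is that a single sudoers secure_path hands root and non-root targets the same PATH, whereas a real login shell gets ENV_SUPATH for uid 0 and ENV_PATH for everyone else from /etc/login.defs. The script below is an added example, not part of the bug report or of the sudo package: it emulates that login.defs selection on a constructed sample (the values are copied from the report's own grep output) so that what "sudo -i -u USER" actually produced can be checked against what a login shell for that user would have been given. The function names and the LOGIN_DEFS_SAMPLE variable are this example's own inventions.

```shell
#!/bin/sh
# Added example: pick the login PATH for a target uid the way login(1)
# does from login.defs (ENV_SUPATH for uid 0, ENV_PATH otherwise) and
# compare it with an observed PATH.  Runs offline on the constructed
# sample below; on a real system point logindefs_get at /etc/login.defs.

# Constructed sample in login.defs format (values from the bug report).
LOGIN_DEFS_SAMPLE='
# comments and blank lines are ignored, as in the real file
ENV_SUPATH      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH        PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
UMASK           022
'

# logindefs_get KEY: print the value of KEY (text after the key and its
# separating whitespace), first match wins, comments/blank lines skipped.
logindefs_get() {
    printf '%s\n' "$LOGIN_DEFS_SAMPLE" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == key { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }'
}

# login_path_for_uid UID: the PATH a login shell for UID would receive,
# with the leading "PATH=" stripped from the login.defs value.
login_path_for_uid() {
    if [ "$1" -eq 0 ]; then
        v=$(logindefs_get ENV_SUPATH)
    else
        v=$(logindefs_get ENV_PATH)
    fi
    printf '%s\n' "${v#PATH=}"
}

# path_matches UID ACTUAL_PATH: succeed (exit 0) only if ACTUAL_PATH is
# exactly the login PATH for UID; use it to audit what sudo -i handed out.
path_matches() {
    [ "$(login_path_for_uid "$1")" = "$2" ]
}

# Typical use inside a shell started by "sudo -i -u USER" (not run here):
#   path_matches "$(id -u)" "$PATH" || echo "PATH differs from login.defs"
```

With the report's single secure_path, path_matches succeeds for root (the secure_path equals ENV_SUPATH) and fails for fred (uid 1000), which is exactly the mismatch the "sudo -i -u fred" transcript above shows.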
