https://bugzilla.novell.com/show_bug.cgi?id=352121

User adaugherity@tamu.edu added comment
https://bugzilla.novell.com/show_bug.cgi?id=352121#c354431

Summary: sudo: env_reset/env_keep result in conflicting, duplicate, broken PATH
Product: openSUSE 10.2
Version: Final
Platform: i686
OS/Version: openSUSE 10.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: adaugherity@tamu.edu
QAContact: qa@suse.de
Found By: ---

This is basically the same as Debian bug #354431 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354431>, wherein attempting to keep the user's path by setting Defaults env_keep+=PATH causes severe breakage, as it produces two PATH environment variables, one with the SECURE_PATH compile-time setting, one that is simply "/usr/bin:/bin", which ends up being the one used, which is very unhelpful.

Adding the Debian patch (from Alexander Zangerl in that bug report) to the rpm spec fixes this issue, but as he describes, it only fixes the duplicate path issue, and PATH is still set to the compiled-in SECURE_PATH setting (which may be intentional, I'm not sure on the SuSE security policy here). It might be a good idea to change the sudoers(5) man page to note that sudo *is* compiled with the SECURE_PATH option (it currently says "If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable."). Still, this is better than having a useless (and broken) duplicate PATH.

Repeatable: always

How-to-repeat:
Add PATH to the env_keep setting (with a sudoers line such as "Defaults env_keep+=PATH"), and instead of the user's PATH setting being retained, a second PATH environment variable is set with the value "/usr/bin:/bin".
This can be seen by running 'sudo env':

andrew@virt-zope-01:~> sudo env
TERM=xterm
PATH=/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin
HOME=/root
SHELL=/bin/bash
LOGNAME=root
USER=root
PATH=/usr/bin:/bin
SUDO_COMMAND=/usr/bin/env
SUDO_USER=andrew
SUDO_UID=1001
SUDO_GID=100

Note the second PATH line.

This bug does not apply to OpenSUSE 10.3, which ships sudo 1.6.9p2 instead of 1.6.8p12.

Fix:

*New patch file sudo-1.6.8p12-duplicate_path.diff (identical to the patch from Debian, except for changing the line numbers):

====
--- env.c.old 2006-02-26 18:24:58.000000000 +1000 +++ env.c 2006-02-26 18:30:10.000000000 +1000 @@ -389,6 +389,10 @@ if (strncmp(*ep, "USER=", 5) == 0) SET(didvar, DID_USER); break; + case 'P': + if (strncmp("PATH=", *ep, 5) == 0) + SET(didvar,DID_PATH); + break; } insert_env(*ep, 0); } else {
====

*Of course, this patch needs to be referenced in the spec file, and the revision bumped.

====
--- sudo.spec.orig 2006-11-25 11:39:20.000000000 -0600 +++ sudo.spec 2008-01-07 14:35:28.000000000 -0600 @@ -14,7 +14,7 @@ Name: sudo BuildRequires: openldap2-devel pam-devel postfix Version: 1.6.8p12 -Release: 40 +Release: 41 Autoreqprov: on Group: System/Base License: BSD License and BSD-like @@ -32,6 +32,7 @@ Patch7: %{name}-%{version}-secure_path.diff Patch8: %{name}-%{version}-configure.diff Patch9: %{name}-%{version}-ldap.diff +Patch10: %{name}-%{version}-duplicate_path.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -63,6 +64,7 @@ %patch7 %patch8 %patch9 +%patch10 cp %{S:1} %{S:2} . %build
====
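Review bot: in the env.c hunk the new case 'P' block reverses the strncmp argument order relative to the existing USER= check (`strncmp("PATH=", *ep, 5)` next to `strncmp(*ep, "USER=", 5)`) and `SET(didvar,DID_PATH)` drops the space that the neighbouring `SET(didvar, DID_USER)` has; both are equivalent, but they should follow the surrounding style. The block only records that a PATH entry was kept so that the "/usr/bin:/bin" default is not appended afterwards; as the report states, the compiled-in SECURE_PATH still overrides the value, so a one-line comment at the case 'P' line noting that env_keep+=PATH does not retain the user's PATH would spare the next reader from rediscovering that.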
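Review bot: the Release bump from 40 to 41 in the first sudo.spec hunk has no accompanying changelog entry in the hunks shown; add one that names sudo-1.6.8p12-duplicate_path.diff and this bug number so the reason for the rebuild is recorded with the package.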
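Review bot: the Patch10 declaration in the second sudo.spec hunk only references %{name}-%{version}-duplicate_path.diff; the diff file itself has to be added to the package sources next to the spec, otherwise the build fails at %setup with a missing patch.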
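Review bot: the %patch10 line in the third sudo.spec hunk is applied without a -p level, which matches %patch7 through %patch9, but the new diff names its files as env.c.old and env.c with no directory prefix, so it only applies cleanly if the existing patches are rooted the same way in the unpacked sudo-1.6.8p12 tree; confirm with a build rather than assuming it.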
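A simplified model of the environment rebuild the report describes, written as an added example for this page and not taken from sudo's source: the names rebuild_env, insert_env, SECURE_PATH, DEFAULT_PATH and the DID_* flags are assumptions about how sudo 1.6.8 tracks which variables it has already emitted, the sample user environment (including the user's own PATH value) is constructed, and the secure path and "/usr/bin:/bin" default values are copied from the 'sudo env' output above. With fixed=0 the kept PATH is not recorded, so the default PATH is appended and the secure_path override then replaces only the first entry, leaving two PATH variables in the same order the report shows; with fixed=1 the case 'P' branch from the patch records it and a single PATH remains, still holding SECURE_PATH rather than the user's value.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENV 32
#define DID_HOME    0x01
#define DID_SHELL   0x02
#define DID_LOGNAME 0x04
#define DID_USER    0x08
#define DID_PATH    0x10
#define SET(t, f)   ((t) |= (f))
#define ISSET(t, f) ((t) & (f))

/* Values taken from the report's 'sudo env' output (assumed model). */
#define SECURE_PATH  "/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin"
#define DEFAULT_PATH "/usr/bin:/bin"

struct env { const char *vars[MAX_ENV]; int n; };

/* Length of the NAME part of a "NAME=value" string. */
static size_t name_len(const char *var) { return strcspn(var, "="); }

/* Does `var` carry the variable name held in the first `len` bytes of `name`? */
static int is_named(const char *var, const char *name, size_t len)
{
    return name_len(var) == len && strncmp(var, name, len) == 0;
}

/* Append var; with dupcheck, replace the FIRST entry of the same name instead
 * (this is how the secure_path override is applied in the model). */
static int insert_env(struct env *e, const char *var, int dupcheck)
{
    size_t len = name_len(var);
    if (dupcheck)
        for (int i = 0; i < e->n; i++)
            if (is_named(e->vars[i], var, len)) { e->vars[i] = var; return 0; }
    if (e->n >= MAX_ENV) return -1;
    e->vars[e->n++] = var;
    return 0;
}

/* Is this variable's name on the env_keep list? */
static int keep_var(const char *const *keep, const char *var)
{
    size_t len = name_len(var);
    for (; *keep != NULL; keep++)
        if (strlen(*keep) == len && strncmp(*keep, var, len) == 0) return 1;
    return 0;
}

/* Number of entries named `name` in the environment. */
int count_var(const struct env *e, const char *name)
{
    int c = 0;
    for (int i = 0; i < e->n; i++)
        if (is_named(e->vars[i], name, strlen(name))) c++;
    return c;
}

/* Rebuild the target environment from the caller's environment and the
 * env_keep list; `fixed` selects whether the patch's case 'P' exists.
 * Returns the number of PATH entries in the result. */
int rebuild_env(const char *const *user_env, const char *const *env_keep,
                int fixed, struct env *out)
{
    unsigned didvar = 0;
    out->n = 0;
    for (const char *const *ep = user_env; *ep != NULL; ep++) {
        if (!keep_var(env_keep, *ep)) continue;
        switch (**ep) {
        case 'H': if (strncmp(*ep, "HOME=", 5) == 0) SET(didvar, DID_HOME); break;
        case 'L': if (strncmp(*ep, "LOGNAME=", 8) == 0) SET(didvar, DID_LOGNAME); break;
        case 'S': if (strncmp(*ep, "SHELL=", 6) == 0) SET(didvar, DID_SHELL); break;
        case 'U': if (strncmp(*ep, "USER=", 5) == 0) SET(didvar, DID_USER); break;
        case 'P': /* added by the patch; without it DID_PATH is never set */
            if (fixed && strncmp(*ep, "PATH=", 5) == 0) SET(didvar, DID_PATH);
            break;
        }
        insert_env(out, *ep, 0);
    }
    /* Target-user defaults for whatever was not kept. Without DID_PATH the
     * kept PATH goes unnoticed and a second PATH= entry is appended here. */
    if (!ISSET(didvar, DID_HOME))    insert_env(out, "HOME=/root", 0);
    if (!ISSET(didvar, DID_SHELL))   insert_env(out, "SHELL=/bin/bash", 0);
    if (!ISSET(didvar, DID_LOGNAME)) insert_env(out, "LOGNAME=root", 0);
    if (!ISSET(didvar, DID_USER))    insert_env(out, "USER=root", 0);
    if (!ISSET(didvar, DID_PATH))    insert_env(out, "PATH=" DEFAULT_PATH, 0);
    /* Compile-time secure_path: replaces only the first PATH entry. */
    insert_env(out, "PATH=" SECURE_PATH, 1);
    return count_var(out, "PATH");
}

/* Constructed sample matching the report: the user keeps TERM and PATH. */
static void build_demo(int fixed, struct env *e)
{
    static const char *const user_env[] = {
        "TERM=xterm", "PATH=/home/andrew/bin:/usr/bin:/bin", "HOME=/home/andrew",
        "SHELL=/bin/bash", "LOGNAME=andrew", "USER=andrew", NULL };
    static const char *const env_keep[] = { "TERM", "PATH", NULL };
    rebuild_env(user_env, env_keep, fixed, e);
}

int demo_path_count(int fixed)
{
    struct env e;
    build_demo(fixed, &e);
    return count_var(&e, "PATH");
}

/* Value of the LAST PATH entry, the one the report says ends up being used. */
const char *demo_last_path(int fixed)
{
    struct env e;
    build_demo(fixed, &e);
    for (int i = e.n - 1; i >= 0; i--)
        if (is_named(e.vars[i], "PATH", 4)) return e.vars[i] + 5;
    return NULL;
}

int main(void)
{
    printf("unpatched: %d PATH entries, last = %s\n", demo_path_count(0), demo_last_path(0));
    printf("patched:   %d PATH entries, last = %s\n", demo_path_count(1), demo_last_path(1));
    return 0;
}
```

The model deliberately appends defaults with dupcheck off and applies the secure path with dupcheck on, because that combination is the only one that reproduces the report's ordering (SECURE_PATH first, "/usr/bin:/bin" last); the patched run shows why the fix leaves the secure path in place rather than restoring the user's PATH.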