/apps/bin should be added to sudoer's secure_path

Bug #1411671 reported by Ilya Dmitrichenko on 2015-01-16
This bug affects 1 person
Affects: Snappy
Importance: Wishlist
Assigned to: Jamie Strandboge

Bug Description

When a script, such as weave [1], is called via sudo and in turn needs to call docker, it cannot find the docker command in the path.

[1]: https://github.com/zettio/weave/blob/master/weave

Alexander Sack (asac) wrote :

We are moving this to another place; assigning mvo to think if we should do something on top.

Changed in snappy-ubuntu:
importance: Undecided → Wishlist
assignee: nobody → Michael Vogt (mvo)
Alexander Sack (asac) wrote :

mvo can this be closed? Or do we need to do something else now?

Michael Vogt (mvo) on 2015-03-31
summary: - /home/ubuntu/snappy-bin should be added to sudoer's sercure_path
+ /apps/bin should be added to sudoer's sercure_path

I guess the implementation would be to add /apps/bin to the end of the secure_path so that apps can't override system binaries. The problem is that apps are not trusted (though they are confined) so adding them automatically to the secure_path needs thought. Can someone from the security team comment on this?
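
The ordering concern in the comment above, as an added example that is not part of the original bug report or of ubuntu-core-config: a Python sketch that resolves commands along a secure_path-style string and reports name collisions for an untrusted directory. The temporary sys/ and apps/ directories are constructed stand-ins for a system directory and /apps/bin, and all function names are hypothetical.

```python
import os
import tempfile

def is_exe(directory, name):
    path = os.path.join(directory, name)
    return os.path.isfile(path) and os.access(path, os.X_OK)

def resolve(cmd, secure_path):
    """First executable named cmd, searching secure_path left to right."""
    for d in secure_path.split(":"):
        if d and is_exe(d, cmd):
            return os.path.join(d, cmd)
    return None

def audit(secure_path, untrusted_dir):
    """Report where untrusted_dir sits and which of its names collide."""
    dirs = [d for d in secure_path.split(":") if d]
    report = {"untrusted_last": bool(dirs) and dirs[-1] == untrusted_dir,
              "shadowing": [], "shadowed": []}
    for name in sorted(os.listdir(untrusted_dir)):
        if not any(is_exe(d, name) for d in dirs if d != untrusted_dir):
            continue  # unique name (docker in the report): no collision
        wins = os.path.dirname(resolve(name, secure_path)) == untrusted_dir
        report["shadowing" if wins else "shadowed"].append(name)
    return report

def make_exe(directory, name):
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(path, 0o755)

def demo():
    """Constructed tree: sys/ stands in for a system dir, apps/ for /apps/bin."""
    root = tempfile.mkdtemp()
    sys_dir, apps_dir = os.path.join(root, "sys"), os.path.join(root, "apps")
    os.mkdir(sys_dir)
    os.mkdir(apps_dir)
    make_exe(sys_dir, "ls")
    make_exe(apps_dir, "ls")      # app ships a name that collides
    make_exe(apps_dir, "docker")  # app-only command, as in the report
    appended, prepended = f"{sys_dir}:{apps_dir}", f"{apps_dir}:{sys_dir}"
    return {"dirs": (sys_dir, apps_dir),
            "appended": (resolve("docker", appended), resolve("ls", appended),
                         audit(appended, apps_dir)),
            "prepended": (resolve("ls", prepended), audit(prepended, apps_dir))}

if __name__ == "__main__":
    print(demo())
```

With the untrusted directory last, docker resolves from it while the colliding ls still resolves to the system copy; with it first, the app's ls wins.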

summary: - /apps/bin should be added to sudoer's sercure_path
+ /apps/bin should be added to sudoer's secure_path

As a user, I wouldn't want to see a different order in $PATH with sudo's secure_path. I don't care what the order is, but I will be very confused if the order is different.

Michael Vogt (mvo) on 2015-04-14
Changed in snappy-ubuntu:
assignee: Michael Vogt (mvo) → nobody
Changed in snappy-ubuntu:
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snappy-ubuntu:
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

This was fixed in ubuntu-core-config 0.6.13.

Changed in snappy-ubuntu:
status: Fix Committed → Fix Released
Michael Terry (mterry) on 2015-05-18
affects: snappy-ubuntu → snappy