sudo doesn't have /snap/bin in PATH

Bug #1595558 reported by Kyle Fazzari on 2016-06-23
30
This bug affects 7 people
Affects Status Importance Assigned to Milestone
snapd (Ubuntu)
High
Unassigned
Trusty
Undecided
Unassigned
Xenial
High
Unassigned
sudo (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Xenial
High
Unassigned

Bug Description

[ SRU Justification ]
Snap may contain sysadmin tools as well. They are currently hard to invoke
because /snap/bin is not in the PATH when sudo is used because the default
secure_path of sudoers does not have it.

[ SRU Test Case ]
1. sudo snap install hello-world
2. sudo hello-world
3. verify that this fails with "command not found"
4. install sudo from xenial-proposed
5. verify that sudo hello-world now works

[ Regression Potential ]
- may trigger conffile prompts on upgrade

[Original report]
$ nextcloud.occ
# prints output

$ sudo nextcloud.occ
sudo: nextcloud.occ: command not found

I need to do `sudo /snap/bin/nextcloud.occ` if I want it to run.

$ sudo env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Kyle Fazzari (kyrofa) on 2016-06-23
description: updated
Oliver Grawert (ogra) wrote :

seems that sudo by default does neither carry over the existing env nor process a pam login ...

it works fine with "sudo -i"

ogra@styx:~$ sudo -i env|grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

vs

ogra@styx:~$ sudo env|grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Oliver Grawert (ogra) wrote :

also note the PATH extension comes from an /etc/profile.d snipped (which sudo -i processes as it runs through the whole pam login process)

Oliver Grawert (ogra) wrote :

what works is:

ogra@styx:~$ sudo cat /etc/sudoers.d/foo
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

ogra@styx:~$ sudo env|grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

but you can only replace the full variable that is originally set in /etc/sudoers, just appending a dir to it via an /etc/sudoers.d/snapd snippet would not work.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in snapd (Ubuntu):
status: New → Confirmed
Michael Vogt (mvo) on 2016-07-12
Changed in snapd (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Michael Vogt (mvo) wrote :
Changed in snapd (Ubuntu):
status: Triaged → In Progress
Michael Vogt (mvo) wrote :

Closing the snapd tasks, we will fix it in sudo directly.

Changed in snapd (Ubuntu):
status: In Progress → Won't Fix
Changed in snapd (Ubuntu Xenial):
status: New → Won't Fix
description: updated
Michael Vogt (mvo) wrote :
Michael Vogt (mvo) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu3

---------------
sudo (1.8.16-0ubuntu3) yakkety; urgency=medium

  * debian/sudoers:
    - include /snap/bin in the secure_path (LP: #1595558)

 -- Michael Vogt <email address hidden> Mon, 15 Aug 2016 18:08:34 +0200

Changed in sudo (Ubuntu):
status: New → Fix Released

Hello Kyle, or anyone else affected,

Accepted sudo into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Changed in sudo (Ubuntu):
importance: Undecided → High
Changed in snapd (Ubuntu Xenial):
importance: Undecided → High
Changed in sudo (Ubuntu Xenial):
importance: Undecided → High
Oliver Grawert (ogra) on 2016-08-29
tags: added: verification-done
removed: verification-needed

The verification of the Stable Release Update for sudo has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu1.2

---------------
sudo (1.8.16-0ubuntu1.2) xenial; urgency=medium

  * debian/sudoers:
    - include /snap/bin in the secure_path (LP: #1595558)

 -- Michael Vogt <email address hidden> Mon, 15 Aug 2016 18:10:18 +0200

Changed in sudo (Ubuntu Xenial):
status: Fix Committed → Fix Released
Michael Vogt (mvo) on 2016-10-10
Changed in sudo (Ubuntu Trusty):
status: New → In Progress
Changed in snapd (Ubuntu Trusty):
status: New → Won't Fix
Changed in sudo (Ubuntu Trusty):
importance: Undecided → High

Hello Kyle, or anyone else affected,

Accepted sudo into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.9p5-1ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Leo Arias (elopio) wrote :

I tested this in a trusty lxc. Updated sudo to 1.8.9p5-1ubuntu1.3 and:

# mkdir -p /snap/bin
# cp $(which echo) /snap/bin/echo-test
# su ubuntu
$ sudo echo-test test
test

I'm marking it as verified. Thanks Brian.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.9p5-1ubuntu1.3

---------------
sudo (1.8.9p5-1ubuntu1.3) trusty-proposed; urgency=medium

  * debian/sudoers:
    - include /snap/bin in the secure_path (LP: #1595558)

 -- Michael Vogt <email address hidden> Mon, 10 Oct 2016 10:10:46 +0200

Changed in sudo (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers