I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config:
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_user/bin/script.py
This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/.local/lib/python*/site-packages/.
This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities.
However there is an Ubuntu-specific patch in the package (keep_home_by_default.patch) that makes sudo preserve HOME by default, which negates the correct behaviour of "env_reset". It should not be necessary to explicitly specify the "always_set_home" option in order to negate this patch.
The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands.
I wanted to allow certain users to execute a python script as another user, so I created the following sudoers config: user/bin/ script. py
Defaults env_reset
source_user ALL=(target_user) NOPASSWD: /home/target_
This results in a highly insecure Python environment because the source user can set HOME and override any Python package by putting files in $HOME/. local/lib/ python* /site-packages/ .
This should be a safe configuration because the default behaviour (as specified in the man page) is that env_reset will replace HOME with the target user's home directory. The "env_reset" option even has special behaviour for bash which has its own potential environment vulnerabilities.
However there is an Ubuntu-specific patch in the package (keep_home_ by_default. patch) that makes sudo preserve HOME by default, which negates the correct behaviour of "env_reset". It should not be necessary to explicitly specify the "always_set_home" option in order to negate this patch.
The patch should be removed and the default /etc/sudoers should explicitly add HOME to "env_keep" for the "allow admins to run any command as root" entries, to get the desired behaviour without creating security issues for other sudoers commands.