HOME points to something not owned by user in sudo

Bug #1823202 reported by Ryan K. McKee on 2019-04-04
Affects: sudo (Ubuntu), importance Undecided, assigned to Unassigned
Affects: zsh (Ubuntu), importance Undecided, assigned to Unassigned

Bug Description

<CcxWrk> You shouldn't use interactive shell, or any program with executable configuration, while your HOME points to something not owned by your user. That's the big issue and it's with sudo, not zsh, not omz, not any other shell or application you launch.
<CcxWrk> You can go shout "you are doing security wrong" at Ubuntu. Good luck.

╭─rkm@Khadas ~
╰─➤ id rkm && getent passwd rkm
uid=1001(rkm) gid=1001(rkm) groups=1001(rkm),0(root),4(adm),5(tty),6(disk),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),27(sudo),29(audio),30(dip),44(video),46(plugdev),50(staff),60(games),100(users),101(systemd-journal),104(input),108(netdev),112(bluetooth),113(lpadmin),121(pulse-access)
rkm:x:1001:1001:Ryan McKee,,,,:/home/rkm:/usr/bin/zsh

╭─rkm@Khadas ~
╰─➤ sudo /usr/bin/env 1 ↵
LC_MESSAGES=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
TERM=xterm-256color
XAUTHORITY=/home/rkm/.Xauthority
COLORTERM=truecolor
DISPLAY=:0.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
HOME=/home/rkm
LC_CTYPE=en_US.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
SHELL=/bin/bash
SUDO_COMMAND=/usr/bin/env

SUDO_USER=rkm
SUDO_UID=1001
SUDO_GID=1001
╭─rkm@Khadas ~
╰─➤

<Eickmeyer> CyberManifest: sudo is a package. Also, once filed, add zsh to the bug since it could be a bug in zsh's package as well.

<Eickmeyer> Not necessarily zsh itself, but the packaging.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: sudo 1.8.21p2-3ubuntu1
Uname: Linux 4.9.40 aarch64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: arm64
CurrentDesktop: XFCE
Date: Thu Apr 4 11:07:42 2019
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
VisudoCheck:
 /etc/sudoers: parsed OK
 /etc/sudoers.d/README: parsed OK

Ryan K. McKee (ryan-k-mckee) wrote :
Seth Arnold (seth-arnold) wrote :

This appears to be the missing context:

╭─rkm@Khadas ~
╰─➤ sudo -s
[oh-my-zsh] Insecure completion-dependent directories detected:
drwxr-xr-x 11 rkm rkm 4096 Mar 30 19:19 /home/rkm/.oh-my-zsh
drwxr-xr-x 266 rkm rkm 12288 Mar 30 19:19 /home/rkm/.oh-my-zsh/plugins
drwxr-xr-x 2 rkm rkm 4096 Mar 30 19:19 /home/rkm/.oh-my-zsh/plugins/git

[oh-my-zsh] For safety, we will not load completions from these directories until
[oh-my-zsh] you fix their permissions and ownership and restart zsh.
[oh-my-zsh] See the above list for directories with group or other writability.

[oh-my-zsh] To fix your permissions you can do so by disabling
[oh-my-zsh] the write permission of "group" and "others" and making sure that the
[oh-my-zsh] owner of these directories is either root or your current user.
[oh-my-zsh] The following command may help:
[oh-my-zsh] compaudit | xargs chmod g-w,o-w

[oh-my-zsh] If the above didn't help or you want to skip the verification of
[oh-my-zsh] insecure directories you can set the variable ZSH_DISABLE_COMPFIX to
[oh-my-zsh] "true" before oh-my-zsh is sourced in your zshrc file.

from http://dpaste.com/1NQ618Y

information type: Private Security → Public
Seth Arnold (seth-arnold) wrote :

You should use sudo -i to get a clean root login without your local user configuration seeping into the shell.

Thanks


So does this mean sudo -s doesn't work? If not, why the implementation? Why
does an "-s" switch exist if it provides no functionality?

On Thu, Apr 4, 2019, 11:55 AM Seth Arnold <email address hidden>
wrote:

> You should use sudo -i to get a clean root login without your local user
> configuration seeping into the shell.
>
> Thanks

Ryan K. McKee (ryan-k-mckee) wrote :

[16:51:24] <slacker_nl> that patch that they added in ... 1.7.4p4-5ubuntu6 breaks the default sudo compared to upstream (both sudo and debian)
[16:52:36] <slacker_nl> you can reference to https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/760140

Basically I resolved my sudo -s issue by
creating a new file: /etc/sudoers.d/01_env_keep
with the following contents:

Defaults env_keep -= "HOME"

and then chmod 440 /etc/sudoers.d/01_env_keep

and then confirming with sudo sudo -V
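The fix above and the ownership mismatch in the bug description, as an added shell example (not code from the report, from sudo or from Ubuntu): it looks for HOME among the variables `sudo -V` reports as preserved, checks whether a directory is owned by a given uid, and writes the same env_keep drop-in. The `sudo -V` sample is constructed and trimmed, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report, sudo or Ubuntu. It checks the two
# facts the thread turns on: whether the effective sudo policy preserves HOME,
# and whether the HOME a privileged shell inherits is owned by the uid it runs as.

# Constructed sample of `sudo sudo -V` output, trimmed to the section that
# lists preserved variables; real output carries many more sections.
SAMPLE_SUDO_V='Sudo version 1.8.21p2
Environment variables to preserve:
	XAUTHORITY
	HOME
	LANG
Locale to use while parsing sudoers: C'

# sudo_keeps_home SUDO_V_TEXT -> exit 0 if HOME is listed under
# "Environment variables to preserve:", 1 otherwise.
sudo_keeps_home() {
    printf '%s\n' "$1" | awk '
        /^Environment variables to preserve:/ { in_sec = 1; next }
        /^[^ \t]/                             { in_sec = 0 }
        in_sec && $1 == "HOME"                { found = 1 }
        END { exit found ? 0 : 1 }'
}

# home_owned_by DIR UID -> exit 0 if DIR exists and is owned by the numeric
# UID (ls -n is POSIX, so no GNU/BSD stat differences). The report's case is
# a root shell (uid 0) with HOME=/home/rkm, owned by uid 1001: exit 1.
home_owned_by() {
    owner=$(ls -lnd "$1" 2>/dev/null | awk '{ print $3 }')
    [ -n "$owner" ] && [ "$owner" = "$2" ]
}

# write_env_keep_dropin SUDOERS_D -> writes the drop-in the reporter used,
# mode 0440 as sudo expects for /etc/sudoers.d files, and prints its path.
# The file is created under umask 077 so it is never world-readable.
write_env_keep_dropin() {
    f="$1/01_env_keep"
    ( umask 077 && printf 'Defaults env_keep -= "HOME"\n' > "$f" ) || return 1
    chmod 440 "$f" && printf '%s\n' "$f"
}

# Live use from a shell obtained with `sudo -s` (none of this runs here):
#   sudo_keeps_home "$(sudo -V)" && echo "policy preserves HOME"
#   home_owned_by "$HOME" "$(id -u)" || echo "HOME=$HOME is not owned by uid $(id -u)"
```

Point `write_env_keep_dropin` at a scratch directory first and inspect the file; only a root-owned copy under /etc/sudoers.d is read by sudo.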

Ryan K. McKee (ryan-k-mckee) wrote :

[17:16:23] <slacker_nl> CyberManifest: there are two other bugs that are the same as yours, both can be found in https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/760140

[17:16:46] <slacker_nl> I personally believe that the decision of adding this patch is wrong, please refer Bug #1373495. / I'm expecting the documented behavior. Please refer Bug #889936
