hardy sudo path is always reset

Bug #192651 reported by sibidiba
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
sudo | Fix Released | Unknown | |
sudo (Fedora) | Fix Released | Medium | |
sudo (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

Binary package hint: sudo

According to /usr/share/doc/sudo/OPTIONS, sudo is built with

--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"

This is basically ok, but you should be able to change the default PATH for sudo.

I tried in sudoers:

Defaults env_reset
Defaults env_keep="HOME"

and

Defaults !env_reset

But PATH is always reset to the configured one.

Martin Pitt (pitti) wrote :

You can change $PATH for one command with a little trick:

  $ sudo PATH=$PATH sh -c 'echo $PATH'

to use the user's $PATH. You can set it to anything else, too.

However, I agree that it would be nice to provide a sudoers configuration variable to change the default.

Changed in sudo:
importance: Undecided → Wishlist
status: New → Triaged
Changed in sudo:
status: Unknown → In Progress
Changed in sudo:
status: In Progress → Fix Released
paul.carey (paul-p-carey) wrote :

Given that a duplicate of this bug was originally filed in July 2006, I'm not clear how long an ineffectual env_keep has been in operation. Whatever the merits of forcing users to employ tricks such as that listed above, surely the man pages for sudo and sudoers should reflect the fact that options to modify the PATH are effectively redundant.

Modifying documentation to reflect actual execution is non-destabilising and very helpful.

Mikel Ward (mikelward) wrote :

The suggested workaround breaks sudo -s.

It would be nice if sudo worked properly without touching my PATH. If I wanted it to touch PATH, I'd use su - (or sudo su -).

Mikel Ward (mikelward) wrote :

What exactly are we trying to accomplish with --with-secure-path?

Can't we get the same functionality with env_reset and -D_PATH_DEFPATH?

In , Jeff (jeff-redhat-bugs) wrote :

Description of problem:
Our users have a pretty scary PATH variable and they have a script named runasrelease that does:
sudo -u release bash -c "$*"

Since upgrading to Fedora 10+, the PATH variable is cleared and set to whatever was built in with --secure-path. This breaks our expected usage of sudo as it removes PATH which we want set.

Adding:
!env_reset

or env_reset
env_keep = "HOME PATH"

does not work.

Version-Release number of selected component (if applicable):
sudo-1.6.9p17-6

How reproducible:
PATH=$PATH:/tmp/pathtest
sudo -u anyotheruser bash -c 'echo $PATH'

Steps to Reproduce:
<email address hidden>: ~ $ echo $PATH
/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/java/bin:/home/release:/home/release/scripts:/opt/mysql/5.1.30/bin:/home/jschroeder/bin
<email address hidden>: ~ $ sudo -u release bash -c 'echo $PATH'
[sudo] password for jschroeder:
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

Actual results:
PATH is cleared due to the --secure-path option

Expected results:
There should be a way for PATH to not be cleared. !env_reset or adding PATH to env_keep should work. This is fixed in 1.7.0 according to upstream.

Additional info:

* Wed May 14 2008 Peter Vrabec <email address hidden> 1.6.9p13-6
- compiled with secure path (#80215)

https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/192651 ubuntu bug
http://www.gratisoft.us/bugzilla/show_bug.cgi?id=284 upstream bug

In , Fedora (fedora-redhat-bugs) wrote :

sudo-1.7.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/sudo-1.7.1-1.fc11

Jeff Schroeder (sejeff) wrote :

The Fedora bug I linked is fixed if you use the new package. Simply merging sudo 1.7.0 solves this bug.

Changed in sudo (Fedora):
status: Unknown → Confirmed
In , Fedora (fedora-redhat-bugs) wrote :

sudo-1.7.1-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update sudo'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-4879

Changed in sudo (Fedora):
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

Comment from upstream:

This feature is already present in sudo 1.7, which is currently in
beta. The "secure_path" sudoers option can be used to set the PATH.

1.7 is in Karmic now, closing.
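
An added example, not part of the original report or of sudo itself: a check an administrator could run over a candidate PATH before setting it as secure_path or preserving a user's PATH through sudo. It flags entries that are empty, relative, missing, or writable by group or others; the function name `audit_path` and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit_path is a hypothetical helper, not part of sudo.
# Prints one finding per risky PATH entry; returns 1 if any were found.
audit_path() {
    rest="${1}:"          # trailing ":" keeps a final empty entry visible
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "") echo "EMPTY: empty entry resolves to the current directory"
                findings=1; continue ;;
            /*) ;;
            *)  echo "RELATIVE: $entry"
                findings=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            # A missing entry can be created later by whoever can write its parent.
            echo "MISSING: $entry"
            findings=1; continue
        fi
        # -H follows a symlinked entry (e.g. /bin -> usr/bin); -prune stops
        # descent so only the directory's own mode bits are tested.
        if [ -n "$(find -H "$entry" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            echo "WRITABLE: $entry (group or other write bit set)"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed sample modelled on the reproduction in the report.
audit_path "/usr/bin:/bin:/tmp/pathtest:" || true
```

The check looks only at the mode bits of each entry itself; ownership and the permissions of parent directories are outside its scope.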

Changed in sudo (Ubuntu):
status: Triaged → Fix Released
In , Bug (bug-redhat-bugs) wrote :

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

In , Fedora (fedora-redhat-bugs) wrote :

sudo-1.7.1-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Changed in sudo (Fedora):
status: Fix Committed → Fix Released
Changed in sudo (Fedora):
importance: Unknown → Medium