Bug 1019

Summary: Always set $HOME to the target user's home directory - causing issue
Product: Sudo
Reporter: Prasad <prasad1106>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED ---
Severity: high
Priority: high
Version: 1.8.26
Hardware: IBM
OS: AIX

Description Prasad 2022-01-28 07:56:46 MST
As we notice due to below option added in 1.8.26 Sudo version, we are experiencing issues with some sudo rules when updated from "Sudo version 1.7.4p6" to "1.8.26".

Is there a way to disable this feature in sudoers config as I have already tried below option, but that's not effective/working.

Defaults env_keep += "HOME"

"Always set $HOME to the target user's home directory"

Your help/support is much appreciated as we have multiple servers pending for update due to this issue.

Thanks.
Comment 1 Todd C. Miller 2022-01-28 09:56:28 MST
I'm not sure why preserving HOME would not work.  Here's what I see when I add that to sudoers:

$ sudo -V
Sudo version 1.8.26
Sudoers policy plugin version 1.8.26
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.26

$ sudo printenv | grep HOME
HOME=/root

After adding:

Defaults    env_keep += "HOME"

$ sudo printenv | grep HOME
HOME=/home/millert

You should verify that the line:

Defaults    env_keep += "HOME"

occurs _after_ other Defaults lines that modify env_keep.

Can you share the output of "sudo -l" for an affected user as
well as the output of "sudo printenv | grep HOME"?
Comment 2 Prasad 2022-02-02 06:39:04 MST
Thank you for the reply, please find below details.

# printenv|grep HOME (output from root)
HOME=/

# su - xxxxx (Below is my user level output, above is from root)
$ printenv|grep HOME
HOME=/users/xxxxx
$ sudo -l
Matching Defaults entries for XXXXX on YYYYYYYY:
    env_keep+=HOME, logfile=/var/adm/sudo.log, always_set_home

User xxxxxx may run the following commands on YYYYYYY:
    (perf) NOPASSWD: /tmp/Abcdef*/test1.sh
$


Below is the output from sudoers conf: (tried both ways keeping the original entry and now added the line at the end of line)

# grep -i env /etc/sudoers
## You may wish to keep some of the following environment variables
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
# Defaults env_keep += "HOME"
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
# Defaults env_keep += "QTDIR KDEDIR"
# Defaults env_keep += "XDG_SESSION_COOKIE"
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
Defaults env_keep += "HOME"
#

$ sudo -V
Sudo version 1.8.26
Sudoers policy plugin version 1.8.26
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.26
$
Comment 3 Todd C. Miller 2022-02-02 07:28:57 MST
You need to remove the "always_set_home" option from sudoers, that is what is setting HOME to the target user.
Comment 4 Prasad 2022-02-02 08:18:19 MST
Thank you.

I do not see any env variable in sudoers that is enabled to set 'always_set_home'.

>/# su - XXXXXX
$ sudo -l
Matching Defaults entries for XXXXXX on YYYYYYY:
    logfile=/var/adm/sudo.log, always_set_home

User XXXXXX may run the following commands on YYYYYYY:
    (perf) NOPASSWD: /tmp/Abcdef*/test1.sh
$ 

Also tried to disable the one which added 'Defaults env_keep += "HOME"' to see if 'always_set_home' disappears from sudo -l for my ID, still it's coming when I sudo -l from my ID. Not sure from where sudo is fetching the always_set_home. Please advise.

>/# cat /etc/sudoers|grep -i  home
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find
# Defaults env_keep += "HOME"
#Defaults env_keep += "HOME"
>/#
Comment 5 Todd C. Miller 2022-02-02 08:57:35 MST
It may be set by default in your sudo binary, in which case you will need to explicitly disable it.  Try adding:

Defaults !always_set_home

to sudoers.
Comment 6 Prasad 2022-02-02 09:22:11 MST
Still it's showing in sudo -l, not getting removed.

/ # cat /etc/sudoers|grep -i  home
## Run X applications through sudo; HOME is used to find the
## .Xauthority file.  Note that other programs use HOME to find
# Defaults env_keep += "HOME"
#Defaults env_keep += "HOME"
Defaults !always_set_home
/ #

/ # su - XXXXXX
$
$
$ sudo -l
Matching Defaults entries for XXXXXX on YYYYYYY:
    !always_set_home, logfile=/var/adm/sudo.log, always_set_home

User XXXXXX may run the following commands on YYYYYYY:
    (perf) NOPASSWD: /tmp/Abcdef*/test1
$ exit
/ #
Comment 7 Todd C. Miller 2022-02-02 10:42:54 MST
That indicates that always_set_home is being set later on.  Are there any include files that could be setting it?
Comment 8 Prasad 2022-02-02 11:09:40 MST
As shown below, I do not see anything in the sudoers file locally in the server.

/ # cat /etc/sudoers|grep -i include
## Groups of machines. These may include host names (optionally with wildcards),
#includedir /etc/sudoers.d
/ # cd /etc/sudoers.d
/etc/sudoers.d # ls -ltr
total 0
/etc/sudoers.d #
Comment 9 Todd C. Miller 2022-02-02 15:46:07 MST
Sorry, I don't see how always_set_home could be enabled unless there is a line in sudoers that explicitly sets it.

You could move the:

Defaults !always_set_home

line to the very end of the sudoers file and see if that changes the behavior.
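
Comments 1, 7 and 9 turn on parse order: the last Defaults entry touching a flag wins, and entries from included files count too. As an added example (not code from this thread or from the sudo project), the Python below walks a sudoers file and its includes in order and lists every entry for one flag; the file tree built in demo() is constructed, and backslash-continued lines are assumed absent.

```python
import os, re, tempfile

INCLUDE = re.compile(r'^[#@]include(dir)?\s+(\S+)')  # '@' form exists only in sudo >= 1.9.1

def trace(path, flag, hits=None):
    """List (file, line, enabled) for each Defaults entry touching `flag`, in parse order."""
    hits = [] if hits is None else hits
    pat = re.compile(r'(?<![\w!])(!?)' + re.escape(flag) + r'(?!\w)')
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            inc = INCLUDE.match(line)
            if inc:
                # A relative include path is resolved against the including file's directory.
                target = os.path.join(os.path.dirname(path), inc.group(2))
                if inc.group(1) and os.path.isdir(target):
                    # includedir: sorted order, skipping names ending in '~' or containing '.'
                    for name in sorted(os.listdir(target)):
                        if not name.endswith('~') and '.' not in name:
                            trace(os.path.join(target, name), flag, hits)
                elif not inc.group(1) and os.path.isfile(target):
                    trace(target, flag, hits)
            elif line.startswith('Defaults'):
                for m in pat.finditer(line.split('#', 1)[0]):
                    hits.append((path, lineno, m.group(1) != '!'))
    return hits

def effective(hits):
    """Last entry wins; None means no sudoers line sets it (compiled-in default applies)."""
    return hits[-1][2] if hits else None

def demo():
    """Constructed sudoers tree (not the reporter's files) where a later include re-enables the flag."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'sudoers.d'))
        files = {
            'sudoers': '# Defaults env_keep += "HOME"\nDefaults env_keep += "HOME"\n'
                       'Defaults !always_set_home\n#includedir sudoers.d\n',
            'sudoers.d/10-site': 'Defaults logfile=/var/adm/sudo.log, always_set_home\n',
            'sudoers.d/20-old.bak': 'Defaults !always_set_home\n',  # skipped: name has '.'
        }
        for rel, text in files.items():
            with open(os.path.join(root, rel), 'w') as fh:
                fh.write(text)
        hits = trace(os.path.join(root, 'sudoers'), 'always_set_home')
        return [(os.path.relpath(f, root), n, on) for f, n, on in hits], effective(hits)

if __name__ == '__main__':
    entries, state = demo()
    for f, n, on in entries:
        print(f"{f}:{n}: {'' if on else '!'}always_set_home")
    print('effective:', state)
```

Against a live system, call trace() as root on the sudoers file that sudo actually reads; an empty result means no line in that file tree sets the flag.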
Comment 10 Prasad 2022-02-10 07:32:11 MST
I still see the same behavior (always_set_home is not getting removed or unable to overwrite this parameter).

/ # cat /etc/sudoers|tail
Defaults !always_set_home
/ #

/ # su - XXXXXX 
$ sudo -l
Matching Defaults entries for XXXXXX on YYYYYYY:
    !always_set_home, logfile=/var/adm/sudo.log, always_set_home

User XXXXXX may run the following commands on YYYYYYY:
    (perf) NOPASSWD: /tmp/Abcdef*/test1