Bug 430

Summary: env_reset / always_set_home regression
Product: Sudo Reporter: Phil Pennock <sudo-bz>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.7.4   
Hardware: PC   
OS: FreeBSD   
Attachments: Fix for duplicate HOME when always_reset_home and !env_reset

Description Phil Pennock 2010-08-18 14:20:27 MDT 
NB: I have read UPGRADE and this change in behaviour is not described therein.  It looks very much like a regression.

I updated sudo from 1.7.3 to 1.7.4p2 (1.7.4.2_1 in FreeBSD Ports) and encountered a behaviour regression.  My sudoers contained:
  Defaults       !env_reset,always_set_home
ie: don't reset the env, but do always set HOME.  This achieved the security position I wanted, and which the recent changes appear to have been focused towards.

With 1.7.3, this worked.
with 1.7.4p2, HOME is no longer set, and so the update has resulted in a behaviour regression (with security impact).
Comment 1 Todd C. Miller 2010-08-18 15:22:23 MDT 
The HOME variable is being set but the old value is not being overwritten so you end up with two HOME variables in the environment.  I've attached a patch that fixes this,
Comment 2 Todd C. Miller 2010-08-18 15:23:08 MDT 
Created attachment 286 [details]
Fix for duplicate HOME when always_reset_home and !env_reset
Comment 3 Phil Pennock 2010-08-18 17:00:35 MDT 
Oh indeed.  The shell is de-duping and so for zsh, the original is kept, whereas FreeBSD /bin/sh is keeping the new value.  Ugh.  sudo /usr/bin/env proves it; thanks for the speedy diagnosis!

Patch confirmed to work for me.
Comment 4 Todd C. Miller 2010-08-18 19:15:45 MDT 
Fixed in sudo 1.7.4p3, available now.