Bug 488

Summary: --disable-env-reset not honoured on sudo binary on FreeBSD
Product: Sudo Reporter: Greg Robinson <greg.robinson>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED WORKSFORME    
Severity: high    
Priority: low    
Version: 1.8.1   
Hardware: PC   
OS: FreeBSD   
Attachments: Output of "sudo -V" on FreeBSD 8.2 amd64 with env-reset disabled.

Description Greg Robinson 2011-04-10 22:19:57 MDT 
Hi,

I have fresh install of FreeBSD 8.2 RELEASE 64 bit.

I tried compiling sudo 1.8.1 manually, and the resulting binary still has the Reset env option set.  Using the ports collection also does not work.  If I hack the Makefile in the ports colection, it still does not work.  I can compile 1.8.0 on Solaris 10 and it works.

eg.:

./configure --disable-env-reset --with-pam --sysconfdir=/usr/local/etc

gives me a binary with:

./sudo -V
[...]
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
[...]

As you can see, "Reset the environment to a default set of variables" is present and indeed works, much to my frustration.

I should clarify, sudo 1.8.0 works as I want on Solaris 10.  sudo 1.8.0 and 1.8.1 on FreeBSD 8.2 does not.
Comment 1 Todd C. Miller 2011-04-11 08:41:38 MDT 
I can't reproduce that.  The "sudo -V" output should also include the configure args.  Is --disable-env-reset listed there?
Comment 2 Greg Robinson 2011-04-11 18:59:46 MDT 
Certainly is:

src/sudo-1.8.1/src # ./sudo -V
Sudo version 1.8.1
Configure args: --disable-env-reset --with-pam --sysconfdir=/usr/local/etc
Sudoers policy plugin version 1.8.1
Sudoers file grammar version 40

Sudoers path: /usr/local/etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Put OTP prompt on its own line
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
[...]
Comment 3 Todd C. Miller 2011-04-12 12:13:23 MDT 
I installed FreeBSD 8.2 on an amd64 VM, updated the ports to current and added --disable-env-reset to CONFIGURE_ARGS in the sudo port's Makefile.  Everything works as expected.  I'm not sure how you managed to get a sudo binary that includes --disable-env-reset in the binary's configure args and also has "Reset the environment to a default set of variables" unless you modified the config.h file by hand.  Attached is the full output of "sudo -V" run as root.
Comment 4 Todd C. Miller 2011-04-12 12:15:13 MDT 
Created attachment 312 [details]
Output of "sudo -V" on FreeBSD 8.2 amd64 with env-reset disabled.
Comment 5 Greg Robinson 2011-04-12 21:08:24 MDT 
Hi Todd,

It's getting worse.  I noticed you had --with-insults and --with-ldap, I don't use ldap, so I re-updated my ports collection and tried the insults option in the ports Makefile.

From sudo -V, you have:

Allow some information gathering to give useful error messages
Insult the user when they enter an incorrect password
Visudo will honor the EDITOR environment variable

I have:

Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable

As you can see, no insults.  Reset env still remains as well.  And both options are indeed in the Configure args in the sudo -V output.

Question: did you update the OS and re-compile the world?  I have not done this yet, as I am still setting things up.  I will get a chance on the weekend.

What I would also like to do is send you my compiled source and binaries and configure script and let you look at them.  And possibly get your binaries and source and look at them as well.  I don't know what is going on here.
Comment 6 Todd C. Miller 2011-04-13 16:58:59 MDT 
Now I understand what is going on; I didn't noticed you had run "./sudo -V" as opposed to "sudo -V".  When you run "sudo -V" you get the configure arguments that the sudo binary was built with, but everything after the "Sudoers policy plugin version 1.8.1" comes from the _installed_ sudoers.so module, not the one you just built.  If you had done a "make install" (or even just "make install-plugin") first you would get the results you expected.  You just can't test the non-installed sudo that way.
Comment 7 Greg Robinson 2011-04-13 20:10:57 MDT 
Genius.

A make install fixed it.  Thankx for that.