Bug 584

Summary: Wrong MAIL environment variable (qmail-style)
Product: Sudo
Reporter: chtimi
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: belotton+sudo
Priority: low
Version: 1.8.7
Hardware: PC
OS: Linux

Description chtimi 2013-01-16 11:19:12 MST
If the MAIL environment variable has to be set for the target user, the value is set from PATH_MAILDIR (plugins/sudoers/env.c, lines 857/864).

PATH_MAILDIR is defined in the file confdefs.h by the configure script:

for d in /var/mail /var/spool/mail /usr/spool/mail; do
	    if test -d "$d"; then
		maildir=yes
		cat >>confdefs.h <<EOF
#define _PATH_MAILDIR "$d"
EOF

In case mail is stored qmail-style (under ~/Maildir), the correct value of MAIL cannot be determined by sudo.

File /etc/sudoers :
Defaults	env_reset
# User privilege specification
root		ALL=(ALL) ALL
tunnels		ALL=(ALL) NOPASSWD: /sbin/iptables	
%sudo		ALL=(ALL) ALL

"su" command :
$ su
Password:
# echo $MAIL
/root/Maildir

"sudo -s" command :
$ sudo -s
[sudo] password for xxxxxx: 
# echo $MAIL
/var/mail/root

Comment 1 Todd C. Miller 2013-08-17 06:35:18 MDT
There's no good way for sudo to figure this out itself.  On Linux the pam_mail module is responsible for setting the MAIL environment variable.

Two things are needed to make this work.

1) /etc/pam.d/sudo needs something like this (copied from /etc/pam.d/su)
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen dir=~/Maildir

2) sudo needs to allow PAM environment variable settings to override existing settings.  Just taking whatever PAM gives us will break sudo's environment handling (env_keep, etc).

I've just checked in changes for #2 which will be included in sudo 1.8.8b2.
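
Point 2 of Comment 1 as an added example in C, not sudo's actual code: PAM-supplied variables replace values already in the environment, such as the default MAIL, but not variables the caller preserved through env_keep. That precedence rule, the names merge_pam_env and find_name, and the env_keep contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the sudoers env_keep list (constructed). */
static const char *const env_keep[] = { "DISPLAY", "LANG", NULL };

/* Index of the list[] entry named like nv ("NAME" or "NAME=value"), or -1. */
static int find_name(const char *const list[], const char *nv) {
    size_t n = strcspn(nv, "=");
    for (int i = 0; list[i] != NULL; i++)
        if (strncmp(list[i], nv, n) == 0 && (list[i][n] == '=' || list[i][n] == '\0'))
            return i;
    return -1;
}

/* Merge pam[] into env[] (cap pointers, NULL included). Returns the number of
 * entries applied, or -1 on a malformed entry or a full env[]. */
int merge_pam_env(const char *env[], size_t cap, const char *const pam[]) {
    int applied = 0;
    for (; *pam != NULL; pam++) {
        size_t n = strcspn(*pam, "=");
        if (n == 0 || (*pam)[n] != '=')
            return -1;                  /* not NAME=value */
        int i = find_name(env, *pam);
        if (i >= 0 && find_name(env_keep, *pam) >= 0)
            continue;                   /* preserved via env_keep: PAM must not replace it */
        if (i < 0) {                    /* not set yet: append */
            for (i = 0; env[i] != NULL; i++)
                ;
            if ((size_t)i + 2 > cap)
                return -1;
            env[i + 1] = NULL;
        }
        env[i] = *pam;                  /* any other existing value (the default MAIL here) is replaced */
        applied++;
    }
    return applied;
}

int main(void) {
    /* Constructed: environment after env_reset; MAIL is the compiled-in default. */
    const char *env[8] = { "MAIL=/var/mail/root", "DISPLAY=:0", NULL };
    /* Constructed: variables handed back by the PAM session. */
    const char *const pam[] = { "MAIL=/root/Maildir", "DISPLAY=:9", NULL };
    merge_pam_env(env, 8, pam);
    for (int i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```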

Comment 2 Todd C. Miller 2013-09-30 09:33:42 MDT
Fixed in sudo 1.8.8, assuming pam is configured properly.

Comment 3 Tony B. 2013-11-18 09:18:53 MST
Hi,

It seems that the issue is not resolved.

The MAIL environment variable is still /var/mail/root, even if /etc/pam.d/sudo has the line you mentioned (i.e. pam_mail.so dir=~/Maildir).

What about lines 864-871 of plugins/sudoers/env.c?

Comment 4 Todd C. Miller 2013-11-18 09:42:35 MST
Works for me on Ubuntu 13.04.  Here's what my /etc/pam.d/sudo looks like:

#%PAM-1.0

# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen dir=~/Maildir debug

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so

$ sudo -s
# echo $MAIL
/root/Maildir

The pam_mail.so line will overwrite the default value for MAIL that was set by env.c.

Comment 5 Tony B. 2013-11-18 10:07:17 MST
Oops, I forgot to run configure with the argument --with-pam.

Sorry :)