Bug 805

Summary: Double sudo no longer sets USER environment variable
Product: Sudo Reporter: Marek Tamaskovic <mtamasko>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.20   
Hardware: PC   
OS: Linux   

Description Marek Tamaskovic 2017-09-25 05:56:10 MDT 
Description of problem:
When sudo is used to switch user, the environment variable USER is set with the new username. After the latest security patch, this appears to have broken when sudo is used twice in a row, eg userA sudos to userB, which then sudos to userC - after the final sudo the USER environment variable is still equal to userB not userC as expected.

This behaviour worked correctly on earlier patch versions of sudo on RHEL7

Version-Release number of selected component (if applicable):
sudo.x86_64 1.8.19p2-10.el7

How reproducible:
Completely reproducible

Steps to Reproduce:
1. On a system create 2 users, userA and userB. root will be used as the third user, but the specific users do not matter
2. Add the following to the sudoers file

userA ALL=(ALL) ALL

2. Login to the system as userA
3. Run the following commands as per actual results. Notice the final echo $USER outputs the wrong username. It doesn't seem to matter which users are used, as long as sudo is invoked twice.

Actual results:

[userA@system ~] echo $USER
usera
[userA@system ~] sudo -s
[root@system ~] echo $USER
root
[root@system ~] sudo -s -u userB
[userB@system ~] echo $USER
root


Expected results:
On a system with an older version of sudo the following is observed:

[userA@system ~] echo $USER
usera
[userA@system ~] sudo -s
[root@system ~] echo $USER
root
[root@system ~] sudo -s -u userB
[userB@system ~] echo $USER
userB


Additional info:
env_reset is set and env_keep does not contain USER as per the defaults in /etc/sudoers.
Comment 1 Todd C. Miller 2017-09-25 07:33:54 MDT 
It looks like this is due to RedHat adding USERNAME to env_keep in the default sudoers file you ship.
Comment 2 Todd C. Miller 2017-09-26 15:15:36 MDT 
Here's what is happening:

1) sudo is invoked without USERNAME set

2) sudo executes the other sudo command, setting LOGNAME, USER and USERNAME to the name of target user

3) the second sudo preserves USERNAME as per sudoers, which is set to the name of the user the first sudo ran as (root in your example)

4) sudo also preserves LOGNAME and USER to avoid having LOGNAME, USER and USERNAME be inconsistent.

Sudo is behaving as intended, though the behavior with respect to keeping LOGNAME, USER and USERNAME be consistent is not well documented.

It would probably be less surprising if sudo were to preserve USER and LOGNAME too if USERNAME is listed in env_keep.
Comment 3 Todd C. Miller 2018-08-30 12:52:33 MDT 
I'm considering removing the handling of the USERNAME environment variable in sudo 1.8.26.  It was added a long time ago when Fedora used to set USERNAME to the same value as LOGNAME and USER.

That's no longer the case and sshd doesn't set USERNAME either so I think it is safe for sudo to drop it as well.  This will make it possible to have more consistent handling of LOGNAME and USER in sudo.