Bugzilla – Bug 1019
Always set $HOME to the target user's home directory - causing issue
Last modified: 2022-02-10 07:32:11 MST
As we notice due to below option added in 1.8.26 Sudo version, we are experiencing issues with some sudo rules when updated from "Sudo version 1.7.4p6" to "1.8.26". Is there a way to disable this feature in sudoers config, as I have already tried below option, but that's not effective/working.

    Defaults env_keep += "HOME"

"Always set $HOME to the target user's home directory"

Your help/support is much appreciated as we have multiple servers pending for update due to this issue. Thanks.
I'm not sure why preserving HOME would not work. Here's what I see when I add that to sudoers:

    $ sudo -V
    Sudo version 1.8.26
    Sudoers policy plugin version 1.8.26
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.26

    $ sudo printenv | grep HOME
    HOME=/root

After adding:

    Defaults env_keep += "HOME"

    $ sudo printenv | grep HOME
    HOME=/home/millert

You should verify that the line:

    Defaults env_keep += "HOME"

occurs _after_ other Defaults lines that modify env_keep.

Can you share the output of "sudo -l" for an affected user as well as the output of "sudo printenv | grep HOME"?
Thank you for the reply, please find below details.

    # printenv|grep HOME   (output from root)
    HOME=/
    # su - xxxxx   (Below is my user level output, above is from root)
    $ printenv|grep HOME
    HOME=/users/xxxxx
    $ sudo -l
    Matching Defaults entries for XXXXX on YYYYYYYY:
        env_keep+=HOME, logfile=/var/adm/sudo.log, always_set_home
    User xxxxxx may run the following commands on YYYYYYY:
        (perf) NOPASSWD: /tmp/Abcdef*/test1.sh
    $

Below is the output from sudoers conf: (tried both ways keeping the original entry and now added the line at the end of line)

    # grep -i env /etc/sudoers
    ## You may wish to keep some of the following environment variables
    # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
    # Defaults env_keep += "HOME"
    # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
    # Defaults env_keep += "QTDIR KDEDIR"
    # Defaults env_keep += "XDG_SESSION_COOKIE"
    # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
    Defaults env_keep += "HOME"
    #
    $ sudo -V
    Sudo version 1.8.26
    Sudoers policy plugin version 1.8.26
    Sudoers file grammar version 46
    Sudoers I/O plugin version 1.8.26
    $
You need to remove the "always_set_home" option from sudoers, that is what is setting HOME to the target user.
Thank you. I do not see any env variable in sudoers that is enabled to set 'always_set_home'

    >/# su - XXXXXX
    $ sudo -l
    Matching Defaults entries for XXXXXX on YYYYYYY:
        logfile=/var/adm/sudo.log, always_set_home
    User XXXXXX may run the following commands on YYYYYYY:
        (perf) NOPASSWD: /tmp/Abcdef*/test1.sh
    $

Also tried to disable the one which added 'Defaults env_keep += "HOME"' to see if 'always_set_home' disappears from sudo -l for my ID, still it's coming when I sudo -l from my ID. Not sure from where sudo is fetching the always_set_home. Please advise.

    >/# cat /etc/sudoers|grep -i home
    ## Run X applications through sudo; HOME is used to find the
    ## .Xauthority file. Note that other programs use HOME to find
    # Defaults env_keep += "HOME"
    #Defaults env_keep += "HOME"
    >/#
It may be set by default in your sudo binary, in which case you will need to explicitly disable it. Try adding:

    Defaults !always_set_home

to sudoers.
Still it's showing in sudo -l, not getting removed.

    / # cat /etc/sudoers|grep -i home
    ## Run X applications through sudo; HOME is used to find the
    ## .Xauthority file. Note that other programs use HOME to find
    # Defaults env_keep += "HOME"
    #Defaults env_keep += "HOME"
    Defaults !always_set_home
    / #
    / # su - XXXXXX
    $
    $
    $ sudo -l
    Matching Defaults entries for XXXXXX on YYYYYYY:
        !always_set_home, logfile=/var/adm/sudo.log, always_set_home
    User XXXXXX may run the following commands on YYYYYYY:
        (perf) NOPASSWD: /tmp/Abcdef*/test1
    $ exit
    / #
That indicates that always_set_home is being set later on. Are there any include files that could be setting it?
As shown below, I do not see anything in the sudoers file locally in the server.

    / # cat /etc/sudoers|grep -i include
    ## Groups of machines. These may include host names (optionally with wildcards),
    #includedir /etc/sudoers.d
    / # cd /etc/sudoers.d
    /etc/sudoers.d # ls -ltr
    total 0
    /etc/sudoers.d #
Sorry, I don't see how always_set_home could be enabled unless there is a line in sudoers that explicitly sets it. You could move the:

    Defaults !always_set_home

line to the very end of the sudoers file and see if that changes the behavior.
I still see the same behavior (always_set_home is not getting removed or unable to overwrite this parameter)

    / # cat /etc/sudoers|tail
    Defaults !always_set_home
    / #
    / # su - XXXXXX
    $ sudo -l
    Matching Defaults entries for XXXXXX on YYYYYYY:
        !always_set_home, logfile=/var/adm/sudo.log, always_set_home
    User XXXXXX may run the following commands on YYYYYYY:
        (perf) NOPASSWD: /tmp/Abcdef*/test1
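
Added example, not part of the original thread and not sudo's own code: a way to read the "Matching Defaults entries" line that keeps recurring above, applying the entries in listed order so that a later entry overrides an earlier one (the reading given in the "being set later on" comment). The function names and the re-wrapped sample text are constructed for illustration.

```python
import re

# Constructed sample: the `sudo -l` text quoted in the last comment, re-wrapped.
SAMPLE = """Matching Defaults entries for XXXXXX on YYYYYYY:
    !always_set_home, logfile=/var/adm/sudo.log, always_set_home

User XXXXXX may run the following commands on YYYYYYY:
    (perf) NOPASSWD: /tmp/Abcdef*/test1
"""

def defaults_entries(sudo_l_output):
    """Return the 'Matching Defaults entries' items from `sudo -l`, in listed order."""
    m = re.search(r"Matching Defaults entries for .*?:\s*(.*?)(?=^User |\Z)",
                  sudo_l_output, re.S | re.M)
    if not m:
        return []
    body = " ".join(m.group(1).split())          # undo line wrapping
    # Split on commas that are not inside a double-quoted value.
    return [e.strip() for e in re.findall(r'(?:[^,"]|"[^"]*")+', body) if e.strip()]

def effective(entries):
    """Apply entries in order (assumption: a later entry wins).

    Returns (state, overridden); overridden lists (name, old, new) for every
    setting that an entry further along the line changed.
    """
    state, overridden = {}, []
    for entry in entries:
        m = re.match(r"(!?)(\w+)\s*([+-]?=)?\s*(.*)", entry)
        if not m:
            continue
        neg, name, op, val = m.groups()
        if op in ("+=", "-="):                   # list edits accumulate
            prev = state.get(name)
            state[name] = (prev if isinstance(prev, list) else []) + [op + val]
            continue
        new = val if op else not neg             # "flag" -> True, "!flag" -> False
        if name in state and state[name] != new:
            overridden.append((name, state[name], new))
        state[name] = new
    return state, overridden

if __name__ == "__main__":
    state, overridden = effective(defaults_entries(SAMPLE))
    for name, old, new in overridden:
        print(f"{name}: {old!r} overridden by later entry -> {new!r}")
    print("always_set_home in effect:", state.get("always_set_home"))
```

On the sample it reports that `!always_set_home` is overridden by the `always_set_home` entry that follows it, so HOME would still be reset to the target user's home directory.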