Bugzilla – Bug 430
env_reset / always_set_home regression
Last modified: 2010-08-18 19:15:45 MDT
NB: I have read UPGRADE and this change in behaviour is not described therein. It looks very much like a regression.

I updated sudo from 1.7.3 to 1.7.4p2 (1.7.4.2_1 in FreeBSD Ports) and encountered a behaviour regression. My sudoers contained:

    Defaults !env_reset,always_set_home

i.e. don't reset the env, but do always set HOME. This achieved the security position I wanted, and which the recent changes appear to have been focused towards.

With 1.7.3, this worked. With 1.7.4p2, HOME is no longer set, and so the update has resulted in a behaviour regression (with security impact).
The HOME variable is being set but the old value is not being overwritten so you end up with two HOME variables in the environment. I've attached a patch that fixes this,
Created attachment 286: Fix for duplicate HOME when always_reset_home and !env_reset
Oh indeed. The shell is de-duping and so for zsh, the original is kept, whereas FreeBSD /bin/sh is keeping the new value. Ugh. sudo /usr/bin/env proves it; thanks for the speedy diagnosis! Patch confirmed to work for me.
Fixed in sudo 1.7.4p3, available now.
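The duplicate-HOME behaviour diagnosed in this thread, as an added example that is not sudo's code and not the attached patch: appending a second HOME entry leaves the effective value up to whether the consumer keeps the first or the last match, while an overwriting setter leaves exactly one. The function names and the sample environments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

static int is_var(const char *e, const char *name, size_t n)
{
    return strncmp(e, name, n) == 0 && e[n] == '=';
}
/* Value a consumer sees if it keeps the first (last=0) or last (last=1) match. */
static const char *env_lookup(const char **envp, const char *name, int last)
{
    const char *val = NULL;
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (is_var(*envp, name, n) && (val == NULL || last))
            val = *envp + n + 1;
    return val;
}
/* Naive setter: appends "NAME=value" without checking for an existing entry. */
static void env_append(const char **envp, const char *entry)
{
    while (*envp != NULL)
        envp++;
    envp[0] = entry;
    envp[1] = NULL;
}
/* Overwriting setter: entry takes the first match's slot, later matches are dropped.
 * The array needs one spare slot in case NAME is not present yet. */
static void env_set_unique(const char **envp, const char *entry)
{
    size_t n = strcspn(entry, "=");   /* length of the NAME part */
    const char **dst = envp;
    int placed = 0;
    for (; *envp != NULL; envp++)
        if (!is_var(*envp, entry, n))
            *dst++ = *envp;           /* unrelated variable: keep */
        else if (!placed++)
            *dst++ = entry;           /* first match: overwrite, later ones: skip */
    if (!placed)
        *dst++ = entry;
    *dst = NULL;
}

int main(void)
{
    const char *naive[8] = {"PATH=/bin", "HOME=/home/alice", "TERM=xterm", NULL}; /* constructed */
    const char *fixed[8] = {"HOME=/home/alice", "PATH=/bin", "HOME=/tmp", NULL};  /* constructed */
    env_append(naive, "HOME=/root");
    env_set_unique(fixed, "HOME=/root");
    printf("append: first=%s last=%s\n", env_lookup(naive, "HOME", 0), env_lookup(naive, "HOME", 1));
    printf("unique: first=%s last=%s\n", env_lookup(fixed, "HOME", 0), env_lookup(fixed, "HOME", 1));
    return 0;
}
```

On a live system, running `sudo /usr/bin/env` as done in the thread shows whether HOME appears more than once.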