Bug 805 – Double sudo no longer sets USER environment variable

Bug 805 - Double sudo no longer sets USER environment variable


Summary:	Double sudo no longer sets USER environment variable

Status:	RESOLVED FIXED

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.8.20
Hardware:	PC Linux

Importance:	low normal
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-09-25 05:56 MDT by Marek Tamaskovic
Modified:	2018-08-30 12:52 MDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marek Tamaskovic 2017-09-25 05:56:10 MDT

Description of problem:
When sudo is used to switch user, the environment variable USER is set with the new username. After the latest security patch, this appears to have broken when sudo is used twice in a row, eg userA sudos to userB, which then sudos to userC - after the final sudo the USER environment variable is still equal to userB not userC as expected.

This behaviour worked correctly on earlier patch versions of sudo on RHEL7

Version-Release number of selected component (if applicable):
sudo.x86_64 1.8.19p2-10.el7

How reproducible:
Completely reproducible

Steps to Reproduce:
1. On a system create 2 users, userA and userB. root will be used as the third user, but the specific users do not matter
2. Add the following to the sudoers file

userA ALL=(ALL) ALL

2. Login to the system as userA
3. Run the following commands as per actual results. Notice the final echo $USER outputs the wrong username. It doesn't seem to matter which users are used, as long as sudo is invoked twice.

Actual results:

[userA@system ~] echo $USER
usera
[userA@system ~] sudo -s
[root@system ~] echo $USER
root
[root@system ~] sudo -s -u userB
[userB@system ~] echo $USER
root


Expected results:
On a system with an older version of sudo the following is observed:

[userA@system ~] echo $USER
usera
[userA@system ~] sudo -s
[root@system ~] echo $USER
root
[root@system ~] sudo -s -u userB
[userB@system ~] echo $USER
userB


Additional info:
env_reset is set and env_keep does not contain USER as per the defaults in /etc/sudoers.

Comment 1 Todd C. Miller 2017-09-25 07:33:54 MDT

It looks like this is due to RedHat adding USERNAME to env_keep in the default sudoers file you ship.

Comment 2 Todd C. Miller 2017-09-26 15:15:36 MDT

Here's what is happening:

1) sudo is invoked without USERNAME set

2) sudo executes the other sudo command, setting LOGNAME, USER and USERNAME to the name of target user

3) the second sudo preserves USERNAME as per sudoers, which is set to the name of the user the first sudo ran as (root in your example)

4) sudo also preserves LOGNAME and USER to avoid having LOGNAME, USER and USERNAME be inconsistent.

Sudo is behaving as intended, though the behavior with respect to keeping LOGNAME, USER and USERNAME be consistent is not well documented.

It would probably be less surprising if sudo were to preserve USER and LOGNAME too if USERNAME is listed in env_keep.

Comment 3 Todd C. Miller 2018-08-30 12:52:33 MDT

I'm considering removing the handling of the USERNAME environment variable in sudo 1.8.26.  It was added a long time ago when Fedora used to set USERNAME to the same value as LOGNAME and USER.

That's no longer the case and sshd doesn't set USERNAME either so I think it is safe for sudo to drop it as well.  This will make it possible to have more consistent handling of LOGNAME and USER in sudo.