diff --git a/WHATSNEW b/WHATSNEW index 38e16b463..562688a4b 100644 --- a/WHATSNEW +++ b/WHATSNEW @@ -42,9 +42,14 @@ What's new in Sudo 1.7.4? more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). - * If env_reset is enabled in sudoers (the default), sudo will now set - the MAIL environment variable based on the target user unless MAIL is - explicitly preserved in sudoers. Previously MAIL was passed unchanged. + * The HOME and MAIL environment variables are now reset based on the + target user's password database entry when the env_reset sudoers option + is enabled (which is the case in the default configuration). Users + wishing to preserve the original values should use a sudoers entry like: + Defaults env_keep += HOME + to preserve the old value of HOME and + Defaults env_keep += MAIL + to preserve the old value of MAIL. What's new in Sudo 1.7.3? diff --git a/doc/UPGRADE b/doc/UPGRADE index 3e049d226..cde28f2a8 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE @@ -10,6 +10,15 @@ o Upgrading from a version prior to 1.7.4: system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this. + The HOME and MAIL environment variables are now reset based on the + target user's password database entry when the env_reset sudoers option + is enabled (which is the case in the default configuration). Users + wishing to preserve the original values should use a sudoers entry like: + Defaults env_keep += HOME + to preserve the old value of HOME and + Defaults env_keep += MAIL + to preserve the old value of MAIL. + o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0, comments in the sudoers file must not diff --git a/doc/sudo.cat b/doc/sudo.cat index cc56f8bf6..021941a9d 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat 
@@ -186,10 +186,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -H The --HH (_H_O_M_E) option requests that the security policy set the HOME environment variable to the home directory of the target user (root by default) as specified by the password - database. + database. Depending on the policy, this may be the default + behavior. -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message - and exit. @@ -202,6 +202,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + and exit. + -i [command] The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell specified by the password database entry of the target user @@ -254,8 +256,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) messages and exit. -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. By - default, the _s_u_d_o_e_r_s policy will initialize the group @@ -268,6 +268,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + preserve the invoking user's group vector unaltered. By + default, the _s_u_d_o_e_r_s policy will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. @@ -320,8 +322,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) role. -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the - --ll option to specify the user whose privileges should be - listed. The security policy may restrict listing other @@ -334,6 +334,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + --ll option to specify the user whose privileges should be + listed. The security policy may restrict listing other users' privileges. The _s_u_d_o_e_r_s policy only allows root or a user with the ALL privilege on the current host to use this option. @@ -389,8 +391,6 @@ PPLLUUGGIINNSS - - 1.8.0b1 July 19, 2010 6 
@@ -484,9 +484,10 @@ EENNVVIIRROONNMMEENNTT MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set to the mail spool of the target user - HOME In --ii, --ss or --HH mode (or if sudo was configured with - the --enable-shell-sets-home option), set to homedir of - the target user + HOME Set to the home directory of the target user if --ii or + --HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set + in _s_u_d_o_e_r_s, or when the --ss option is specified and + _s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s PATH May be overridden by the security policy. @@ -522,7 +523,6 @@ FFIILLEESS - 1.8.0b1 July 19, 2010 8 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index fd28e459e..fc9aeb373 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -345,6 +345,7 @@ root). In either case, the primary group will be set to \fIgroup\fR. The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target user (root by default) as specified by the password database. +Depending on the policy, this may be the default behavior. .IP "\-h" 12 .IX Item "-h" The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. @@ -605,8 +606,10 @@ to the mail spool of the target user .ie n .IP "\*(C`HOME\*(C'" 16 .el .IP "\f(CW\*(C`HOME\*(C'\fR" 16 .IX Item "HOME" -In \fB\-i\fR, \fB\-s\fR or \fB\-H\fR mode (or if sudo was configured with the -\&\-\-enable\-shell\-sets\-home option), set to homedir of the target user +Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are +specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR, +or when the \fB\-s\fR option is specified and \fIset_home\fR is set in +\&\fIsudoers\fR .ie n .IP "\*(C`PATH\*(C'" 16 .el .IP "\f(CW\*(C`PATH\*(C'\fR" 16 .IX Item "PATH" diff --git a/doc/sudo.pod b/doc/sudo.pod index 918c02947..f138679cc 100644 --- a/doc/sudo.pod 
+++ b/doc/sudo.pod @@ -225,6 +225,7 @@ root). In either case, the primary group will be set to I. The B<-H> (I) option requests that the security policy set the C environment variable to the home directory of the target user (root by default) as specified by the password database. +Depending on the policy, this may be the default behavior. =item -h @@ -505,8 +506,10 @@ to the mail spool of the target user =item C -In B<-i>, B<-s> or B<-H> mode (or if sudo was configured with the ---enable-shell-sets-home option), set to homedir of the target user +Set to the home directory of the target user if B<-i> or B<-H> are +specified, I or I are set in I, +or when the B<-s> option is specified and I is set in +I =item C diff --git a/doc/sudoers.cat b/doc/sudoers.cat index d1260dcda..7d2c664f1 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -706,18 +706,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS BBoooolleeaann FFllaaggss: - always_set_home If set, ssuuddoo will set the HOME environment variable to - the home directory of the target user (which is root + always_set_home If enabled, ssuuddoo will set the HOME environment variable + to the home directory of the target user (which is root unless the --uu option is used). This effectively means - that the --HH option is always implied. This flag is _o_f_f - by default. + that the --HH option is always implied. Note that HOME + is already set when the the _e_n_v___r_e_s_e_t option is + enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for + configurations where _e_n_v___r_e_s_e_t is disabled. This flag + is _o_f_f by default. authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via - the PASSWD and NOPASSWD tags. This flag is _o_n by - default. - 
@@ -730,6 +730,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the PASSWD and NOPASSWD tags. This flag is _o_n by + default. + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo @@ -781,9 +784,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you - would use myhost.mydomain.edu. You may still use the - short form if you wish (and even mix the two). Beware - that turning on _f_q_d_n requires ssuuddoo to make DNS lookups @@ -796,6 +796,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups which may make ssuuddoo unusable if DNS stops working (for example if the machine is not plugged into the network). Also note that you must use the host's @@ -847,9 +850,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) does not enter the correct password. This flag is _o_f_f by default. - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user exists in the _s_u_d_o_e_r_s file, but is not - allowed to run commands on the current host. This flag @@ -862,6 +862,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user exists in the _s_u_d_o_e_r_s file, but is not + allowed to run commands on the current host. This flag is _o_f_f by default. mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the 
@@ -914,9 +917,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) able to determine the length of the password being entered. This flag is _o_f_f by default. - requiretty If set, ssuuddoo will only run when the user is logged in - to a real tty. When this flag is set, ssuuddoo can only be - 1.8.0b1 July 19, 2010 14 @@ -928,6 +928,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + requiretty If set, ssuuddoo will only run when the user is logged in + to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by default. @@ -950,11 +952,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) instead of the password of the invoking user. This flag is _o_f_f by default. - set_home If set and ssuuddoo is invoked with the --ss option the HOME - environment variable will be set to the home directory - of the target user (which is root unless the --uu option - is used). This effectively makes the --ss option imply - --HH. This flag is _o_f_f by default. + set_home If enabled and ssuuddoo is invoked with the --ss option the + HOME environment variable will be set to the home + directory of the target user (which is root unless the + --uu option is used). This effectively makes the --ss + option imply --HH. Note that HOME is already set when + the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is + only effective for configurations where _e_n_v___r_e_s_e_t is + disabled. This flag is _o_f_f by default. set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME environment variables to the name of the target user 
@@ -977,11 +982,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) shell_noargs If set and ssuuddoo is invoked with no arguments it acts as if the --ss option had been given. That is, it runs a - shell as root (the shell is determined by the SHELL - environment variable if it is set, falling back on the - shell listed in the invoking user's /etc/passwd entry - if not). This flag is _o_f_f by default. - @@ -994,6 +994,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + shell as root (the shell is determined by the SHELL + environment variable if it is set, falling back on the + shell listed in the invoking user's /etc/passwd entry + if not). This flag is _o_f_f by default. + stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by default). This option changes that behavior such that @@ -1043,11 +1048,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Normally, ssuuddoo uses a directory in the ticket dir with the same name as the user running it. With this flag enabled, ssuuddoo will use a file named for the tty the - user is logged in on in that directory. This flag is - _o_f_f by default. - - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s - without modification. This makes it possible to @@ -1060,6 +1060,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + user is logged in on in that directory. This flag is + _o_f_f by default. + + umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + without modification. This makes it possible to specify a more permissive umask in _s_u_d_o_e_r_s than the user's own umask and matches historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to 
@@ -1109,11 +1114,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) passwd_timeout Number of minutes before the ssuuddoo password prompt times out, or 0 for no timeout. The timeout may include a - fractional component if minute granularity is - insufficient, for example 2.5. The default is 5. - - timestamp_timeout - Number of minutes that can elapse before ssuuddoo will ask @@ -1126,6 +1126,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + + timestamp_timeout + Number of minutes that can elapse before ssuuddoo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set @@ -1176,11 +1181,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) domain name (on if the machine's host name is fully qualified or the _f_q_d_n option is set) - %h expanded to the local host name without the domain - name - - %p expanded to the user whose password is being asked - 1.8.0b1 July 19, 2010 18 @@ -1192,6 +1192,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + %h expanded to the local host name without the domain + name + + %p expanded to the user whose password is being asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) @@ -1242,10 +1246,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a helper program used to read the user's password when no - terminal is available. This may be the case when ssuuddoo is - executed from a graphical (as opposed to text-based) - application. The program specified by _a_s_k_p_a_s_s should - display the argument passed to it as the prompt and write 
@@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + terminal is available. This may be the case when ssuuddoo is + executed from a graphical (as opposed to text-based) + application. The program specified by _a_s_k_p_a_s_s should + display the argument passed to it as the prompt and write the user's password to the standard output. The value of _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment variable. @@ -1308,10 +1312,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) lecture_file Path to a file containing an alternate ssuuddoo lecture that - will be used in place of the standard lecture if the named - file exists. By default, ssuuddoo uses a built-in lecture. - - listpw This option controls when a password will be required when @@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + will be used in place of the standard lecture if the named + file exists. By default, ssuuddoo uses a built-in lecture. + + listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll option. It has the following possible values: @@ -1374,10 +1378,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to local2. - verifypw This option controls when a password will be required when - a user runs ssuuddoo with the --vv option. It has the following - possible values: - @@ -1390,6 +1390,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + verifypw This option controls when a password will be required when + a user runs ssuuddoo with the --vv option. It has the following + possible values: + all All the user's _s_u_d_o_e_r_s entries for the current host must have the NOPASSWD flag set to avoid entering a password. 
@@ -1440,10 +1444,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment - ssuuddoo-spawned processes will receive. The argument may - be a double-quoted, space-separated list or a single - value without double-quotes. The list can be replaced, - added to, deleted from, or disabled by using the =, +=, @@ -1456,6 +1456,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + ssuuddoo-spawned processes will receive. The argument may + be a double-quoted, space-separated list or a single + value without double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when ssuuddoo is run by root with the _-_V option. @@ -1506,10 +1510,6 @@ EEXXAAMMPPLLEESS Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns @@ -1522,6 +1522,10 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification @@ -1573,10 +1577,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on - any host but they must authenticate themselves first (since the entry - lacks the NOPASSWD tag). - 1.8.0b1 July 19, 2010 24 
@@ -1588,6 +1588,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + any host but they must authenticate themselves first (since the entry + lacks the NOPASSWD tag). + jack CSNETS = ALL The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias @@ -1638,10 +1642,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Users in the sseeccrreettaarriieess netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands - on all machines. - - fred ALL = (DB) NOPASSWD: ALL - @@ -1654,6 +1654,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + on all machines. + + fred ALL = (DB) NOPASSWD: ALL + The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. @@ -1705,10 +1709,6 @@ SSEECCUURRIITTYY NNOOTTEESS bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or - use a shell escape from an editor or other program. Therefore, these - 1.8.0b1 July 19, 2010 26 @@ -1720,6 +1720,9 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). @@ -1772,9 +1775,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS If the resulting output contains a line that begins with: - File containing dummy exec functions: - - 1.8.0b1 July 19, 2010 27 
@@ -1786,6 +1786,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + File containing dummy exec functions: + then ssuuddoo may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know @@ -1838,8 +1840,6 @@ SSEECCUURRIITTYY NNOOTTEESS writable directory. On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time - stamps that date from before the machine booted. - @@ -1852,6 +1852,8 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + stamps that date from before the machine booted. + Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with ssuuddoo after authenticating, logout, login again, and run @@ -1907,8 +1909,6 @@ DDIISSCCLLAAIIMMEERR - - 1.8.0b1 July 19, 2010 29 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index e78f195b4..c77b27ff2 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -828,9 +828,12 @@ grouped by type, are listed below. \&\fBBoolean Flags\fR: .IP "always_set_home" 16 .IX Item "always_set_home" -If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home -directory of the target user (which is root unless the \fB\-u\fR option is used). -This effectively means that the \fB\-H\fR option is always implied. +If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the +home directory of the target user (which is root unless the \fB\-u\fR +option is used). This effectively means that the \fB\-H\fR option is +always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the +\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only +effective for configurations where \fIenv_reset\fR is disabled. This flag is \fIoff\fR by default. .IP "authenticate" 16 .IX Item "authenticate" 
@@ -1021,10 +1024,13 @@ If set, \fBsudo\fR will prompt for the password of the user defined by the password of the invoking user. This flag is \fIoff\fR by default. .IP "set_home" 16 .IX Item "set_home" -If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR +If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR environment variable will be set to the home directory of the target user (which is root unless the \fB\-u\fR option is used). This effectively -makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default. +makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already +set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is +only effective for configurations where \fIenv_reset\fR is disabled. +This flag is \fIoff\fR by default. .IP "set_logname" 16 .IX Item "set_logname" Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR diff --git a/doc/sudoers.pod b/doc/sudoers.pod index d9c202bc3..83319a94d 100644 --- a/doc/sudoers.pod +++ b/doc/sudoers.pod @@ -689,9 +689,12 @@ B: =item always_set_home -If set, B will set the C environment variable to the home -directory of the target user (which is root unless the B<-u> option is used). -This effectively means that the B<-H> option is always implied. +If enabled, B will set the C environment variable to the +home directory of the target user (which is root unless the B<-u> +option is used). This effectively means that the B<-H> option is +always implied. Note that C is already set when the the +I option is enabled, so I is only +effective for configurations where I is disabled. This flag is I by default. =item authenticate 
@@ -910,10 +913,13 @@ password of the invoking user. This flag is I by default. =item set_home -If set and B is invoked with the B<-s> option the C +If enabled and B is invoked with the B<-s> option the C environment variable will be set to the home directory of the target user (which is root unless the B<-u> option is used). This effectively -makes the B<-s> option imply B<-H>. This flag is I by default. +makes the B<-s> option imply B<-H>. Note that C is already +set when the the I option is enabled, so I is +only effective for configurations where I is disabled. +This flag is I by default. =item set_logname diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c index f2006bc08..bfae6a1b7 100644 --- a/plugins/sudoers/env.c +++ b/plugins/sudoers/env.c @@ -193,7 +193,6 @@ static const char *initial_checkenv_table[] = { static const char *initial_keepenv_table[] = { "COLORS", "DISPLAY", - "HOME", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", @@ -416,6 +415,7 @@ rebuild_env(int noexec) char **old_envp, **ep, *cp, *ps1; char idbuf[MAX_UID_T_LEN]; unsigned int didvar; + int reset_home = FALSE; /* * Either clean out the environment or reset to a safe default. @@ -430,6 +430,9 @@ rebuild_env(int noexec) memset(env.envp, 0, env.env_size * sizeof(char *)); #endif if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) { + /* Reset HOME based on target user unless keeping old value. */ + reset_home = TRUE; + /* Pull in vars we want to keep from the old environment. */ for (ep = old_envp; *ep; ep++) { int keepit; @@ -498,7 +501,6 @@ rebuild_env(int noexec) * on sudoers options). */ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { - sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME)); sudo_setenv("SHELL", runas_pw->pw_shell, ISSET(didvar, DID_SHELL)); sudo_setenv("LOGNAME", runas_pw->pw_name, ISSET(didvar, DID_LOGNAME)); 
@@ -506,8 +508,6 @@ rebuild_env(int noexec) sudo_setenv("USERNAME", runas_pw->pw_name, ISSET(didvar, DID_USERNAME)); } else { - if (!ISSET(didvar, DID_HOME)) - sudo_setenv("HOME", user_dir, FALSE); if (!ISSET(didvar, DID_SHELL)) sudo_setenv("SHELL", sudo_user.pw->pw_shell, FALSE); if (!ISSET(didvar, DID_LOGNAME)) @@ -530,6 +530,13 @@ rebuild_env(int noexec) sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE); } } else { + /* Reset HOME based on target user if configured to. */ + if (ISSET(sudo_mode, MODE_RUN)) { + if (def_always_set_home || ISSET(sudo_mode, MODE_RESET_HOME) || + (ISSET(sudo_mode, MODE_SHELL) && def_set_home)) + reset_home = TRUE; + } + /* * Copy environ entries as long as they don't match env_delete or * env_check. @@ -569,8 +576,7 @@ rebuild_env(int noexec) } /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ - /* XXX - not needed for MODE_LOGIN_SHELL */ - if (def_set_logname && runas_pw->pw_name) { + if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL)) { if (!ISSET(didvar, KEPT_LOGNAME)) sudo_setenv("LOGNAME", runas_pw->pw_name, TRUE); if (!ISSET(didvar, KEPT_USER)) @@ -579,14 +585,9 @@ rebuild_env(int noexec) sudo_setenv("USERNAME", runas_pw->pw_name, TRUE); } - /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */ - /* XXX - not needed for MODE_LOGIN_SHELL */ - if (runas_pw->pw_dir) { - if (ISSET(sudo_mode, MODE_RESET_HOME) || - (ISSET(sudo_mode, MODE_RUN) && (def_always_set_home || - (ISSET(sudo_mode, MODE_SHELL) && def_set_home)))) - sudo_setenv("HOME", runas_pw->pw_dir, TRUE); - } + /* Set $HOME to target user if not preserving user's value. */ + if (reset_home && !ISSET(didvar, KEPT_HOME)) + sudo_setenv("HOME", runas_pw->pw_dir, ISSET(didvar, DID_HOME)); /* Provide default values for $TERM and $PATH if they are not set. */ if (!ISSET(didvar, DID_TERM))
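Review bot: The third argument to sudo_setenv in the final HOME assignment of hunk @@ -579, `ISSET(didvar, DID_HOME)`, only reflects the env_reset keep loop; on the else path of hunk @@ -530 the inherited HOME entry is copied by the environ loop, and unless that loop sets DID_HOME (it lies outside the hunk, and the removed code passed TRUE unconditionally here) sudo_setenv runs without a duplicate check and presumably appends a second `HOME=` behind the inherited one. Which of two `HOME=` entries the command then sees depends on the C library's getenv, so the invoking user's value can survive exactly the `-H`, always_set_home and set_home cases this assignment exists to override. The removed `if (runas_pw->pw_dir)` guard is also not carried over, so a target entry with a NULL home directory now reaches sudo_setenv unless the passwd cache guarantees that field. Suggest `if (reset_home && !ISSET(didvar, KEPT_HOME) && runas_pw->pw_dir != NULL)` followed by `sudo_setenv("HOME", runas_pw->pw_dir, TRUE);`. rebuild_env continues past this hunk.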