[sudo-users] Unexpected Behavior with env_reset, sudo -E, and NOPASSWD
Chris Hiestand
chiestand at salk.edu
Mon Feb 4 21:14:43 EST 2013
I'm by no means an expert on sudo, but I perceive this behavior to be odd.
Can someone please either explain to me what is happening, or verify there is a bug?
This environment has sudo 1.8.5p2-1 on Debian Wheezy.
sudoers 1 (the complete two-line file):
> Defaults env_reset
> %sudo ALL=(ALL) ALL
Behavior 1:
> #admin is a member of %sudo
> admin at test:/tmp$ sudo -E ls /bin/bash
> /bin/bash
Question 1, regarding this scenario:
Should sudo allow the command to run with -E even though SETENV and setenv have not been specified in sudoers? I would guess not.
sudoers 2 (3 lines total):
> Defaults env_reset
> %sudo ALL=(ALL) ALL
> %sudo ALL=(root) NOPASSWD: /bin/ls
Behavior 2:
> admin at test:/tmp$ sudo -E ls /bin/bash
> sudo: sorry, you are not allowed to preserve the environment
Question 2, regarding sudoers 2:
Why should NOPASSWD silently imply NOSETENV? So it seems like something about NOPASSWD actually fixes the broken behavior in sudoers 1.
sudoers 3 (4 lines total):
> Defaults env_reset
> %sudo ALL=(ALL) ALL
> %sudo ALL=(root) NOPASSWD: /bin/ls
> %sudo ALL=(root) SETENV: /bin/ls
Behavior 3:
> admin at test:/tmp$ sudo -E ls /bin/bash
> /bin/bash
Comment 3:
At least this behavior was expected.
Thanks. For reference, here is the output of sudo -V:
> Sudo version 1.8.5p2
> Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-timedir=/var/lib/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-selinux
> Sudoers policy plugin version 1.8.5p2
> Sudoers file grammar version 41
>
> Sudoers path: /etc/sudoers
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Require fully-qualified hostnames in the sudoers file
> Visudo will honor the EDITOR environment variable
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 15.0 minutes
> Password prompt timeout: 0.0 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Path to mail program: /usr/sbin/sendmail
> Flags for mail program: -t
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/lib/sudo
> Default password prompt: [sudo] password for %p:
> Default user to run commands as: root
> Path to the editor for use by visudo: /usr/bin/editor
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> File descriptors >= 3 will be closed before executing a command
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
> TERM
> LINGUAS
> LC_*
> LANGUAGE
> LANG
> COLORTERM
> Environment variables to remove:
> RUBYOPT
> RUBYLIB
> PYTHONUSERBASE
> PYTHONINSPECT
> PYTHONPATH
> PYTHONHOME
> TMPPREFIX
> ZDOTDIR
> READNULLCMD
> NULLCMD
> FPATH
> PERL5DB
> PERL5OPT
> PERL5LIB
> PERLLIB
> PERLIO_DEBUG
> JAVA_TOOL_OPTIONS
> SHELLOPTS
> GLOBIGNORE
> PS4
> BASH_ENV
> ENV
> TERMCAP
> TERMPATH
> TERMINFO_DIRS
> TERMINFO
> _RLD*
> LD_*
> PATH_LOCALE
> NLSPATH
> HOSTALIASES
> RES_OPTIONS
> LOCALDOMAIN
> CDPATH
> IFS
> Environment variables to preserve:
> XAUTHORIZATION
> XAUTHORITY
> TZ
> PS2
> PS1
> PATH
> LS_COLORS
> KRB5CCNAME
> HOSTNAME
> DISPLAY
> COLORS
> Locale to use while parsing sudoers: C
> Directory in which to store input/output logs: /var/log/sudo-io
> File in which to store the input/output log: %{seq}
> Add an entry to the utmp/utmpx file when allocating a pty
>
> Local IP address and netmask pairs:
> 192.168.1.3/255.255.255.0
>
> Sudoers I/O plugin version 1.8.5p2
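Added illustration, not taken from the post or from sudo's own sources: a small model of the two sudoers(5) rules that account for all three behaviours above, namely that the last matching entry wins and that a command of ALL implies the SETENV tag unless NOSETENV is given. It assumes only group, runas and command matching (host fields and Defaults lines are ignored), and the three sudoers files are constructed copies of the ones in the post.

```python
import re
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    group: str           # e.g. "%sudo"
    runas: str           # "ALL" or a user such as "root"
    tags: frozenset      # e.g. {"NOPASSWD", "SETENV"}
    command: str         # "ALL" or an absolute path

# Matches lines of the shape used in the post; hosts other than ALL are not modelled.
RULE_RE = re.compile(
    r"^(?P<group>%\w+)\s+ALL=\((?P<runas>\w+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)$")

def parse_sudoers(text: str) -> list:
    """Parse the sudoers subset used above; Defaults and comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Defaults", "#")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        tags = frozenset(t.strip() for t in m["tags"].split(":") if t.strip())
        rules.append(Rule(m["group"], m["runas"], tags, m["cmd"]))
    return rules

def may_preserve_env(rules, user_groups, runas, command) -> Optional[bool]:
    """True/False: whether `sudo -E command` is allowed; None: command not permitted at all."""
    verdict = None
    for r in rules:
        if r.group not in user_groups or r.runas not in ("ALL", runas):
            continue
        if r.command not in ("ALL", command):
            continue
        # Last matching entry wins. A command of ALL implies SETENV
        # unless the entry carries NOSETENV (sudoers(5)).
        if "NOSETENV" in r.tags:
            verdict = False
        else:
            verdict = "SETENV" in r.tags or r.command == "ALL"
    return verdict

# Constructed copies of the three sudoers files from the post.
SUDOERS_1 = "Defaults env_reset\n%sudo ALL=(ALL) ALL\n"
SUDOERS_2 = SUDOERS_1 + "%sudo ALL=(root) NOPASSWD: /bin/ls\n"
SUDOERS_3 = SUDOERS_2 + "%sudo ALL=(root) SETENV: /bin/ls\n"
```

Evaluating `may_preserve_env(parse_sudoers(SUDOERS_2), {"%sudo"}, "root", "/bin/ls")` returns False because the specific NOPASSWD entry for /bin/ls is the last match and carries no SETENV; the same call against SUDOERS_1 and SUDOERS_3 returns True.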