[sudo-users] Unexpected Behavior with env_reset, sudo -E, and NOPASSWD

Chris Hiestand chiestand at salk.edu
Mon Feb 4 21:14:43 EST 2013


I'm by no means an expert on sudo, but I perceive this behavior to be odd.
Can someone please either explain to me what is happening, or verify there is a bug?

This environment has sudo 1.8.5p2-1 on Debian Wheezy.


sudoers 1 (the complete two line file):

> Defaults  env_reset
> %sudo ALL=(ALL) ALL

Behavior 1:

> #admin is a member of %sudo
> admin@test:/tmp$ sudo -E ls /bin/bash
> /bin/bash

Question 1, regarding this scenario:
Should sudo allow the command to run with -E even though SETENV and setenv have not been specified in sudoers? I would guess not.




sudoers 2 (3 lines total):

> Defaults  env_reset
> %sudo ALL=(ALL) ALL
> %sudo ALL=(root) NOPASSWD: /bin/ls

Behavior 2:
> admin@test:/tmp$ sudo -E ls /bin/bash
> sudo: sorry, you are not allowed to preserve the environment

Question 2, regarding sudoers2:
Why should NOPASSWD silently imply NOSETENV? So it seems like something about NOPASSWD actually fixes the broken behavior in sudoers1.




sudoers 3 (4 lines total):

> Defaults  env_reset
> %sudo ALL=(ALL) ALL
> %sudo ALL=(root) NOPASSWD: /bin/ls
> %sudo ALL=(root) SETENV: /bin/ls

Behavior 3:
> admin@test:/tmp$ sudo -E ls /bin/bash
> /bin/bash

Comment 3:
At least this behavior was expected.


Thanks. For reference, here is the output of sudo -V:
> Sudo version 1.8.5p2
> Configure options: --prefix=/usr -v --with-all-insults --with-pam --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p:  --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-timedir=/var/lib/sudo --mandir=/usr/share/man --libexecdir=/usr/lib/sudo --with-selinux
> Sudoers policy plugin version 1.8.5p2
> Sudoers file grammar version 41
> 
> Sudoers path: /etc/sudoers
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Require fully-qualified hostnames in the sudoers file
> Visudo will honor the EDITOR environment variable
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 15.0 minutes
> Password prompt timeout: 0.0 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Path to mail program: /usr/sbin/sendmail
> Flags for mail program: -t
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/lib/sudo
> Default password prompt: [sudo] password for %p: 
> Default user to run commands as: root
> Path to the editor for use by visudo: /usr/bin/editor
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> File descriptors >= 3 will be closed before executing a command
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
> 	TERM
> 	LINGUAS
> 	LC_*
> 	LANGUAGE
> 	LANG
> 	COLORTERM
> Environment variables to remove:
> 	RUBYOPT
> 	RUBYLIB
> 	PYTHONUSERBASE
> 	PYTHONINSPECT
> 	PYTHONPATH
> 	PYTHONHOME
> 	TMPPREFIX
> 	ZDOTDIR
> 	READNULLCMD
> 	NULLCMD
> 	FPATH
> 	PERL5DB
> 	PERL5OPT
> 	PERL5LIB
> 	PERLLIB
> 	PERLIO_DEBUG 
> 	JAVA_TOOL_OPTIONS
> 	SHELLOPTS
> 	GLOBIGNORE
> 	PS4
> 	BASH_ENV
> 	ENV
> 	TERMCAP
> 	TERMPATH
> 	TERMINFO_DIRS
> 	TERMINFO
> 	_RLD*
> 	LD_*
> 	PATH_LOCALE
> 	NLSPATH
> 	HOSTALIASES
> 	RES_OPTIONS
> 	LOCALDOMAIN
> 	CDPATH
> 	IFS
> Environment variables to preserve:
> 	XAUTHORIZATION
> 	XAUTHORITY
> 	TZ
> 	PS2
> 	PS1
> 	PATH
> 	LS_COLORS
> 	KRB5CCNAME
> 	HOSTNAME
> 	DISPLAY
> 	COLORS
> Locale to use while parsing sudoers: C
> Directory in which to store input/output logs: /var/log/sudo-io
> File in which to store the input/output log: %{seq}
> Add an entry to the utmp/utmpx file when allocating a pty
> 
> Local IP address and netmask pairs:
> 	192.168.1.3/255.255.255.0
> 
> Sudoers I/O plugin version 1.8.5p2
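The three outcomes above follow from two rules in sudoers(5): when several entries match, the last one wins, and a matched command of ALL implies the SETENV tag unless NOSETENV is given. The model below is an added example, not part of the original post or of sudo's own code; it applies just those two rules to the three files and assumes away host matching, aliases, wildcards and the authentication timestamp cache.

```python
import re
from dataclasses import dataclass

# Grammar subset: "User Host=(Runas) [TAG: ...] Cmnd". Aliases, wildcards,
# NOEXEC and other tags are deliberately unsupported in this model.
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]+)\)\s+"
                  r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV):\s*)*)(?P<cmd>\S+)$")

@dataclass
class Rule:
    runas: str
    cmd: str
    nopasswd: bool
    setenv: bool

def parse_sudoers(text):
    """Parse Cmnd_Spec lines. Defaults and comments are skipped: env_reset
    decides what an allowed environment looks like, not whether -E is allowed."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % line)
        tags = m["tags"].replace(":", " ").split()
        # sudoers(5): a matched command of ALL implies SETENV unless NOSETENV is given
        setenv = "SETENV" in tags or ("NOSETENV" not in tags and m["cmd"] == "ALL")
        rules.append(Rule(m["runas"], m["cmd"], "NOPASSWD" in tags, setenv))
    return rules

def decide(sudoers, cmd, preserve_env=False, runas="root"):
    """Outcome of `sudo [-E] cmd` for a user matched by every rule's User/Host field.
    Returns 'denied', 'env_not_allowed', 'run:password' or 'run:nopasswd'."""
    match = None
    for rule in parse_sudoers(sudoers):
        if rule.runas in ("ALL", runas) and rule.cmd in ("ALL", cmd):
            match = rule            # sudoers(5): the LAST matching entry wins
    if match is None:
        return "denied"
    if preserve_env and not match.setenv:
        return "env_not_allowed"    # "sorry, you are not allowed to preserve the environment"
    return "run:nopasswd" if match.nopasswd else "run:password"

# The three files from the post, reconstructed inline so the model runs offline.
SUDOERS1 = "Defaults  env_reset\n%sudo ALL=(ALL) ALL\n"
SUDOERS2 = SUDOERS1 + "%sudo ALL=(root) NOPASSWD: /bin/ls\n"
SUDOERS3 = SUDOERS2 + "%sudo ALL=(root) SETENV: /bin/ls\n"

if __name__ == "__main__":
    for name, text in (("sudoers 1", SUDOERS1), ("sudoers 2", SUDOERS2), ("sudoers 3", SUDOERS3)):
        print(name, "sudo -E ls ->", decide(text, "/bin/ls", preserve_env=True))
```

In sudoers 2 the NOPASSWD line is simply the last entry matching /bin/ls, so the ALL rule (and its implied SETENV) no longer applies to that command; NOPASSWD itself never implies NOSETENV.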
