1

I came across some readings about how allowing environment variables to be passed to root when sudoing is a security concern. This led me to check my environment to make sure I had the proper setup.

I am on Ubuntu and have the default sudoers file which includes:

Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
...
%sudo   ALL=(ALL:ALL) ALL

From what I have read, it seems that the env_reset should strip out environment variables from the sudo session (unless overridden with env_keep or SETENV), but that does not seem to be happening.

$ sudo -u root echo $TERM
xterm-256color
$ export TERM=BLAH
$ sudo -u root echo $TERM
BLAH

This occurs with every environment variable I have tried. Is this a security concern? If so, how would I alleviate it? If not, why not (I was given to understand that someone could use this to tweak PATH to run malicious code as root)?

I do not have any files in my sudoers.d directory.

Edit:

It seems that the shell was expanding the variables before switching users in the example above. However, when I start an interactive shell, I get the same thing:

$ echo $TERM
xterm-256color
$ export TERM=BLAH
$ sudo -i
# echo $TERM
BLAH

When I run the above snippet with HOME or PATH, however, those variables are reset, which matches what I expect from the documentation.

The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options.

However, TERM is in that list, and you can see I was able to pass it to root, and it seems this works for other arbitrary variables as well.

1
  • Those variables listed in the sudoers documentation that you quote get a special treatment. I believe that TERM is actually preserved from the caller's environment. What is a bit surprising, and can't replicate on my end, is the preservation of other arbitrary variables as well. What result do you get if you run the following? export TEST=blah; sudo -i sh -c 'echo $TEST'
    – mesr
    Commented Jul 18, 2022 at 14:46
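To check a sudoers file for the settings discussed in this question, here is an added example (not from the question, the comments, or sudo itself): a POSIX sh function that reads the Defaults lines and reports whether env_reset is on, what secure_path is, and which variables env_keep lets through, warning about the ones that decide what code root ends up running. The files it audits are constructed: one copies the Ubuntu defaults quoted above, the other is a deliberately weakened variant. The names sudoers_env_audit, make_sample_sudoers and make_weak_sudoers are mine, and env_keep -= removals are not applied.

```shell
#!/bin/sh
# Added example, not code from the original question or from sudo.
# sudoers_env_audit FILE summarises the environment-handling Defaults
# in a sudoers-style file (sudoers.d fragments use the same syntax).

sudoers_env_audit() {
    file="$1"
    # Drop comments and keep only "Defaults" lines.
    defaults=$(sed -e 's/#.*//' "$file" | grep -E '^[[:space:]]*Defaults' || true)

    # "!env_reset" disables the reset; otherwise it is on (explicitly or by compiled-in default).
    if printf '%s\n' "$defaults" | grep -qE '(^|[[:space:],])!env_reset'; then
        echo "env_reset: DISABLED (caller's environment is passed through to the target user)"
    else
        echo "env_reset: enabled"
    fi

    # secure_path is the PATH root gets regardless of the caller's PATH.
    sp=$(printf '%s\n' "$defaults" | sed -n 's/.*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | tail -n 1)
    if [ -n "$sp" ]; then
        echo "secure_path: $sp"
    else
        echo "secure_path: not set (root inherits the caller's PATH)"
    fi

    # Collect every name listed on env_keep / env_keep += lines ("-=" removals are ignored here).
    keep=$(printf '%s\n' "$defaults" | sed -n 's/.*env_keep[[:space:]]*+\{0,1\}=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' | tr ' ' '\n' | grep -v '^$' | sort -u | tr '\n' ' ')
    if [ -z "$keep" ]; then
        echo "env_keep: (none)"
    else
        echo "env_keep: $keep"
        # Variables that change which program or library the target user runs.
        for v in $keep; do
            case "$v" in
                PATH|LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|BASH_ENV|ENV|PS4)
                    echo "WARNING: env_keep passes $v to the target user" ;;
            esac
        done
    fi
    return 0
}

make_sample_sudoers() {
    # Constructed copy of the Defaults lines quoted in the question.
    f=$(mktemp)
    cat > "$f" <<'EOF'
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF
    echo "$f"
}

make_weak_sudoers() {
    # Constructed counter-example: env_reset turned off and env_keep widened.
    f=$(mktemp)
    cat > "$f" <<'EOF'
Defaults        !env_reset
Defaults        env_keep += "TERM LD_PRELOAD"
Defaults        env_keep += "PATH"
%sudo   ALL=(ALL:ALL) ALL
EOF
    echo "$f"
}

# Audit both constructed files when run directly.
for sample in "$(make_sample_sudoers)" "$(make_weak_sudoers)"; do
    echo "== $sample"
    sudoers_env_audit "$sample"
    rm -f "$sample"
done
```

On a real system, run `sudoers_env_audit /etc/sudoers` as root (and repeat for each file under /etc/sudoers.d), or simply compare against `sudo -l`, whose "Matching Defaults entries" section shows the env_reset, env_keep and secure_path values that actually apply to your account.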

1 Answer 1

0

The interpretation of $TERM is being done by the parent shell, before sudo is even run, as you could see by prefacing your command with echo:

echo sudo echo $TERM

You could "escape" the $ with \ to delay interpretation one level:

sudo echo \$TERM

Read man sudo sudoers bash.

2
  • Yes, as noted in my edit, I realized that, but even with switching to a sudo shell, the value of TERM persists. I have read through the sudoers man page, and in fact linked it in my edit, and this question exists because what I see doesn't seem to match what is described. Commented Feb 23, 2022 at 18:43
  • The TERM environment variable is used as a key into a database of terminal characteristics (cursor movement, character colors, magic "escape" sequences, ...). It doesn't change when one becomes root - it's the same terminal (terminal emulator). In the old days, when serial terminals each had their own set of magic characters, and magic behaviors, TERM was more useful. If one subverts TERM, all you get is a poorly configured glass keypunch. Try TERM=something sudo echo \$TERM.
    – waltinator
    Commented Feb 23, 2022 at 21:36
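The expansion-order point made in this answer, as an added example that is not part of the original answer: since running sudo needs root, `env -i` stands in for env_reset (it starts the child with an empty environment), and a constructed variable DEMO_VAR plays the role of TERM. Each function shows what the child process actually sees under a different quoting style; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original answer. "env -i" models sudo's
# env_reset: the child starts with an empty environment, so anything it
# prints must have been expanded before the child ran or re-added to it.

export DEMO_VAR=from_caller   # constructed value standing in for TERM

# Unquoted or double-quoted: the CALLING shell substitutes $DEMO_VAR before
# env -i (or sudo) ever runs, so the child just echoes a literal string.
expanded_by_caller() {
    env -i sh -c "echo ${DEMO_VAR:-unset}"
}

# Single-quoted: the $ reaches the child, which resolves it against its own
# (emptied) environment.
expanded_by_child() {
    env -i sh -c 'echo ${DEMO_VAR:-unset}'
}

# Backslash-escaped, as the answer suggests: same effect as single quotes.
expanded_by_child_escaped() {
    env -i sh -c "echo \${DEMO_VAR:-unset}"
}

# The variable explicitly re-added, the way env_keep (or sudo's own
# handling of TERM) lets a chosen variable through the reset.
expanded_by_child_kept() {
    env -i DEMO_VAR="$DEMO_VAR" sh -c 'echo ${DEMO_VAR:-unset}'
}

echo "double-quoted : $(expanded_by_caller)"         # from_caller
echo "single-quoted : $(expanded_by_child)"          # unset
echo "escaped       : $(expanded_by_child_escaped)"  # unset
echo "kept          : $(expanded_by_child_kept)"     # from_caller
```

The same quoting rule applies verbatim to sudo: `sudo sh -c 'echo $TERM'` asks the target shell, while `sudo echo $TERM` asks your own. The "kept" case is why `sudo -i` still shows TERM even with env_reset on: the sudoers excerpt in the question lists TERM among the variables sudo re-adds to the new environment on its own.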
