I came across some readings about how allowing environment variables to be passed to root when sudoing is a security concern. This led me to check my environment to make sure I had the proper setup.
I am on Ubuntu and have the default sudoers file which includes:
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
...
%sudo ALL=(ALL:ALL) ALL
From what I have read, it seems that the env_reset should strip out environment variables from the sudo session (unless overridden with env_keep or SETENV), but that does not seem to be happening.
$ sudo -u root echo $TERM
xterm-256color
$ export TERM=BLAH
$ sudo -u root echo $TERM
BLAH
This occurs with every environment variable I have tried. Is this a security concern? If so, how would I alleviate it? If not, why not (I was given to understand that someone could use this to tweak PATH to run malicious code as root)?
I do not have any files in my sudoers.d directory.
Edit:
It seems that the shell was expanding the variables before switching users in the example above. However, when I start an interactive shell, I get the same thing:
$ echo $TERM
xterm-256color
$ export TERM=BLAH
$ sudo -i
# echo $TERM
BLAH
When I run the above snippet with HOME or PATH, however, those variables are reset, which matches what I expect from the documentation.
The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options.
However, TERM is in that list, and you can see I was able to pass it to root, and it seems this works for other arbitrary variables as well.
export TEST=blah; sudo -i sh -c 'echo $TEST'
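
A simplified model of the filtering that the quoted documentation describes, as an added example (not part of the original post and not sudo's own code). The function names, the sample invoking environment and the env_check list are assumptions made for illustration; on a real system the lists come from running `sudo -V` as root.

```python
import fnmatch

# secure_path value copied from the sudoers excerpt in the post.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

def is_safe(value):
    """env_check test from sudoers(5): the value may not contain '%' or '/'.
    (TZ has its own rule in sudoers and is not modelled here.)"""
    return "%" not in value and "/" not in value

def matches(name, patterns):
    """True if the variable name matches a list entry; '*' is a wildcard (LC_*)."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def reset_env(invoking, target_user, target_home, env_keep=(), env_check=()):
    """Hypothetical model of env_reset: start from a minimal environment,
    then copy in only what env_keep or env_check allows."""
    new = {
        "PATH": SECURE_PATH,      # replaced by secure_path, never inherited
        "HOME": target_home,      # initialised from the target user
        "LOGNAME": target_user,
        "USER": target_user,
    }
    for name, value in invoking.items():
        if name in new:
            continue              # caller's value is discarded
        if matches(name, env_keep):
            new[name] = value     # kept verbatim
        elif matches(name, env_check) and is_safe(value):
            new[name] = value     # kept only because the value passed the check
    return new

# Constructed invoking environment (sample data, not captured from a real host).
INVOKING = {
    "TERM": "BLAH",
    "PATH": "/home/alice/bin:/usr/bin",
    "HOME": "/home/alice",
    "TEST": "blah",
    "LC_ALL": "C.UTF-8",
    "COLORTERM": "../%s",
}
# Assumed env_check list for the demonstration.
ENV_CHECK = ("TERM", "LANG", "LC_*", "COLORTERM")

if __name__ == "__main__":
    for k, v in sorted(reset_env(INVOKING, "root", "/root", env_check=ENV_CHECK).items()):
        print(f"{k}={v}")
```

In this model a checked variable such as TERM survives with the caller's value as long as that value contains no `/` or `%`, while an unlisted variable such as TEST only survives if it is added to env_keep.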