Debian Bug report logs - #639841
sudo: secure_path change needs a NEWS entry


Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Bob Proulx <bob@proulx.com>

Date: Tue, 30 Aug 2011 19:48:02 UTC

Severity: normal

Found in version sudo/1.8.2-1

Fixed in version 1.8.2-2

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#639841; Package sudo. (Tue, 30 Aug 2011 19:48:05 GMT)

Acknowledgement sent to Bob Proulx <bob@proulx.com>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 30 Aug 2011 19:48:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Bob Proulx <bob@proulx.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: secure_path change needs a NEWS entry
Date: Tue, 30 Aug 2011 13:46:54 -0600
Package: sudo
Version: 1.8.2-1
Severity: normal

The latest version closes Bug#85123 and Bug#85917.  However the
resulting change in behavior of secure_path is significant and needs a
NEWS entry.  Most users with sudo installed will have a modified
/etc/sudoers file and will need to manually merge a secure_path entry
into the file.  If not then it will break anyone who already has a
customized /etc/sudoers file, fails to notice this change, and doesn't
merge in the new package maintainer's version when upgrading, and does
not include sbin paths in their user PATH.  At that point they will
have two problems.

1. If their user path did not include the /usr/sbin:/sbin directories
   then the sudo path won't either and commands such as apt will fail
   to find their utilities.  For example the following errors to make
   this found by search engines:
     dpkg: warning: 'ldconfig' not found in PATH or not executable.
     dpkg: warning: 'start-stop-daemon' not found in PATH or not executable.
     dpkg: error: 2 expected programs not found in PATH or not executable.
     Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.

2. If the user path is insecure then they will now have an insecure
   root path.  Arguably this is under their control.  But the change
   should be more visible than it is now.

Let me suggest the following NEWS entry, or something similar:

sudo (1.8.2-1) unstable; urgency=low

  The default setting for secure_path has been changed.  The new
  setting is off by default.  Previously it was not possible to unset
  secure_path and the compiled in value was used by default.  It was
  only possible to change the value of it.  See Bug#85123 and
  Bug#85917.  Now if the administrator desires to have it unset they
  need only to avoid setting it.  To preserve the previous behavior in
  new installs a new setting of secure_path with a default path has
  been added to /etc/sudoers.  But that only handles new
  installations.  If you have a customized conffile, most do, and you
  wish to preserve the previous behavior, most will, then action is
  needed on your part.  You will need to merge entries of these files
  to include a secure_path setting into your /etc/sudoers file.

Alternatively the sudo package could include a new conffile file in
the package /etc/sudoers.d/00-secure_path or some such that includes
the new secure_path setting.  Being a new file it would be installed
by default without dialog and become available.  Being a conffile if
an admin desired it to not be set then they could edit that file and
unset it.  I don't like the proliferation of packaged conffiles in
that directory but that might be a solution.  But in that case a new
NEWS entry would be needed.  :-)

Bob




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#639841; Package sudo. (Tue, 30 Aug 2011 21:03:04 GMT)

Acknowledgement sent to Frank M <mccfrank@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 30 Aug 2011 21:03:04 GMT)

Message #10 received at 639841@bugs.debian.org:

From: Frank M <mccfrank@gmail.com>
To: 639841@bugs.debian.org
Subject: Sudo bugs
Date: Tue, 30 Aug 2011 16:59:46 -0400

It bit me - until I saw this discussion I went into my /etc/profile
and added the needed directories to ensure
all needed programs could be found.

-- 
---Frank McCormick---
     ---Montreal---




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#639841; Package sudo. (Tue, 30 Aug 2011 22:24:03 GMT)

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Tue, 30 Aug 2011 22:24:03 GMT)

Message #15 received at submit@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: Bob Proulx <bob@proulx.com>, 639841@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#639841: sudo: secure_path change needs a NEWS entry
Date: Tue, 30 Aug 2011 16:21:10 -0600
On Tue, 30 Aug 2011 13:46:54 -0600, Bob Proulx <bob@proulx.com> wrote:
> Alternatively the sudo package could include a new conffile file in
> the package /etc/sudoers.d/00-secure_path or some such that includes
> the new secure_path setting.  Being a new file it would be installed
> by default without dialog and become available.

The problem with this idea is that the include directive was only
recently added to the default Debian sudoers file, and so many systems
with customized sudoers files might remain broken.

The solution I'd like best but haven't made time to try and work out yet
is for the binary to have a default secure_path, but still allow
secure_path to be overridden in the sudoers file.  I'm about to head out
the door for a week in which I'm unlikely to have time to work on this,
so if you or anyone else want to figure out if some combination of
existing configure arguments or a simple patch might allow this to be
implemented, that'd be great!

Oh, and thanks for the proposed NEWS entry text, I agree that given the
reaction to this change so far, some notice is warranted, and will plan
to merge this or something like it for the next upload.

Bdale

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#639841; Package sudo. (Tue, 30 Aug 2011 22:24:05 GMT)

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Tue, 30 Aug 2011 22:24:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#639841; Package sudo. (Tue, 30 Aug 2011 22:33:03 GMT)

Acknowledgement sent to Bob Proulx <bob@proulx.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 30 Aug 2011 22:33:03 GMT)

Message #25 received at 639841@bugs.debian.org:

From: Bob Proulx <bob@proulx.com>
To: Bdale Garbee <bdale@gag.com>
Cc: 639841@bugs.debian.org
Subject: Re: Bug#639841: sudo: secure_path change needs a NEWS entry
Date: Tue, 30 Aug 2011 16:31:37 -0600
Bdale Garbee wrote:
> Bob Proulx wrote:
> > Alternatively the sudo package could include a new conffile file in
> > the package /etc/sudoers.d/00-secure_path or some such that includes
> > the new secure_path setting.  Being a new file it would be installed
> > by default without dialog and become available.
> 
> The problem with this idea is that the include directive was only
> recently added to the default Debian sudoers file, and so many systems
> with customized sudoers files might remain broken.

Sorry but I don't understand.  How would setting secure_path in a new
sudoers.d file create a situation where a system would remain broken?
Could you list an example of what you are talking about in order to
make it concrete?

It isn't really a solution I prefer.  But any method to keep
secure_path set by default but allow a local admin to unset it would
be fine.  I just couldn't think of any better way than a new file.
There doesn't seem to be a way to !secure_path with it defaulted
unless I missed something.  That was Bug#85123 of course.

But note that the NEWS entry is my first choice.  Personally I am okay
with it as long as I know about it.  Of course I would prefer not to
have to take action to keep the status quo but sometimes it is
necessary and I will go with the flow if this is one of them.  But I
just know that users will be bitten by this and I just helped one such
user on debian-user who ran headlong into this problem so there will
be others.

> The solution I'd like best but haven't made time to try and work out yet
> is for the binary to have a default secure_path, but still allow
> secure_path to be overridden in the sudoers file.  I'm about to head out
> the door for a week in which I'm unlikely to have time to work on this,
> so if you or anyone else want to figure out if some combination of
> existing configure arguments or a simple patch might allow this to be
> implemented, that'd be great!

I already gave it my brain cells and was unable to propose any better
solution.  But I will think about it and respond if I can produce any
better suggestion.

> Oh, and thanks for the proposed NEWS entry text, I agree that given the
> reaction to this change so far, some notice is warranted, and will plan
> to merge this or something like it for the next upload.

Thanks!
Bob

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#639841; Package sudo. (Sun, 04 Sep 2011 06:09:05 GMT)

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Sun, 04 Sep 2011 06:09:05 GMT)

Message #30 received at 639841@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: Bob Proulx <bob@proulx.com>
Cc: 639841@bugs.debian.org
Subject: Re: Bug#639841: sudo: secure_path change needs a NEWS entry
Date: Sun, 04 Sep 2011 01:05:37 -0500
On Tue, 30 Aug 2011 16:31:37 -0600, Bob Proulx <bob@proulx.com> wrote:
> Sorry but I don't understand.  How would setting secure_path in a new
> sudoers.d file create a situation where a system would remain broken?

The only reason files in sudoers.d get read is that I added an include
directive to the template /etc/sudoers a while back:

          #includedir /etc/sudoers.d

But if someone already has an /etc/sudoers from before that directive
was added, and is choosing not to keep up with my changes, then putting
more files in /etc/sudoers.d will have no effect at all, and they will
still be impacted by the change.

So, we need to be able to provide a default secure_path that's rational
but able to be overridden in /etc/sudoers* (a source patch is acceptable
here, particularly if I can get upstream to accept it), or at minimum I
need to add a NEWS entry documenting the behavior change.

Bdale
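
An added example, not part of the original thread or of the sudo package: a shell check for the conditions discussed in the messages above (whether a sudoers file sets secure_path, whether the invoking user's PATH has the sbin directories, and whether files in /etc/sudoers.d would be read at all). The function names and both sample sudoers files are constructed for illustration, and accepting `@includedir` alongside `#includedir` is an addition for newer sudo releases.

```shell
#!/bin/sh
# Added example: audit a sudoers file for the upgrade problem in this report.
# Function names and the sample files are constructed for illustration.

# Succeeds if FILE has an active global "Defaults ... secure_path=" line.
has_secure_path() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[[:space:],])?secure_path[[:space:]]*=' "$1"
}

# Succeeds if FILE pulls in a drop-in directory ("#includedir" is a directive,
# not a comment; sudo 1.9.1 and later also accept "@includedir").
has_includedir() {
    grep -Eq '^[#@]includedir[[:space:]]+/' "$1"
}

# Succeeds if the colon-separated PATH string contains /usr/sbin and /sbin.
path_has_sbin() {
    case ":$1:" in *:/usr/sbin:*) ;; *) return 1 ;; esac
    case ":$1:" in *:/sbin:*) ;; *) return 1 ;; esac
}

# audit_sudoers FILE USER_PATH -> one summary line on stdout.
audit_sudoers() {
    if has_secure_path "$1"; then sp=set
    elif path_has_sbin "$2"; then sp=unset-inherits-user-path
    else sp=unset-sbin-missing          # the dpkg "not found in PATH" case
    fi
    if has_includedir "$1"; then inc=read; else inc=ignored; fi
    echo "secure_path=$sp sudoers.d=$inc"
}

# Constructed samples: a customised pre-upgrade file and a template-style file.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/legacy" <<'EOF'
# secure_path used to be compiled in
Defaults env_reset
%admin ALL=(ALL) ALL
EOF
cat > "$tmp/current" <<'EOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL) ALL
#includedir /etc/sudoers.d
EOF

audit_sudoers "$tmp/legacy"  "/usr/local/bin:/usr/bin:/bin"
audit_sudoers "$tmp/current" "/usr/local/bin:/usr/bin:/bin"
```

On a real system the first argument would be /etc/sudoers and the second the PATH of the account that invokes sudo; a result of `sudoers.d=ignored` means a packaged drop-in file would not restore secure_path.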

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Wed, 01 Feb 2012 15:21:16 GMT)

Notification sent to Bob Proulx <bob@proulx.com>:
Bug acknowledged by developer. (Wed, 01 Feb 2012 15:21:16 GMT)

Message #35 received at 639841-done@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 639841-done@bugs.debian.org
Subject: Re: sudo: secure_path change needs a NEWS entry
Date: Wed, 01 Feb 2012 15:17:08 +0000
Version: 1.8.2-2

This was added some time ago.

Ben.

-- 
Ben Hutchings
Lowery's Law:
             If it jams, force it. If it breaks, it needed replacing anyway.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Mar 2012 07:36:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:27:19 2014; Machine Name: buxtehude.debian.org
