Comments on Ccna final exam - java, php, javascript, ios, cshap all in one: sudo changes PATH - why?
(feed updated 2023-10-29T07:27:09.012-06:00)

User (2012-05-29T00:57:34.299-06:00):

Er, it's not really a test if you don't add something to your path:

    bill@bill-desktop:~$ ls -l /opt/pkg/bin
    total 12
    -rwxr-xr-x 1 root root 28 2009-01-22 18:58 foo
    bill@bill-desktop:~$ which foo
    /opt/pkg/bin/foo
    bill@bill-desktop:~$ sudo su
    root@bill-desktop:/home/bill# which foo
    root@bill-desktop:/home/bill#

User (2012-05-29T00:57:32.779-06:00):

Does root have anything that sets PATH in .bashrc? This is assuming that since you're on Linux, sh is really bash.

User (2012-05-29T00:57:31.777-06:00):

This seemed to work for me

    sudo -i

which takes on the non-sudo PATH

User (2012-05-29T00:57:31.136-06:00):

Just edit env_keep in /etc/sudoers

it looks something like this:

    Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"

just append PATH at the end, so after the change it would look like this:

    Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE PATH"

close all your terminals and then open again.

User (2012-05-29T00:57:29.459-06:00):

The recommended solution in the comments on the OpenSUSE distro suggests to change:

    Defaults env_reset

to:

    Defaults !env_reset

and then presumably to comment out the following line which isn't needed:

    Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"

User (2012-05-29T00:57:28.765-06:00):

I think it is in fact desirable to have sudo reset the PATH: otherwise an attacker having compromised your user account could put backdoored versions of all kinds of tools on your users' PATH, and they would be executed when using sudo.

(of course having sudo reset the PATH is not a complete solution to these kinds of problems, but it helps)

This is indeed what happens when you use

    Defaults env_reset

in /etc/sudoers without using exempt_group or env_keep.

This is also convenient because you can add directories that are only useful for root (such as /sbin and /usr/sbin) to the sudo path without adding them to your users' paths. To specify the path to be used by sudo:

    Defaults secure_path="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin"

User (2012-05-29T00:57:28.068-06:00):

Secure_path is your friend, but if you want to exempt yourself from secure_path just do

    sudo visudo

And append

    Defaults exempt_group=your_group

If you want to exempt a bunch of users create a group, add all the users to it, and use that as your exempt_group. man 5 sudoers for more.

User (2012-05-29T00:57:27.098-06:00):

Just comment out "Defaults env_reset" in /etc/sudoers

User (2012-05-29T00:57:26.458-06:00):

    # cat .bash_profile | grep PATH
    PATH=$HOME/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
    export PATH

    # cat /etc/sudoers | grep Defaults
    Defaults requiretty
    Defaults env_reset
    Defaults env_keep = "SOME_PARAM1 SOME_PARAM2 ... PATH"

User (2012-05-29T00:57:25.751-06:00):

Works now using sudo from the karmic repositories. Details from my configuration:

    root@sphinx:~# cat /etc/sudoers | grep -v -e '^$' -e '^#'
    Defaults env_reset
    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/grub-1.96/sbin:/opt/grub-1.96/bin"
    root ALL=(ALL) ALL
    %admin ALL=(ALL) ALL
    root@sphinx:~# cat /etc/apt/sources.list
    deb http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe
    deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe

    deb http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe
    deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe

    deb http://security.ubuntu.com/ubuntu jaunty-security main restricted universe
    deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted universe

    deb http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe
    deb-src http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe

    deb http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe
    deb-src http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe

    deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe
    deb-src http://security.ubuntu.com/ubuntu karmic-security main restricted universe
    root@sphinx:~#

    root@sphinx:~# cat /etc/apt/preferences
    Package: sudo
    Pin: release a=karmic-security
    Pin-Priority: 990

    Package: sudo
    Pin: release a=karmic-updates
    Pin-Priority: 960

    Package: sudo
    Pin: release a=karmic
    Pin-Priority: 930

    Package: *
    Pin: release a=jaunty-security
    Pin-Priority: 900

    Package: *
    Pin: release a=jaunty-updates
    Pin-Priority: 700

    Package: *
    Pin: release a=jaunty
    Pin-Priority: 500

    Package: *
    Pin: release a=karmic-security
    Pin-Priority: 450

    Package: *
    Pin: release a=karmic-updates
    Pin-Priority: 250

    Package: *
    Pin: release a=karmic
    Pin-Priority: 50
    root@sphinx:~# apt-cache policy sudo
    sudo:
      Installed: 1.7.0-1ubuntu2
      Candidate: 1.7.0-1ubuntu2
      Package pin: 1.7.0-1ubuntu2
      Version table:
     *** 1.7.0-1ubuntu2 930
             50 http://au.archive.ubuntu.com karmic/main Packages
            100 /var/lib/dpkg/status
         1.6.9p17-1ubuntu3 930
            500 http://au.archive.ubuntu.com jaunty/main Packages
    root@sphinx:~# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin
    root@sphinx:~# exit
    exit
    abolte@sphinx:~$ echo $PATH
    /home/abolte/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/chromium-17593:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/xpra-0.0.6/bin
    abolte@sphinx:~$

It's wonderful to finally have this solved without using a hack.

User (2012-05-29T00:57:24.694-06:00):

Looks like this bug has been around for quite a while! Here are some bug references you may find helpful (and may want to subscribe to / vote up, hint, hint...):

Debian bug #85123 ("sudo: SECURE_PATH still can't be overridden") (from 2001!)

> It seems that Bug#20996 is still present in this version of sudo. The changelog says that it can be overridden at runtime but I haven't yet discovered how.

They mention putting something like this in your sudoers file:

    Defaults secure_path="/bin:/usr/bin:/usr/local/bin"

but when I do that in Ubuntu 8.10 at least, it gives me this error:

    visudo: unknown defaults entry `secure_path' referenced near line 10

Ubuntu bug #50797 ("sudo built with --with-secure-path is problematic")

> Worse still, as far as I can tell, it is impossible to respecify secure_path in the sudoers file. So if, for example, you want to offer your users easy access to something under /opt, you must recompile sudo.

> Yes. There needs to be a way to override this "feature" without having to recompile. Nothing worse than security bigots telling you what's best for your environment and then not giving you a way to turn it off.

> This is really annoying. It might be wise to keep current behavior by default for security reasons, but there should be a way of overriding it other than recompiling from source code! Many people ARE in need of PATH inheritance. I wonder why no maintainers look into it, which seems easy to come up with an acceptable solution.

> I worked around it like this:
>
>     mv /usr/bin/sudo /usr/bin/sudo.orig
>
> then create a file /usr/bin/sudo containing the following:
>
>     #!/bin/bash
>     /usr/bin/sudo.orig env PATH=$PATH "$@"
>
> then your regular sudo works just like the non secure-path sudo

Ubuntu bug #192651 ("sudo path is always reset")

> Given that a duplicate of this bug was originally filed in July 2006, I'm not clear how long an ineffectual env_keep has been in operation. Whatever the merits of forcing users to employ tricks such as that listed above, surely the man pages for sudo and sudoers should reflect the fact that options to modify the PATH are effectively redundant.
>
> Modifying documentation to reflect actual execution is non destabilising and very helpful.

Ubuntu bug #226595 ("impossible to retain/specify PATH")

> I need to be able to run sudo with additional non-std binary folders in the PATH. Having already added my requirements to /etc/environment I was surprised when I got errors about missing commands when running them under sudo.....
>
> I tried the following to fix this without success:
>
> - Using the "sudo -E" option - did not work. My existing PATH was still reset by sudo
> - Changing "Defaults env_reset" to "Defaults !env_reset" in /etc/sudoers -- also did not work (even when combined with sudo -E)
> - Uncommenting env_reset (e.g. "#Defaults env_reset") in /etc/sudoers -- also did not work.
> - Adding 'Defaults env_keep += "PATH"' to /etc/sudoers -- also did not work.
>
> Clearly - despite the man documentation - sudo is completely hardcoded regarding PATH and does not allow any flexibility regarding retaining the user's PATH. Very annoying as I can't run non-default software under root permissions using sudo.

User (2012-05-29T00:57:23.504-06:00):

'PATH' is an environment variable, and as such is by default reset by sudo.

You need special permissions to be permitted to do this.

From man sudo:

> -E  The -E (preserve environment) option will override the env_reset option in sudoers(5). It is only available when either the matching command has the SETENV tag or the setenv option is set in sudoers(5).

> Environment variables to be set for the command may also be passed on the command line in the form of VAR=value, e.g. LD_LIBRARY_PATH=/usr/local/pkg/lib. Variables passed on the command line are subject to the same restrictions as normal environment variables with one important exception. If the setenv option is set in sudoers, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables that would otherwise be forbidden. See sudoers(5) for more information.

An example of usage:

    cat >> test.sh
    env | grep "MYEXAMPLE" ;
    ^D

    # sh test.sh
    #
    # MYEXAMPLE=1 sh test.sh
    MYEXAMPLE=1
    #
    # MYEXAMPLE=1 sudo sh test.sh
    #
    # MYEXAMPLE=1 sudo MYEXAMPLE=2 sh test.sh
    MYEXAMPLE=2
    #

update

man 5 sudoers:

> env_reset  If set, sudo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* variables. Any variables in the caller's environment that match the env_keep and env_check lists are then added. The default contents of the env_keep and env_check lists are displayed when sudo is run by root with the -V option. If sudo was compiled with the SECURE_PATH option, its value will be used for the PATH environment variable. This flag is on by default.

So may need to check that this is/is not compiled in.

It is by default in Gentoo

(From the build script)

    ....
    ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
    ....
    econf --with-secure-path="${ROOTPATH}"

User (2012-05-29T00:57:19.902-06:00):

In case someone else runs across this and wants to just disable all path variable changing for all users.
Access your sudoers file by using the command: visudo. You should see the following line somewhere:

    Defaults env_reset

after which you should add the following on the next line

    Defaults !secure_path

secure_path is enabled by default. This option specifies what to make $PATH when sudoing. The exclamation mark disables the feature.

User (2012-05-29T00:57:19.111-06:00):

This is an annoying function of sudo on Ubuntu.
Note this doesn't happen on Fedora for example
as sudo is not built with the --with-secure-path option there.

To work around this "problem" on Ubuntu I do
the following in my ~/.bashrc

    alias sudo='sudo env PATH=$PATH'

Note the above will work for commands that don't reset the $PATH themselves.
However `su' resets its $PATH so you must use -p to tell it not to. I.E.:

    sudo su -p
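
The sudoers overrides proposed in this thread (`!env_reset`, PATH in `env_keep`, `exempt_group`, `!secure_path`) each let a caller-controlled PATH reach commands run through sudo, which is the risk one comment raises about backdoored tools. The script below is an added example, not code from any commenter or from the sudo project: it reads sudoers text on stdin and reports those settings. The function names, the sample files and the group `staff` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers Defaults that let a caller-controlled PATH
# reach commands run via sudo. Reads sudoers text on stdin and prints one
# finding per line. Assumption: one setting per physical line; line
# continuations and #include/#includedir files are not followed.
audit_sudoers_path() {
    awk '
    !/^[ \t]*Defaults/ { next }    # comments and user specs are skipped
    /![ \t]*env_reset/   { print "WEAK env_reset disabled: " $0 }
    /![ \t]*secure_path/ { print "WEAK secure_path disabled: " $0; seen = 1 }
    /exempt_group/       { print "WEAK exempt_group skips PATH rules: " $0 }
    /env_keep/ && /[" \t=]PATH([" \t]|$)/ {
        print "WEAK PATH preserved through env_keep: " $0
    }
    /secure_path[ \t]*=/ {
        seen = 1
        v = $0
        sub(/^.*secure_path[ \t]*=[ \t]*/, "", v)
        gsub(/"/, "", v); sub(/[ \t]+$/, "", v)
        n = split(v, dir, ":")
        for (i = 1; i <= n; i++)       # empty entry means current directory
            if (dir[i] !~ /^\//)
                print "WEAK secure_path entry not absolute: [" dir[i] "]"
    }
    END {
        if (!seen) print "INFO no secure_path line; sudo uses its build-time value, if any"
    }'
}

# Constructed sample combining the overrides suggested in the thread.
sample_weak() {
    cat <<'EOF'
Defaults !env_reset
Defaults env_keep += "LANG LC_ALL PATH"
Defaults secure_path="/usr/sbin:/usr/bin::bin"
Defaults exempt_group=staff
%admin ALL=(ALL) ALL
EOF
}

# Constructed sample: environment reset, PATH pinned to absolute system dirs.
sample_hardened() {
    cat <<'EOF'
Defaults env_reset
Defaults env_keep = "LANG LC_ALL"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
EOF
}

sample_weak | audit_sudoers_path
sample_hardened | audit_sudoers_path
```

To audit a real host, feed it the file as root, for example `audit_sudoers_path < /etc/sudoers`; files pulled in by include directives have to be checked separately.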