sudo not setting environment variables in /etc/environment

Bug #1301557 reported by Christopher Hoskin
This bug affects 14 people
Affects: sudo (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

With 1.8.9p5-1ubuntu1 sudo does not load environment variables from /etc/environment, which is a change in behaviour from Ubuntu 13.10.

lsb_release -rd
Description: Ubuntu Trusty Tahr (development branch)
Release: 14.04

apt-cache policy sudo
sudo:
  Installed: 1.8.9p5-1ubuntu1
  Candidate: 1.8.9p5-1ubuntu1
  Version table:
 *** 1.8.9p5-1ubuntu1 0
        500 http://gb.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status

Steps to reproduce:

cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usrgames:/usr/local/games"
JAVA_HOME="/usr/lib/jvm/java-7-openjdk-amd64/jre/"

env | grep JAVA_HOME
JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64/jre/
sudo env | grep JAVA_HOME
sudo -s
root@sant-idp:~# env | grep JAVA_HOME
root@sant-idp:~# exit
exit

cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Please advise whether this is a bug or new intended behaviour. Thanks.

Revision history for this message
Christopher Hoskin (christopher-hoskin) wrote :

Investigating a bit further, I notice that /etc/pam.d/su contains the lines:

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

If I add these to /etc/pam.d/sudo then I can set environment variables either in /etc/environment or in /etc/security/pam_env.conf.

So should "session required pam_env.so readenv=1" be added to /etc/pam.d/sudo or is there a security reason why sudo should not use pam_env.so but su should?

Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Revision history for this message
Andrey Bondarenko (abone) wrote :

Files in /etc/pam.d use pam_env.so as a session module, except sudo, which uses it as an auth module. Is that OK?

Revision history for this message
Dustin Oprea (myselfasunder) wrote :

This affects me as well.

@abone Yes, that's necessary. It doesn't matter where you put it in the file, though. For example:

/etc/pam.d/sudo
=====
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

@include common-auth
@include common-account
@include common-session-noninteractive

session required pam_env.so readenv=1
=====

Revision history for this message
Sven (muffl0n) wrote :

Another workaround:

Add
---------------
Defaults env_keep += "http_proxy SOMEOTHERVARIABLES ANOTHERVARIABLE ETC"
---------------
to your sudoers-file with "visudo".

See: https://help.ubuntu.com/community/EnvironmentVariables#sudo_caveat
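As an added example (not from the bug report or any of the commenters), a small POSIX sh check that reports which entries of an /etc/environment-style file are absent from the current environment. Run it once as your user and once under sudo to see exactly which variables env_reset drops, and rerun it after applying either workaround to confirm they come back. The function name missing_env_vars and the sample file are assumptions of this example.

```shell
#!/bin/sh
# missing_env_vars FILE
# Prints NAME=value for every NAME=value line in FILE whose NAME is not set in
# the current environment. Blank lines and '#' comments are skipped, and one
# pair of surrounding double quotes is stripped from the value, matching the
# KEY="value" layout of /etc/environment. Only well-formed variable names are
# considered, so stray lines cannot be turned into grep patterns.
missing_env_vars() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        name="${line%%=*}"
        value="${line#*=}"
        # reject anything that is not a plain NAME=... assignment
        case "$name" in
            ''|*[!A-Za-z0-9_]*) continue ;;
        esac
        case "$value" in
            \"*\") value="${value#\"}"; value="${value%\"}" ;;
        esac
        # report the entry only if NAME is not in our environment
        if ! env | grep -q "^${name}="; then
            printf '%s=%s\n' "$name" "$value"
        fi
    done < "$file"
}

# Usage: sh check_env.sh /etc/environment ; sudo sh check_env.sh /etc/environment
# Under sudo with "Defaults env_reset", JAVA_HOME-style entries show up as
# missing while PATH (set from secure_path) does not.
if [ $# -gt 0 ]; then
    missing_env_vars "$1"
fi
```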
