Description of problem:
In the default configuration, sudo does not reset $HOME environment variable when switching to other user. Commands run via sudo may use $HOME to search for configuration files or additional modules to load and can have security implications in setups where users are only allowed to run certain specific commands via sudo, but are not granted full shell access to the target user.
This issue has re-surfaced recently for python scripts. Python 2.6 adds a "Per user site-packages directory" feature (PEP 370):
Python interpreter searches user home directories for additional modules to load. When python script is run via sudo and $HOME is not reset to point to target user's home directory, modules can be loaded form source user's home directory, possibly bypassing intended restrictions.
Note: $PYTHONPATH is reset by sudo by default.
We should use safer default, users that prefer to keep $HOME unchanged can adjust sudoers configuration accordingly. We can either default to always_set_home, or use the upstream change slated for the next upstream version 1.7.4, which no longer preserves $HOME by default during env_reset (env_reset is used by default in RHEL/Fedora sudo packages).
Related upstream commits:
Created attachment 436226 [details]
Created attachment 436250 [details]
"use" -> "use it"
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.