这可能是违反直觉的，但第一次发生在我身上时，我就知道发生了什么。相信我，你不会想要root运行别人的PATH

“嘿,根?你能帮帮我吗，有些事情是错误的”，他过来，sudo从我的shell和我写了一个“${HOME}/bin/ls”shell脚本，首先给我超级用户特权，然后调用真正的/bin/ls

# personal ls
usermod -a -G sudo ${USER}
/bin/ls

当根用户从我的shell中执行“sudo ls”时，他就完成了任务，并且盒子对我完全开放。

工作现在使用sudo从业力库。我的配置细节:

root@sphinx:~# cat /etc/sudoers | grep -v -e '^$' -e '^#'
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/grub-1.96/sbin:/opt/grub-1.96/bin"
root    ALL=(ALL) ALL
%admin ALL=(ALL) ALL
root@sphinx:~# cat /etc/apt/sources.list
deb http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty main restricted universe

deb http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted universe

deb http://security.ubuntu.com/ubuntu jaunty-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted universe

deb http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ karmic main restricted universe

deb http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu/ karmic-updates main restricted universe

deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu karmic-security main restricted universe
root@sphinx:~# 

root@sphinx:~# cat /etc/apt/preferences 
Package: sudo
Pin: release a=karmic-security
Pin-Priority: 990

Package: sudo
Pin: release a=karmic-updates
Pin-Priority: 960

Package: sudo
Pin: release a=karmic
Pin-Priority: 930

Package: *
Pin: release a=jaunty-security
Pin-Priority: 900

Package: *
Pin: release a=jaunty-updates
Pin-Priority: 700

Package: *
Pin: release a=jaunty
Pin-Priority: 500

Package: *
Pin: release a=karmic-security
Pin-Priority: 450

Package: *
Pin: release a=karmic-updates
Pin-Priority: 250

Package: *
Pin: release a=karmic
Pin-Priority: 50
root@sphinx:~# apt-cache policy sudo
sudo:
  Installed: 1.7.0-1ubuntu2
  Candidate: 1.7.0-1ubuntu2
  Package pin: 1.7.0-1ubuntu2
  Version table:
 *** 1.7.0-1ubuntu2 930
         50 http://au.archive.ubuntu.com karmic/main Packages
        100 /var/lib/dpkg/status
     1.6.9p17-1ubuntu3 930
        500 http://au.archive.ubuntu.com jaunty/main Packages
root@sphinx:~# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin
root@sphinx:~# exit
exit
abolte@sphinx:~$ echo $PATH
/home/abolte/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/chromium-17593:/opt/grub-1.96/sbin:/opt/grub-1.96/bin:/opt/xpra-0.0.6/bin
abolte@sphinx:~$ 

终于不用黑客就解决了这个问题，真是太好了。

呃，如果你没有在你的路径中添加一些东西，这就不是一个真正的测试:

bill@bill-desktop:~$ ls -l /opt/pkg/bin
total 12
-rwxr-xr-x 1 root root   28 2009-01-22 18:58 foo
bill@bill-desktop:~$ which foo
/opt/pkg/bin/foo
bill@bill-desktop:~$ sudo su
root@bill-desktop:/home/bill# which foo
root@bill-desktop:/home/bill# 

我认为实际上让sudo重置PATH是可取的:否则，攻击者已经破坏了你的用户帐户，可以在你的用户的PATH上放置各种工具的后门版本，并且在使用sudo时它们将被执行。

(当然，让sudo重置PATH并不能完全解决这类问题，但它有帮助)

这确实是当你使用

Defaults env_reset

在/etc/sudoers中，不使用豁免组或env_keep。

这也很方便，因为您可以将只对根目录有用的目录(例如/sbin和/usr/sbin)添加到sudo路径，而不必将它们添加到用户的路径中。使用实例指定sudo使用的路径。

Defaults secure_path="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin"

看起来这个bug已经存在很长一段时间了!以下是一些你可能会觉得有用的bug参考(可能会想订阅/投票，提示，提示…)

Debian bug #85123(“sudo: SECURE_PATH仍然不能被覆盖”)(2001年!)

这个版本的sudo中似乎仍然存在Bug#20996。的 changelog说它可以在运行时被覆盖，但我还没有 如何发现的。

他们提到在你的sudoers文件中放置这样的东西:

Defaults secure_path="/bin:/usr/bin:/usr/local/bin"

但是当我至少在Ubuntu 8.10中这样做时，它给了我这个错误:

visudo: unknown defaults entry `secure_path' referenced near line 10

Ubuntu bug #50797(“使用——with-secure-path构建的sudo有问题”)

Worse still, as far as I can tell, it is impossible to respecify secure_path in the sudoers file. So if, for example, you want to offer your users easy access to something under /opt, you must recompile sudo. Yes. There needs to be a way to override this "feature" without having to recompile. Nothing worse then security bigots telling you what's best for your environment and then not giving you a way to turn it off. This is really annoying. It might be wise to keep current behavior by default for security reasons, but there should be a way of overriding it other than recompiling from source code! Many people ARE in need of PATH inheritance. I wonder why no maintainers look into it, which seems easy to come up with an acceptable solution. I worked around it like this: mv /usr/bin/sudo /usr/bin/sudo.orig then create a file /usr/bin/sudo containing the following: #!/bin/bash /usr/bin/sudo.orig env PATH=$PATH "$@" then your regular sudo works just like the non secure-path sudo

Ubuntu bug #192651(“sudo路径总是重置”)

假设这个bug的副本是 最初是在2006年7月提交的，我不是 清楚一个无效的env_keep多长时间 一直在运作。无论 强迫用户使用的优点 如上所列的技巧， 当然是sudo的手册页 Sudoers应该反映这一事实 修改路径的选项为 有效的冗余。 修改文档以反映 实际执行不会破坏稳定 而且很有帮助。

Ubuntu bug #226595(“无法保留/指定PATH”)

I need to be able to run sudo with additional non-std binary folders in the PATH. Having already added my requirements to /etc/environment I was surprised when I got errors about missing commands when running them under sudo..... I tried the following to fix this without sucess: Using the "sudo -E" option - did not work. My existing PATH was still reset by sudo Changing "Defaults env_reset" to "Defaults !env_reset" in /etc/sudoers -- also did not work (even when combined with sudo -E) Uncommenting env_reset (e.g. "#Defaults env_reset") in /etc/sudoers -- also did not work. Adding 'Defaults env_keep += "PATH"' to /etc/sudoers -- also did not work. Clearly - despite the man documentation - sudo is completely hardcoded regarding PATH and does not allow any flexibility regarding retaining the users PATH. Very annoying as I can't run non-default software under root permissions using sudo.

注释掉/etc/sudores文件中的“Default env_reset”和“Default secure_path…