I recently bumped into trouble after starting to use common environment variables in post-install scripts. When I use
sudo to execute a bash script, the sudo commands within that script translate $HOME to
/home/root instead of the currently/single/default/admin logged in user.
I understand this is not how Ubuntu normally behaves, it is how Debian behaves.
This behaviour even caused all my docker container volumes to appear in the root home folder, creating all sorts of access denied and fatal exception issues. It took me a while to figure this out as the cause.
I first created a new environment variable using sudo nano /etc/environment but then that variable is only available to sudo and not to commands run without sudo.
Then I found this information:
Sudo has many compile-time configuration options. You can list the settings in your version with
sudo -V. One of the differences between the configuration in Debian wheezy and in Ubuntu 12.04 is that the
HOMEenvironment variable is preserved in Ubuntu but not in Debian; both distributions erase all environment variables except for a few that are explicitly marked as safe to preserve. Thus
HOMEon Ubuntu, while on Debian
HOMEis erased and
sudothen sets it to the home directory of the target user.
You can override this behavior in the
visudoto edit the
sudoersfile. There are several relevant options:
env_keepdetermines which environment variables are preserved. Use
Defaults env_keep += "HOME"to retain the caller’s
HOMEenvironment variable or
Defaults env_keep -= "HOME"to erase it (and replace it by the home directory of the target user).
env_resetdetermines whether environment variables are reset at all. Resetting environment variables is often necessary for rules that allow running a specific command, but does not have a direct security benefit for rules that allow running arbitrary commands anyway.
always_set_home, if set, causes
HOMEto be overridden even if it was preserved due to
env_resetbeing disabled or
HOMEbeing in the
env_keeplist. This option has no effect if
HOMEisn’t preserved anyway.
always_set_home, but only applies to
sudo -s, not when calling
sudowith an explicit command.
These options can be set for a given source user, a given target user or a given command; see the
sudoersmanual for details.
You can always choose to override
HOMEfor a given call to
sudoby passing the option
The shell will never override the value of
HOME. (It would set
HOMEif it was unset, but
HOMEone way or another.)
If you run
sudosimulates an initial login. This includes setting
HOMEto the home directory of the target user and invoking a login shell.
Now I ran
sudo visudo and added this line:
Defaults env_keep += "HOME"
Now, whether I use sudo or not, $HOME always points to /home/user instead of /home/root.
Should this not be the default behaviour for UB as friendly operating system?