From: Michael Prokop <mika@grml.org>
Date: Thu, 2 Apr 2020 09:56:18 +0000 (+0200)
Subject: sudoers: set Defaults secure_path to have sane default settings
X-Git-Tag: v0.35.0~5
X-Git-Url: http://git.grml.org/?p=grml-live.git;a=commitdiff_plain;h=c557940f98cb23335d5f3cc16492eed60936dc32

sudoers: set Defaults secure_path to have sane default settings

If the user (non-root) doesn't have /sbin:/usr/sbin inside $PATH (as
present when invoking `mksh -l`, which causes /etc/profile to be
sourced and setting $PATH), then executing sudo might fail with:

| $ sudo apt-get install rdesktop
| [...]
| dpkg: warning: 'ldconfig' not found in PATH or not executable
| dpkg: warning: 'start-stop-daemon' not found in PATH or not executable
| dpkg: error: 2 expected programs not found in PATH or not executable
| Note: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin

Ensure to have a working $PATH setting when invoking sudo
by explicitly setting secure_path.

Closes: https://github.com/grml/grml/issues/144
---

diff --git a/etc/grml/fai/config/files/etc/sudoers/GRMLBASE b/etc/grml/fai/config/files/etc/sudoers/GRMLBASE
index f52c892..7a46342 100644
--- a/etc/grml/fai/config/files/etc/sudoers/GRMLBASE
+++ b/etc/grml/fai/config/files/etc/sudoers/GRMLBASE
@@ -20,6 +20,9 @@ root    ALL=(ALL) ALL
 # WARNING: Never allow external access to the $USERNAME user!!!
 $USERNAME    ALL=NOPASSWD: ALL
 
+# Path used for every command run from sudo
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
 # allow editing of files with editor:
 # $USERNAME ALL=NOPASSWD: sudoedit