Bug 672522 - app-admin/sudo allow to disable --with-secure-path
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo's Team for Core System packages
Keywords: PullRequest
Reported: 2018-12-04 19:56 UTC by Karel Kočí
Modified: 2019-08-04 09:40 UTC
Description Karel Kočí 2018-12-04 19:56:25 UTC
I looked around in old bugs and it seems that this was already reported multiple times. There is even a suggestion that --with-secure-path should be under a use flag (245397). In that issue there are stated reasons that it won't be fixed because there is no other way. I can understand that it introduces some level of security, but some users might not require it, and it is not true that there is no other way than using sudo with secure-path. If --with-secure-path is not specified then it uses the user's PATH. This is what most users expect to see. This might be somewhat new, as the referenced bug is ten years old.

I think that it makes sense to allow users to not use sudo without --with-secure-path. I have been running it for more than two years now without problems. I always patch the original sudo package to just contain a secure-path use flag that I disable in my profile. It works and I think that it makes sense to have it in upstream. Please consider that.

I created a GitHub pull request with this change: https://github.com/gentoo/gentoo/pull/10566
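
As the description says, a sudo built without --with-secure-path searches the invoking user's PATH, so every directory in that PATH takes part in privileged command lookup. The following is an added example, not part of the bug report or the Gentoo ebuild, that audits a PATH string for entries to fix before turning the secure-path USE flag off; the function name `audit_path` and its trusted-uid argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report or the ebuild). audit_path and its
# TRUSTED_UID argument are hypothetical names.
#
# audit_path PATH_STRING [TRUSTED_UID]
# Prints "reason<TAB>entry" for each risky entry; returns 1 if any were found.
audit_path() {
    padded="$1:"            # extra ":" keeps a trailing empty entry visible
    trusted_uid=${2:-0}     # expected directory owner, root by default
    findings=0

    old_ifs=$IFS
    set -f                  # no filename globbing while splitting
    IFS=:
    set -- $padded          # one positional parameter per PATH entry
    IFS=$old_ifs
    set +f

    for entry in "$@"; do
        case $entry in
            /*) ;;
            *)  # empty, "." or relative: resolved against the current directory
                printf 'relative\t%s\n' "$entry"; findings=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            printf 'missing\t%s\n' "$entry"; findings=1; continue
        fi
        # -L follows symlinks such as /bin -> usr/bin, -n prints the numeric uid
        meta=$(ls -ldnL -- "$entry" | awk '{print $1, $3}')
        mode=${meta% *}
        owner=${meta#* }
        case $mode in
            ?????w*|????????w*)   # group-writable or world-writable directory
                printf 'writable\t%s\n' "$entry"; findings=1 ;;
        esac
        if [ "$owner" != "$trusted_uid" ]; then
            printf 'owner\t%s\n' "$entry"; findings=1
        fi
    done
    return "$findings"
}

# Audit the PATH of the account that will be invoking sudo.
audit_path "$PATH" || echo "review the entries listed above before disabling secure-path"
```
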
Comment 1 Larry the Git Cow gentoo-dev 2019-01-13 01:10:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94bfb597738bad84a823b5f086cb7ffa72675ef7

commit 94bfb597738bad84a823b5f086cb7ffa72675ef7
Author:     Karel Kočí <cynerd@email.cz>
AuthorDate: 2018-12-04 19:27:04 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-01-13 01:10:30 +0000

    app-admin/sudo: Add secure-path use
    
    It makes sense to mask the PATH variable when sudo is executed for security
    reasons with known secure content. The problem is that this is not common on
    other distributions and in some cases it makes sense to allow the user's
    PATH to be used because it complicates common use of sudo such as:
    sudo !!
    This does not change the previous default behavior. It just adds a use flag
    for enabling secure-path that is enabled by default.
    
    Bug: https://bugs.gentoo.org/672522
    
    Signed-off-by: Karel Kočí <cynerd@email.cz>
    Closes: https://github.com/gentoo/gentoo/pull/10566
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/metadata.xml          |   1 +
 app-admin/sudo/sudo-1.8.26-r1.ebuild | 243 +++++++++++++++++++++++++++++++++++
 2 files changed, 244 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2019-02-16 21:10:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f946718065a714d430fe7bea0ef0ccf67ea1c9af

commit f946718065a714d430fe7bea0ef0ccf67ea1c9af
Author:     Karel Kočí <cynerd@email.cz>
AuthorDate: 2019-02-10 14:28:09 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-02-16 21:07:56 +0000

    app-admin/sudo: add secure-path use to 1.8.27 as well
    
    secure-path was merged at the same time as 1.8.27 was released, but the new
    version was based on the original ebuild, so the new version once again misses
    this use flag.
    
    Bug: https://bugs.gentoo.org/672522
    Signed-off-by: Karel Kočí <cynerd@email.cz>
    Closes: https://github.com/gentoo/gentoo/pull/11022
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-admin/sudo/{sudo-1.8.27.ebuild => sudo-1.8.27-r1.ebuild} | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)