Ubuntu: sudo -u some-user unexpectedly ends up with environment variables for the runner #13049

@rsyring

Description

Running sudo for a user other than the runner user unexpectedly ends up with some environment variables hard-coded for the runner:

sudo useradd --system --create-home --shell=/bin/bash coppy-tests
sudo -u coppy-tests printenv XDG_CONFIG_HOME
/home/runner/.config

This creates a considerable headache when trying to use OS users to isolate tests using sudo, as XDG_CONFIG_HOME drives the location that many programs use to figure out what directory to use.

Here is an example of what happens when trying to install uv as a non-runner user:

sudo useradd --create-home --shell=/bin/bash example-user
curl -LsSf https://astral.sh/uv/install.sh | sudo -u example-user sh
  
downloading uv 0.8.19 x86_64-unknown-linux-gnu
no checksums to verify
installing to /home/example-user/.local/bin
  uv
  uvx
everything's installed!
To add $HOME/.local/bin to your PATH, either restart your shell or run:
    source $HOME/.local/bin/env (sh, bash, zsh)
    source $HOME/.local/bin/env.fish (fish)
mkdir: cannot create directory ‘/home/runner’: Permission denied
ERROR: unable to create receipt directory at /home/runner/.config/uv

Unsetting XDG_CONFIG_HOME fixes the problem and the installer runs without error:

sudo useradd --create-home --shell=/bin/bash example-user
curl -LsSf https://astral.sh/uv/install.sh | sudo -u example-user env -u XDG_CONFIG_HOME sh

# Show ~/.config/uv got created
ls /home/example-user/.config/

downloading uv 0.8.19 x86_64-unknown-linux-gnu
no checksums to verify
installing to /home/example-user/.local/bin
  uv
  uvx
everything's installed!

To add $HOME/.local/bin to your PATH, either restart your shell or run:

    source $HOME/.local/bin/env (sh, bash, zsh)
    source $HOME/.local/bin/env.fish (fish)
configstore
fish
uv

Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • macOS 26 Arm64
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025

Image version and build link

Image: ubuntu-24.04
Version: 20250907.24.1

Example: https://github.com/rsyring/gh-action-runner-debug/actions/runs/17882206284

Is it regression?

Unknown

Expected behavior

I expect sudo run for an alternate user to not contain any environment variables hard-coded to the runner user.

Actual behavior

Explained above.

Repro steps

See: https://github.com/rsyring/gh-action-runner-debug/blob/main/.github/workflows/debug-sudo.yaml
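Added example, not part of the original issue or of the runner-images project: a POSIX shell helper that generalizes the `env -u XDG_CONFIG_HOME` workaround above by finding every variable that still points into the invoking user's home and building the matching `env -u` arguments. The function names, the `SAMPLE_ENV` contents and the `/home/runner2` path are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and SAMPLE_ENV are constructed for illustration.

# leaked_vars FOREIGN_HOME
# Reads NAME=VALUE lines (printenv format) on stdin and prints each NAME whose
# value, or any colon-separated element of it, is FOREIGN_HOME or a path below it.
leaked_vars() {
    foreign_home=${1%/}
    while IFS= read -r line; do
        case $line in
            *=*) ;;
            *) continue ;;          # not NAME=VALUE (e.g. tail of a multi-line value)
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in
            ''|*[!A-Za-z0-9_]*) continue ;;   # not a plausible variable name
        esac
        case ":$value:" in
            *":$foreign_home:"*|*":$foreign_home/"*) printf '%s\n' "$name" ;;
        esac
    done
}

# env_unset_args
# Turns names on stdin into "-u NAME" arguments for env(1). PATH is skipped:
# it needs its foreign entries rewritten, not the whole variable removed.
env_unset_args() {
    args=
    while IFS= read -r name; do
        if [ "$name" != PATH ]; then
            args="$args -u $name"
        fi
    done
    printf '%s\n' "${args# }"
}

# Constructed sample of what `sudo -u example-user printenv` might return.
SAMPLE_ENV='HOME=/home/example-user
XDG_CONFIG_HOME=/home/runner/.config
PATH=/usr/local/bin:/home/runner/.local/bin:/usr/bin
WORKDIR=/home/runner2/work
LANG=C.UTF-8'

printf '%s\n' "$SAMPLE_ENV" | leaked_vars /home/runner | env_unset_args
```

In a workflow step, replace the sample with live data, for example `sudo -u example-user printenv | leaked_vars /home/runner`, and review the reported names before unsetting them.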
