[sudo-users] can't pass environment variables to sudo env
Todd C. Miller
Todd.Miller at courtesan.com
Sun Sep 14 08:26:50 EDT 2008
In message <b1335fe90809131832k5930e563n90d41c3ca6a54108 at mail.gmail.com>
so spake "Tiago Marques" (tiagomnm):
> The other thing I would like to know is if this was done for security
> reasons. Was it? I would like to know if there's any risk in changing this
> behavior.
Yes, it was done for security reasons. The old method was to
blacklist specific environment variables that could be used to
influence program behavior. However, blacklists like this are a
flawed mechanism as there's no way to be sure you've caught everything.
The set of programs that may be influenced by the environment is
always increasing.
On a single-user workstation or a situation where all users of sudo
are given "sudo ALL" this is probably not a big deal but in situations
where you are trying to use sudo to restrict what a user can run
it is a problem.
- todd
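
The difference between the two filtering models described in the message above, as an added example that is not part of the original post and is not sudo's own code. The pattern lists, the sample environment and the variable NEWTOOL_PLUGIN_DIR are constructed for illustration; the allowlist function mirrors the reset-then-keep model that the sudoers options env_reset and env_keep configure.

```python
from fnmatch import fnmatchcase

# Illustrative lists, constructed for this example (not sudo's built-in defaults).
DENYLIST = ["LD_*", "IFS", "PYTHONPATH"]
ALLOWLIST = ["TERM", "LANG", "LC_*"]

# Constructed invoking-user environment. NEWTOOL_PLUGIN_DIR is hypothetical: it
# stands for a program that appeared after the denylist was written.
SAMPLE_ENV = {
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "LD_PRELOAD": "/tmp/x.so",
    "PYTHONPATH": "/tmp/mods",
    "NEWTOOL_PLUGIN_DIR": "/tmp/plugins",
}

# Variables that can change what the target program does (constructed set).
INFLUENTIAL = {"LD_PRELOAD", "PYTHONPATH", "NEWTOOL_PLUGIN_DIR"}


def _matches(name, patterns):
    """True if name matches any shell-style pattern (case-sensitive)."""
    return any(fnmatchcase(name, p) for p in patterns)


def denylist_filter(env, deny=DENYLIST):
    """Old approach: pass everything except names known to be dangerous."""
    return {k: v for k, v in env.items() if not _matches(k, deny)}


def allowlist_filter(env, allow=ALLOWLIST):
    """Reset approach: drop everything except names explicitly kept."""
    return {k: v for k, v in env.items() if _matches(k, allow)}


def leaked(filtered, influential=INFLUENTIAL):
    """Behavior-influencing names that survived filtering."""
    return sorted(k for k in filtered if k in influential)


if __name__ == "__main__":
    print("denylist leaks: ", leaked(denylist_filter(SAMPLE_ENV)))
    print("allowlist leaks:", leaked(allowlist_filter(SAMPLE_ENV)))
    print("allowlist keeps:", sorted(allowlist_filter(SAMPLE_ENV)))
```

The denylist only fails for the variable nobody knew to list, which is the case the message describes; the allowlist fails closed, so a variable a command legitimately needs has to be added explicitly.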