Is my implementation/understanding of SUDO flawed?

Todd C. Miller Todd.Miller at
Sun Feb 24 16:38:02 EST 2002

In message <000701c1bd6d$5dfc8640$737c7ad5 at oemcomputer>
	so spake "ian Laing" (ian.laing):

> 1) The start/stop scripts don't sanitise the PATH, so if an operator starts
> with a PATH containing
> their personal home directory *first* then that is the PATH the scripts use.
> They can therefore subvert commands like echo with their own version and
> Unix will run that.
> Their own echo command can then simply contain a ksh to give them a root
> shell.

You can use the --with-secure-path configure option to hard-code a path.

 - todd

More information about the sudo-users mailing list