[sudo-users] can't pass environment variables to sudo env

Todd C. Miller Todd.Miller at courtesan.com
Sun Sep 14 08:26:50 EDT 2008


In message <b1335fe90809131832k5930e563n90d41c3ca6a54108 at mail.gmail.com>
	so spake "Tiago Marques" (tiagomnm):

> The other thing I would like to know is if this was done for security
> reasons. Was it? I would like to know if there's any risk in changing this
> behavior.

Yes, it was done for security reasons.  The old method was to
blacklist specific environment variables that could be used to
influence program behavior.  However, blacklists like this are a
flawed mechanism as there's no way to be sure you've caught everything.
The set of programs that may be influenced by the environment is
always increasing.

On a single-user workstation, or a situation where all users of sudo
are given "sudo ALL", this is probably not a big deal, but in situations
where you are trying to use sudo to restrict what a user can run
it is a problem.

 - todd
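To make the whitelist approach described above concrete, here is an added sudoers fragment (example configuration, not from the thread or from the sudo project itself). It keeps env_reset on and uses the whitelist mechanisms sudo provides instead of a blacklist; the user name, the command path and the proxy variable names are assumptions made for the illustration.

```sudoers
# Start every sudo command from a minimal, known-safe environment.
# This is the secure default; do not turn it off ("!env_reset") to
# work around a single command that needs extra variables.
Defaults    env_reset

# Whitelist: variables allowed through env_reset, in addition to the
# built-in set. Proxy settings are a typical, low-risk example.
Defaults    env_keep += "http_proxy https_proxy no_proxy"

# Variables that are kept only if their value is free of '/' and '%'
# characters, which limits their use for path or format tricks.
Defaults    env_check += "TZ"

# If one user genuinely needs to pass variables to one command, scope
# the exception with the SETENV tag rather than relaxing env_reset
# globally. With this tag "alice" may use "sudo -E" or VAR=value for
# this command only; every other rule keeps the reset behaviour.
alice   ALL = (root) SETENV: /usr/local/bin/deploy
```

To check what the running sudo actually preserves, run `sudo -V` as root: it prints the lists of environment variables that are kept, sanity-checked and removed, so an unexpectedly permissive env_keep shows up there. Every name added to env_keep widens the set of variables that can influence a privileged command, so review the list with the same care as the command rules themselves.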


