[sudo-users] Sudo's secure path option can be cirumvented

yaberger at ca.ibm.com yaberger at ca.ibm.com
Thu Jun 3 10:22:04 EDT 2010


I've just received the following security alert:

I've a few questions concerning this part:

Sudo "secure path" feature works by replacing the PATH environment 
variable with a value specified in the sudoers file, or at compile time if 
the --with-secure-path configure option is used.

Is there any configuration related to that in sudoers or is it only a 
configure/compile option?
Can you confirm that this doesn't apply if sudo is not configured with the 
--with-secure-path option?
By default, is this option set to yes if you configure with the default 
options (./configure) ?
Is it possible to determine if your sudo has been builded with this 
configuration option (in sudo -V output probably) ?

Yannick Bergeron
yaberger at ca.ibm.com
IT Specialist
AIX / Samba / Load Balancer / DCE/DFS / SCM / Apache / Security / Perl 
scripting / etc. 

More information about the sudo-users mailing list