[sudo-users] Sudo's secure path option can be cirumvented

Todd C. Miller Todd.Miller at courtesan.com
Thu Jun 3 14:56:33 EDT 2010

In message <OFB6E11586.5FBDCD72-ON85257737.004E6214-85257737.004EED8F at ca.ibm.co
	so spake  (yaberger):

> I've just received the following security alert:
> http://www.sudo.ws/sudo/alerts/secure_path.html
> I've a few questions concerning this part:
> Sudo "secure path" feature works by replacing the PATH environment 
> variable with a value specified in the sudoers file, or at compile time if 
> the --with-secure-path configure option is used.
> Is there any configuration related to that in sudoers or is it only a 
> configure/compile option?

Sudo 1.7.0 and higher has the "secure_path" Defaults setting in
sudoers.  For older versions of sudo it was a compile-time option

> Can you confirm that this doesn't apply if sudo is not configured with the 
> --with-secure-path option?
> By default, is this option set to yes if you configure with the default 
> options (./configure) ?
> Is it possible to determine if your sudo has been builded with this 
> configuration option (in sudo -V output probably) ?

For sudo 1.6.0 and higher if you run "sudo -V" as root you will
see something like this:

    Value to override user's $PATH with: /usr/bin:/bin

if sudo has been built with --with-secure-path enabled.

 - todd

More information about the sudo-users mailing list