[sudo-users] security bug -- sudo undefines functions in environment

L. A. Walsh sudo at tlinx.org
Sat Aug 2 22:11:14 MDT 2014


I'm not quite sure what changed exactly, but for how long
has sudo filtered out functions regardless of settings to
preserve the environment?

It's causing problems in my setup, with prompts not changing
(functions in the prompts). No alert that I'm in root --
(usually prompt changes to red and ends with a "#").
Now no change...

Command completion no longer works because
it uses hundreds of functions:

>  typeset -f|grep '()'|wc
    377     728    6879
>  sudo
bash: titlebar: command not found
/home/law/bin/spwd: line 35: spwd: readonly function
>  typeset -f |wc
      0       0       0


So because the function 'spwd' was missing, it tried to find an 'spwd'
on disk to run (running random commands now happens due to missing
functions).

But then it couldn't define the function because the function was
defined read-only!

When people say "don't reset the environment" and sudo
wipes all of the admin's functions out, that doesn't make things
more secure...

I tried looking at a few versions of the source, but couldn't see
when it was added...?

Not sure why I just got hit with this, but something to do
with a "bash_completion" package I installed causing different
bash scripts to be called in some new order... hmmm...


