[sudo-users] security bug -- sudo undefines functions in environment
Todd C. Miller
Todd.Miller at courtesan.com
Sun Aug 3 14:23:57 MDT 2014

You've got it backwards; allowing arbitrary bash functions from the
user's environment to be defined in a root shell is the security
bug. Allowing this makes it possible for anyone to get around the
restrictions in sudoers, which was assigned CVE-2004-1051. Sudo
started removing bash functions from the environment in version
1.6.8p2 (released almost 10 years ago) so this is not a recent
change.

I'm sorry if it causes problems for you but the behavior is not
going to change.

- todd
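
The filtering described in the message above, as an added example that is not part of the original post and is not sudo's own code. It assumes bash's convention of passing an exported function as an environment entry whose value begins with `() {`; the function names and the sample environment are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if a "NAME=value" entry looks like an exported bash function,
 * i.e. the value starts with "()" (assumed bash encoding, see lead-in). */
int is_bash_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;               /* no '=': not a NAME=value entry */
    return strncmp(eq + 1, "()", 2) == 0;
}

/* Compacts a NULL-terminated environment array in place, dropping every
 * entry that carries a function definition. Returns the number removed. */
size_t strip_bash_functions(char **envp)
{
    char **src, **dst = envp;
    size_t removed = 0;

    for (src = envp; *src != NULL; src++) {
        if (is_bash_function(*src))
            removed++;          /* skip: do not pass to the privileged shell */
        else
            *dst++ = *src;      /* keep ordinary variables */
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real system. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "greet=() { echo hello; }",             /* function, older encoding */
        "BASH_FUNC_greet%%=() { echo hello; }", /* function, newer encoding */
        "NOTE=parentheses () inside a value",   /* ordinary variable, kept */
        "TERM=xterm",
        NULL
    };
    size_t removed = strip_bash_functions(env);

    printf("removed %zu function definition(s)\n", removed);
    for (char **ep = env; *ep != NULL; ep++)
        printf("kept: %s\n", *ep);
    return 0;
}
```

Matching on the value rather than the variable name means both encodings are caught, while a value that merely contains `()` later in the string is left alone.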