[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Sun Aug 3 14:23:57 MDT 2014


You've got it backwards; allowing arbitrary bash functions from the
user's environment to be defined in a root shell is the security
bug.  Allowing this makes it possible for anyone to get around the
restrictions in sudoers, which was assigned CVE-2004-1051.  Sudo
started removing bash functions from the environment in version
1.6.8p2 (released almost 10 years ago) so this is not a recent
change.

I'm sorry if it causes problems for you but the behavior is not
going to change.

 - todd
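
An added illustration of the filtering described in the message above; it is not part of the original post and is not sudo's source code. It assumes an exported bash function can be recognized by an environment value that begins with `()`; the function names and the sample environment are hypothetical and constructed.

```c
/* Added illustration (not sudo's source): drop environment entries whose
 * value looks like an exported bash function, i.e. begins with "()".
 * The test looks only at the value, so it applies to any variable name. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if "NAME=value" has a value starting with "()". */
static int is_bash_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && strncmp(eq + 1, "()", 2) == 0;
}

/* Compacts envp in place, keeping only non-function entries.
 * Returns the number of entries removed; envp stays NULL-terminated. */
static size_t strip_bash_functions(char **envp)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (is_bash_function(envp[i]))
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

/* Constructed sample environment handed to a privileged command. */
static char *sample_env[] = {
    "PATH=/usr/bin:/bin",
    "ls=() { echo constructed-sample; }",
    "TERM=xterm",
    "NOTE=text with () in the middle",
    "cd=() {  :; }",
    NULL
};

int main(void)
{
    size_t n = strip_bash_functions(sample_env);
    printf("removed %zu entries\n", n);
    for (char **ep = sample_env; *ep != NULL; ep++)
        printf("kept: %s\n", *ep);
    return 0;
}
```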

