[sudo-users] security bug -- sudo undefines functions in environment

L. A. Walsh sudo at tlinx.org
Mon Aug 4 00:11:31 MDT 2014

Todd C. Miller wrote:
> You've got it backwards, allowing arbitrary bash functions from the
> user's environment to be defined in a root shell is the security
> bug.  Allowing this makes it possible for anyone to get around the
> restrictions in sudoers, which was assigned CVE-2004-1051.  Sudo
> started removing bash functions from the environment in version
> 1.6.8p2 (released almost 10 years ago) so this is not a recent
> change.
> I'm sorry if it causes problems for you but the behavior is not
> going to change.
   Can you explain why it shouldn't be configurable?


More information about the sudo-users mailing list