[sudo-users] security bug -- sudo undefines functions in environment
L. A. Walsh
sudo at tlinx.org
Mon Aug 4 00:11:31 MDT 2014
Todd C. Miller wrote:
> You've got it backwards, allowing arbitrary bash functions from the
> user's environment to be defined in a root shell is the security
> bug. Allowing this makes it possible for anyone to get around the
> restrictions in sudoers, which was assigned CVE-2004-1051. Sudo
> started removing bash functions from the environment in version
> 1.6.8p2 (released almost 10 years ago) so this is not a recent
> change.
>
> I'm sorry if it causes problems for you but the behavior is not
> going to change.
>
----
Can you explain why it shouldn't be configurable?
More information about the sudo-users
mailing list