[sudo-users] security bug -- sudo undefines functions in environment
L. A. Walsh
sudo at tlinx.org
Mon Aug 4 12:13:12 MDT 2014
Edward Capriolo wrote:
> It seems like you have full control over what you would want to reset.
>
> http://superuser.com/questions/232231/how-do-i-make-sudo-preserve-my-environment-variables
>
That's the problem - it **seems** .. but you really don't.
Things that the environment rely on are deleted, so instead of read-only
functions being executed, random hacker-placed files can be run from disk.
Seems like a new attack vector, similar to placing rogue binaries in CWD
hoping
the a root user will run a prog in that dir.
More information about the sudo-users
mailing list