[sudo-users] security bug -- sudo undefines functions in environment
Edward Capriolo
edlinuxguru at gmail.com
Mon Aug 4 13:53:00 MDT 2014
I think if your approached these on a case by case basis you have the basis
for a feature request. Right now it sounds like you want something like:
Defaults env_reset_HARD
I was following your argument with DISPLAY and TERM env variables. I have
some experience with PAM and well, PAM is a beast. I remember it has many
corner cases and strange rules when working with some modules. It was all
documented but just about every time I saw and example PAM+LDAP
configuration they each had subtle tweaks and did not really work the way
people thought they did.
On Mon, Aug 4, 2014 at 2:13 PM, L. A. Walsh <sudo at tlinx.org> wrote:
> Edward Capriolo wrote:
>
>> It seems like you have full control over what you would want to reset.
>>
>> http://superuser.com/questions/232231/how-do-i-make-sudo-preserve-my-
>> environment-variables
>>
>>
> That's the problem - it **seems** .. but you really don't.
>
> Things that the environment rely on are deleted, so instead of read-only
> functions being executed, random hacker-placed files can be run from disk.
>
> Seems like a new attack vector, similar to placing rogue binaries in CWD
> hoping
> the a root user will run a prog in that dir.
>
>
>
More information about the sudo-users
mailing list