[sudo-users] security bug -- sudo undefines functions in environment

Edward Capriolo edlinuxguru at gmail.com
Mon Aug 4 13:53:00 MDT 2014

I think if your approached these on a case by case basis you have the basis
for a feature request. Right now it sounds like you want something like:

Defaults        env_reset_HARD

I was following your argument with DISPLAY and TERM env variables. I have
some experience with PAM and well, PAM is a beast. I remember it has many
corner cases and strange rules when working with some modules. It was all
documented but just about every time I saw and example PAM+LDAP
configuration they each had subtle tweaks and did not really work the way
people thought they did.

On Mon, Aug 4, 2014 at 2:13 PM, L. A. Walsh <sudo at tlinx.org> wrote:

> Edward Capriolo wrote:
>> It seems like you have full control over what you would want to reset.
>> http://superuser.com/questions/232231/how-do-i-make-sudo-preserve-my-
>> environment-variables
> That's the problem -  it **seems** .. but you really don't.
> Things that the environment rely on are deleted, so instead of read-only
> functions being executed, random hacker-placed files can be run from disk.
> Seems like a new attack vector, similar to placing rogue binaries in CWD
> hoping
> the a root user will run a prog in that dir.

More information about the sudo-users mailing list