[sudo-users] security bug -- sudo undefines functions in environment
edlinuxguru at gmail.com
Mon Aug 4 13:53:00 MDT 2014
I think if you approached these on a case by case basis you have the basis
for a feature request. Right now it sounds like you want something like:
I was following your argument with DISPLAY and TERM env variables. I have
some experience with PAM and well, PAM is a beast. I remember it has many
corner cases and strange rules when working with some modules. It was all
documented but just about every time I saw an example PAM+LDAP
configuration they each had subtle tweaks and did not really work the way
people thought they did.
On Mon, Aug 4, 2014 at 2:13 PM, L. A. Walsh <sudo at tlinx.org> wrote:
> Edward Capriolo wrote:
>> It seems like you have full control over what you would want to reset.
> That's the problem - it **seems** .. but you really don't.
> Things that the environment rely on are deleted, so instead of read-only
> functions being executed, random hacker-placed files can be run from disk.
> Seems like a new attack vector, similar to placing rogue binaries in CWD
> that a root user will run a prog in that dir.
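The behaviour Walsh describes above, as an added shell demonstration that is not code from the thread: an exported bash function is visible to a child shell, but once the environment is reset the same name resolves to whatever program of that name sits on the PATH. It assumes `env -i` as a stand-in for sudo's env_reset (sudo itself is not run), and the names `lsx`, `run_name`, `exported_functions` and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added demonstration, not code from the thread. `env -i` stands in for
# sudo's env_reset (assumption: sudo is not invoked, only the reset is
# simulated). Requires bash, because `export -f` is a bash feature.

bash_bin=$(command -v bash)

# Constructed sample: a throwaway directory holding an on-disk program
# called "lsx", plus (in run_name) a shell function of the same name.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho on-disk-program\n' > "$demo_dir/lsx"
chmod +x "$demo_dir/lsx"

# run_name NAME RESET
#   Defines and exports a bash function NAME, then runs NAME in a child
#   shell. With RESET=yes the child starts from an empty environment, as
#   it would under env_reset; with RESET=no it inherits the parent's.
#   Prints "shell-function" or "on-disk-program", whichever actually ran.
run_name() {
    if [ "$2" = yes ]; then
        inner="env -i PATH=\"$demo_dir\" $bash_bin -c '$1'"
    else
        inner="bash -c '$1'"
    fi
    PATH="$demo_dir:$PATH" bash -c "$1() { echo shell-function; }; export -f $1; $inner"
}

# exported_functions SETUP
#   Defender-side check: runs the bash snippet SETUP and lists the function
#   names it leaves exported, i.e. exactly the definitions an environment
#   reset will drop. Pass the setup your real login shell performs to see
#   which names will stop resolving to functions under sudo.
exported_functions() {
    "$bash_bin" -c "$1; env" | sed -n 's/^BASH_FUNC_\(.*\)%%=.*/\1/p'
}

echo "without reset: $(run_name lsx no)"   # shell-function
echo "with reset:    $(run_name lsx yes)"  # on-disk-program
echo "exported names: $(exported_functions 'lsx() { :; }; export -f lsx')"
```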