[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 5 17:04:49 MDT 2014

Please understand that exported bash functions are just strings in
the environment.  There is no such thing as a read-only environment
variable--it is the shell that enforces attributes like read-only.
As far as I know, the read-only attribute is not preserved in
sub-shells as there is no way to specify in the environment that a
variable should be read-only.

For instance, the following bash function:

    foo () {
	echo bar

is stored in the environment as follows when exports:

    foo=() { echo bar; }

(In practice, there is a newline in there instead of a semicolon
but it is easier to talk about a single line).

The reason sudo doesn't pass through such environment variables is
that sudo does its environment matching based on the variable name.
So there is no way to distinguish between an environment variable
"foo" and a "foo" that bash will interpret as a function.  Since
functions get run in preference to commands on disk, you can see
how this has security ramifications.

In order to allow bash functions to be passed through safely, we
need a way to preserve these variables that also matches on the
beginning of the variable's value.  In other words, on the beginning
"() {".

 - todd

More information about the sudo-users mailing list