[sudo-users] security bug -- sudo undefines functions in environment
Todd C. Miller
Todd.Miller at courtesan.com
Wed Aug 6 06:22:33 MDT 2014
On Tue, 05 Aug 2014 18:14:18 -0700, "L. A. Walsh" wrote:
> As for what I want -- just add a flag that says "environment preserving
> applies to functions as well" -- then it can work in the whitelist or the
> blacklist case. I.e. it would have complete forward compatibility (nothing
> new enabled by default), but would allow functions in the environment
> to have the same status as variables. i.e. either whitelisting by name
> foobar() snore() andthisonetoo(), or blanket approval and blacklisting if
> someone wants blacklisting.
I am toying with the idea of allowing the whitelist/blacklist entries
to match the full var=value string if the whitelist/blacklist part
includes an '='. So in this case, one could do:
env_keep += "foo=()*"
to match the function named foo with any contents. If no '=' is
found in the env_keep/env_delete string, only the name would be
matched, which preserves the old behavior.
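As an added illustration (this is not sudo's code and not code from the thread), the following Python model applies the proposed rule to a constructed environment: an entry containing '=' is matched as a glob against the whole "name=value" string, an entry without '=' is matched against the name only. It assumes fnmatch-style globbing for the entries and the old "name=() { ... }" form for exported functions.

```python
import fnmatch

# Constructed sample environment for this example, as a calling shell might
# export it: two exported functions in the "name=() { ... }" form plus some
# ordinary variables. Not taken from the thread.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "EDITOR": "vi",
    "foo": "() { echo hello; }",      # exported shell function
    "bar": "() { echo goodbye; }",    # exported shell function
    "foo_copy": "plain value",        # name starts with "foo" but is not foo
    "baz": "not a function",          # name could match, value is not a function
}


def entry_matches(entry, name, value):
    """Match one env_keep/env_delete entry against a single variable.

    Semantics proposed in the thread: if the entry contains '=', match it
    against the whole "name=value" string; otherwise match the name only,
    which is the existing behaviour. Using fnmatch-style globbing for the
    comparison is an assumption of this example.
    """
    if "=" in entry:
        return fnmatch.fnmatchcase(f"{name}={value}", entry)
    return fnmatch.fnmatchcase(name, entry)


def apply_env_keep(env, env_keep):
    """Whitelist case (env_reset): keep only variables some env_keep entry matches."""
    return {
        name: value
        for name, value in env.items()
        if any(entry_matches(e, name, value) for e in env_keep)
    }


def apply_env_delete(env, env_delete):
    """Blacklist case: drop variables some env_delete entry matches, keep the rest."""
    return {
        name: value
        for name, value in env.items()
        if not any(entry_matches(e, name, value) for e in env_delete)
    }


if __name__ == "__main__":
    # Whitelist: keep PATH, HOME and the function foo, but only because its
    # value really is a function body. bar, baz and foo_copy are dropped.
    kept = apply_env_keep(SAMPLE_ENV, ["PATH", "HOME", "foo=()*"])
    print(sorted(kept))                                   # ['HOME', 'PATH', 'foo']

    # Name-only entry: old behaviour, matches foo whatever its value is.
    print(sorted(apply_env_keep(SAMPLE_ENV, ["foo"])))    # ['foo']

    # Blacklist: strip every exported function, keep the plain variables.
    print(sorted(apply_env_delete(SAMPLE_ENV, ["*=()*"])))
    # ['EDITOR', 'HOME', 'PATH', 'baz', 'foo_copy']
```

The "baz=()*" case is the one worth noticing: a value-aware entry lets an administrator keep a specific function without also keeping an ordinary variable that happens to share its name, which a name-only entry cannot distinguish.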