[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Wed Aug 6 06:22:33 MDT 2014


On Tue, 05 Aug 2014 18:14:18 -0700, "L. A. Walsh" wrote:

> As for what I want -- just add a flag that says "environment preserving
> applies to functions as well" -- then it can work in the whitelist or the
> blacklist case.  I.e. it would have complete forward compatibility (nothing
> new enabled by default), but would allow functions in the environment
> to have the same status as variables.  i.e. either whitelisting by name
> foobar() snore()  andthisonetoo(), or blanket approval and blacklisting if
> someone wants blacklisting.

I am toying with the idea of allowing the whitelist/blacklist entries
to match the full var=value string if the whitelist/blacklist part
includes an '='.  So in this case, one could do:

    env_keep += "foo=()*"

to match the function named foo with any contents.  If no '=' is
found in the env_keep/env_delete string only the name would be
matched which preserves the old behavior.

 - todd
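An added example, not sudo's own code, sketching the matching rule proposed above: an env_keep/env_delete entry containing '=' is globbed against the whole NAME=value string, while an entry without '=' is matched against the name only. The function names and the use of fnmatch(3) for both cases are my assumptions, not sudo's implementation.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Proposed semantics: a pattern with '=' matches the full "NAME=value"
 * string using shell-style globbing; a pattern without '=' matches the
 * name part only (today's behaviour). Hypothetical helper, not sudo's. */
bool env_entry_matches(const char *pattern, const char *envstr)
{
    const char *eq = strchr(envstr, '=');
    size_t namelen = eq ? (size_t)(eq - envstr) : strlen(envstr);
    char name[256];

    if (strchr(pattern, '=') != NULL)
        return fnmatch(pattern, envstr, 0) == 0;   /* whole NAME=value */

    if (namelen >= sizeof name)
        return false;                              /* oversized name: no match */
    memcpy(name, envstr, namelen);
    name[namelen] = '\0';
    return fnmatch(pattern, name, 0) == 0;         /* name only (assumed glob) */
}

/* Whitelist filter: copy into 'out' every env entry that some pattern
 * matches, preserving order; returns the number kept. */
size_t env_keep_filter(const char *const *patterns, size_t npat,
                       const char *const *env, size_t nenv, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < nenv; i++) {
        for (size_t p = 0; p < npat; p++) {
            if (env_entry_matches(patterns[p], env[i])) {
                out[kept++] = env[i];
                break;
            }
        }
    }
    return kept;
}

int main(void)
{
    /* Constructed sample: env_keep += "foo=()*" plus a plain name entry. */
    const char *pats[] = { "foo=()*", "PATH" };
    const char *env[] = { "foo=() {  echo hi\n}", "PATH=/usr/bin",
                          "foo=notafunction", "bar=() { :; }" };
    const char *kept[4];
    size_t n = env_keep_filter(pats, 2, env, 4, kept);
    for (size_t i = 0; i < n; i++)
        printf("kept: %s\n", kept[i]);
    return 0;
}
```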
