[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Wed Aug 6 08:04:18 MDT 2014


On Wed, 06 Aug 2014 13:56:45 +0100, Tim Bradshaw wrote:

> Although it's pathological (and I suspect may not be compliant with
> whatever) at least some platforms allow '=' in environment variable
> names.  I am not sure if this matters.

POSIX doesn't allow '=' in environment variable names.  While BSD
setenv() has traditionally allowed a '=' in the name, it is treated
like the end of string and is not actually stored.

 - todd
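
An added illustration, not part of the original message and not sudo's code: a NAME=value entry is split at its first '=', so a name that itself contains '=' cannot be stored or looked up as such. The helper names and the sample envp array are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the name in a "NAME=value" entry: the bytes before the first
 * '='. Returns 0 when the entry has no '=' or the name is empty. */
size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : 0;
}

/* POSIX setenv() requires a non-empty name that contains no '='. */
int env_name_ok(const char *name)
{
    return name != NULL && *name != '\0' && strchr(name, '=') == NULL;
}

/* getenv()-style lookup over an envp-style array: an entry matches only
 * when its first '=' sits right after the requested name. */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t n;

    if (!env_name_ok(name))
        return NULL;            /* "A=B" can never name a variable */
    n = strlen(name);
    for (; *envp != NULL; envp++)
        if (env_name_len(*envp) == n && strncmp(*envp, name, n) == 0)
            return *envp + n + 1;
    return NULL;
}

int main(void)
{
    char *const envp[] = { "A=B=C", "PATH=/bin", NULL };   /* constructed */
    const char *v = env_lookup(envp, "A=B");
    int rc;

    printf("A   -> %s\n", env_lookup(envp, "A"));
    printf("A=B -> %s\n", v ? v : "(no such variable)");

    /* What the local libc does with '=' in the name is platform-dependent;
     * POSIX specifies failure with EINVAL. GR_DEMO is a made-up name. */
    errno = 0;
    rc = setenv("GR_DEMO=X", "1", 1);
    printf("setenv rc=%d (%s)\n", rc, rc ? strerror(errno) : "accepted");
    return 0;
}
```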

