[sudo-users] security bug -- sudo undefines functions in environment

Tim Bradshaw tfb at tfeb.org
Wed Aug 6 08:51:19 MDT 2014

On 6 Aug 2014, at 15:04, Todd C. Miller <Todd.Miller at courtesan.com> wrote:

> POSIX doesn't allow '=' in environment variable names.  While BSD
> setenv() has traditionally allowed a '=' in the name, it is treated
> like the end of string and is not actually stored.

On both a recent Linux (Ubuntu patched to date) and recent OS X you can get things with '=' into the environment.  For instance:

	#!/usr/bin/env perl
	$ENV{"HORRIBLE=THING"} = "horrible";

and you can check that what's in the environment is what it looks like (ie it's not HORRIBLE with a value "THING=horrible").

I'm not claiming that horrors like this are compliant (they clearly are not), or even that sudo needs to care about them as I haven't thought that through at all.  But it might, perhaps, and they definitely can happen.

More information about the sudo-users mailing list