[sudo-users] security bug -- sudo undefines functions in environment
Tim Bradshaw
tfb at tfeb.org
Wed Aug 6 08:51:19 MDT 2014
On 6 Aug 2014, at 15:04, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
>
> POSIX doesn't allow '=' in environment variable names. While BSD
> setenv() has traditionally allowed a '=' in the name, it is treated
> like the end of string and is not actually stored.
On both a recent Linux (Ubuntu patched to date) and recent OS X you can get things with '=' into the environment. For instance:
#!/usr/bin/env perl
$ENV{"HORRIBLE=THING"} = "horrible";
system("env");
and you can check that what's in the environment is what it looks like (ie it's not HORRIBLE with a value "THING=horrible").
I'm not claiming that horrors like this are compliant (they clearly are not), or even that sudo needs to care about them as I haven't thought that through at all. But it might, perhaps, and they definitely can happen.
More information about the sudo-users
mailing list