[sudo-users] security bug -- sudo undefines functions in environment
Todd C. Miller
Todd.Miller at courtesan.com
Wed Aug 6 10:00:19 MDT 2014
On Wed, 06 Aug 2014 15:51:19 +0100, Tim Bradshaw wrote:
> On both a recent Linux (Ubuntu patched to date) and recent OS X you can get
> things with '=' into the environment. For instance:
>
> #!/usr/bin/env perl
> $ENV{"HORRIBLE=THING"} = "horrible";
> system("env");
>
> and you can check that what's in the environment is what it looks like (ie
> it's not HORRIBLE with a value "THING=horrible").

I believe that these systems store the environment as a tree
internally. However, as soon as you call exec the environment is
flattened. This means that in the process you set the variable you
can resolve "HORRIBLE=THING" but if you run another command as a
child process it can only resolve "HORRIBLE". For instance:

    #!/usr/bin/env perl
    $ENV{"HORRIBLE=THING"} = "horrible";
    system("printenv HORRIBLE");

Yuck.

 - todd
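
Added example, not part of the original message and not sudo's code: a C sketch of the flattening described above, showing that the pairs ("HORRIBLE=THING", "horrible") and ("HORRIBLE", "THING=horrible") become the same "NAME=VALUE" string once handed to exec, so a consumer that splits at the first '=' sees only HORRIBLE. The helper names env_name_is_valid, env_flatten and env_lookup are hypothetical, and env_lookup is an assumed first-'=' parser, not any libc's getenv.

```c
#include <stdio.h>
#include <string.h>

/* Same rule POSIX setenv() applies: no empty name, no '=' in the name. */
int env_name_is_valid(const char *name)
{
    return name != NULL && *name != '\0' && strchr(name, '=') == NULL;
}

/* Flatten a (name, value) pair into the "NAME=VALUE" form passed to exec. */
int env_flatten(const char *name, const char *value, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s=%s", name, value);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Look up a name in a flat envp, splitting each entry at its first '='. */
const char *env_lookup(char *const envp[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq != NULL && (size_t)(eq - envp[i]) == len &&
            strncmp(envp[i], name, len) == 0)
            return eq + 1;
    }
    return NULL;
}

int main(void)
{
    char a[64], b[64];  /* constructed sample entries */
    env_flatten("HORRIBLE=THING", "horrible", a, sizeof a);
    env_flatten("HORRIBLE", "THING=horrible", b, sizeof b);
    char *const envp[] = { a, NULL };
    const char *v = env_lookup(envp, "HORRIBLE");

    printf("same flat entry: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    printf("HORRIBLE -> %s\n", v ? v : "(unset)");
    printf("name accepted by validator: %d\n",
           env_name_is_valid("HORRIBLE=THING"));
    return 0;
}
```

Code that filters or whitelists environment variables by name can apply the env_name_is_valid rule before setting a variable, since the flat form cannot tell the two original pairs apart afterwards.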