[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Wed Aug 6 10:00:19 MDT 2014

On Wed, 06 Aug 2014 15:51:19 +0100, Tim Bradshaw wrote:

> On both a recent Linux (Ubuntu patched to date) and recent OS X you can get t
> hings with '=' into the environment.  For instance:
> 	#!/usr/bin/env perl
> 	$ENV{"HORRIBLE=THING"} = "horrible";
>  	system("env");
> and you can check that what's in the environment is what it looks like (ie it
> 's not HORRIBLE with a value "THING=horrible").

I believe that these systems store the environment as a tree
internally.  However, as soon as you call exec the environment is
flattened.  This means that in the process you set the variable you
can resolve "HORRIBLE=THING" but if you run another command as a
child process it can only resolve "HORRIBLE".  For instance:

    #!/usr/bin/env perl
    $ENV{"HORRIBLE=THING"} = "horrible";
    system("printenv HORRIBLE");


 - todd

More information about the sudo-users mailing list