[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Wed Aug 6 14:07:01 MDT 2014


On Tue, 05 Aug 2014 18:14:18 -0700, "L. A. Walsh" wrote:

> As for what I want -- just add a flag that says "environment preserving
> applies to functions as well" -- then it can work in the whitelist or the
> blacklist case.  I.e. it would have complete forward compatibility (nothing
> new enabled by default), but would allow functions in the environment
> to have the same status as variables.  I.e. either whitelisting by name
> foobar() snore() andthisonetoo(), or blanket approval and blacklisting if
> someone wants blacklisting.

Due to the way bash stores functions in the environment, you can't
match on "foo()": it is stored in the environment variable "foo",
and the parens are part of the value, not the name.

That is why I am proposing the ability to match on content as well
if the pattern in sudoers includes the '='.  Then it is a simple
matter of matching on "foo=()*".

 - todd
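The matching rule described in the message above, as an added illustration
that is not sudo's own code or Todd's patch: a sudoers environment pattern
without '=' is compared against the variable name only, while a pattern
containing '=' is compared against the whole "NAME=VALUE" string, so
"foo=()*" selects the exported function and "foo()" can never match.  The
sample environment is constructed here in the layout bash used at the time
(the function body stored as the value of a variable literally named "foo");
glob semantics are assumed to be fnmatch-style, which is an assumption, not
something the message specifies.  It also goes one step beyond the message
by showing that a content pattern of "*=()*" picks out every exported
function.  One caveat for anyone trying this today: newer bash releases
store exported functions under a differently encoded variable name
(BASH_FUNC_name%%), so the exact content pattern has to be adjusted on such
systems.

```python
"""Match sudoers-style environment patterns against NAME=VALUE entries.

Illustration only (not sudo's implementation): a pattern without '=' is
matched against the variable name; a pattern containing '=' is matched
against the whole "NAME=VALUE" entry, which is what lets "foo=()*" pick
out an exported bash function.
"""
import fnmatch

# Constructed sample environment in the layout bash used in August 2014:
# an exported function "foo" lives in a variable named "foo" whose value
# begins with "() {".  The parens are in the value, not the name.
SAMPLE_ENVIRON = [
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "HOME=/home/alice",
    "foo=() {  echo hello; }",
    "snore=() {  sleep 1; }",
    "foo_version=1.2",
    "LANG=en_US.UTF-8",
]


def entry_matches(entry, pattern):
    """Return True if the "NAME=VALUE" entry matches a sudoers pattern.

    Glob semantics are assumed to be fnmatch-style (an assumption made
    for this example).  '(' and ')' are literal characters in fnmatch,
    so "foo=()*" means: name "foo", value starting with "()".
    """
    if "=" in pattern:
        # Content match: compare against the full "NAME=VALUE" string.
        return fnmatch.fnmatchcase(entry, pattern)
    # Name-only match: everything after the first '=' is ignored, which
    # is why a pattern such as "foo()" cannot match anything.
    name = entry.split("=", 1)[0]
    return fnmatch.fnmatchcase(name, pattern)


def select(environ, patterns):
    """Return the entries matching any of the patterns (e.g. an env_delete set)."""
    return [e for e in environ if any(entry_matches(e, p) for p in patterns)]


def is_exported_function(entry):
    """True if the entry's value has the "() " prefix bash gave exported functions."""
    _, _, value = entry.partition("=")
    return value.startswith("() ")


if __name__ == "__main__":
    for pattern in ["foo()", "foo", "foo*", "foo=()*", "*=()*"]:
        print(f"{pattern!r:12} -> {select(SAMPLE_ENVIRON, [pattern])}")
    print("functions:", [e for e in SAMPLE_ENVIRON if is_exported_function(e)])
```

Running the block shows the three cases the message contrasts: the
name-only pattern "foo()" matches nothing, the name pattern "foo" matches
the function but would equally match an ordinary variable named foo, and
the content pattern "foo=()*" matches only the exported function.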

