[sudo-users] security bug -- sudo undefines functions in environment

Edgar Matzinger poll at edgar-matzinger.nl
Wed Aug 6 23:54:43 MDT 2014


Hi Linda,

L. A. Walsh wrote:
> Edgar wrote:
>>
>> PS1='\u@\h:\w\$ '
>> You can also use PROMPT_COMMAND.
> Too limited.
> 
> I have something like:
>    read _CRST <<<"$(tput sgr0)"     # Reset
>    read _CRed <<<"$(tput setaf 1)"  # Red
>    read _CBLD <<<"$(tput bold)"     # Bold
>    declare _prompt_open="" _prompt_close="" _prompt=">"
>    declare _disp_port=${DISPLAY/[^:]*:/}
>    printf -v qUSER "%q" $USER
>    typeset -x qUSER
> 
>    [[ $UID -eq 0 ]] && {
>        _prompt_open="$_CBLD$_CRed"
>        _prompt="#"
>        _prompt_close="$_CRST"
>    }
>    PS1='\['"$_prompt_open"'\]$(spwd "$PWD")'"$_prompt"'\['"$_prompt_close"'\] '
>    if [[ -n ${REMOTEHOST:-""} ]]; then
>        function titlebar {
>            printf "\033]1;${qUSER}@${HOSTNAME}:%q\007" "$(spwd "$PWD")"
>        }
>        export -f titlebar
> 
>        PS1='\[$(titlebar)'"$_prompt_open"'\]${HOSTNAME}:$(spwd "$PWD")'"$_prompt"'\['"$_prompt_close"'\] '
>    fi
> 

The only difficult part in here is spwd. The rest is easy:

PS1='\[$(tput bold)$(tput setaf 1)\]\u@\H:\w$([[ $(id -u) -eq 0 ]] && echo "#" || echo ">")\[$(tput sgr0)\] '

NB note this is a single line!

Please note that the window title is not set here. You could
add the function 'titlebar' before the first tput.

<snip rather nice, but complicated, spwd function>

> The PS1 prompt also sets my Terminal title w/current dir so I can
> know what window is open to what dir when all are minimized.

To accomplish this, I've created aliases for cd, ssh, sudo and
other commands which may change the title...

> In fact, I had to set up REMOTEHOST and DISPLAY in pam_env...

Oh, OK. And specifying them in env_keep didn't work? Strange.

>    No,... like set an envvar readonly to indicate that env-read-only
> functions are defined... they both propagate the same way.
> (aliases don't though)...

I gather you want to save time by not redefining these functions
every time a shell is started? Or don't want to change the
content of those functions?

But the title and prompt functions stay the same, don't they?
So, you could reload them for every new shell.

>> Those can be added to sudoers to be included in the list of
>> variables to be propagated.
> ----
>    Yeah, but the way my distro had pam_env setup, it cleared them by
> default...

Then you have to reconfigure the sudo setup to reflect your
environment, and not rely on the builders of the distro you're
using. What distro are you using BTW?

Kind regards, Edgar.
-- 
Edgar Matzinger                               \\\|///
                                            \\  - -  //
                                             (  @ @  )
-------------------------------------------oOOo-(_)-oOOo------
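A worked illustration of the subject line, added by the editor and not part of the thread: bash exports a function (`export -f`) as an environment entry whose value begins with "() {", a child bash imports it at startup, and sudo by default drops such entries (sudoers(5): values beginning with "()" are removed unless both name and value are matched by env_keep or env_check), because otherwise a caller could ship a function that shadows a command into a shell running as the target user. The script also shows the alternative Edgar suggests above, defining the prompt functions in a file that every new shell sources instead of carrying them through the environment. The function names (exported_function_names, child_sees_function, sudo_like_child_sees, rcfile_child_sees), the shadowed `ls`, and the temporary rc file are the editor's own constructions; `env -i` stands in for sudo's cleaned environment.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Re-exec under bash if started by another sh,
# because `export -f` and function import are bash features.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Names of the functions bash has placed in our environment. Bash encodes an
# exported function as an environment variable whose value begins with "() {";
# the variable is named after the function, wrapped as BASH_FUNC_name%% or
# BASH_FUNC_name() on post-2014 releases, so strip that wrapping.
exported_function_names() {
    env | awk -F= '$2 ~ /^\(\) \{/ { print $1 }' \
        | sed -E 's/^BASH_FUNC_//; s/(%%|\(\))$//'
}

# What a child bash started with our full environment thinks $1 is
# (`type -t` answers function, builtin, file, ...).
child_sees_function() {
    bash -c "type -t $1" 2>/dev/null || echo none
}

# Emulate sudo's default handling: the child gets a scrubbed environment
# (here: nothing but PATH), so the "()" entry never reaches it.
sudo_like_child_sees() {
    env -i PATH="$PATH" bash -c "type -t $1" 2>/dev/null || echo none
}

# The alternative the reply recommends: do not carry functions through the
# environment; define them in a file every shell sources. Works under the
# scrubbed environment too. (Hypothetical titlebar, same OSC sequence as the thread.)
rcfile_child_sees() {
    local rc
    rc=$(mktemp) || return 1
    cat >"$rc" <<'EOF'
titlebar() { printf '\033]1;%s@%s:%s\007' "$USER" "$HOSTNAME" "$PWD"; }
EOF
    env -i PATH="$PATH" bash -c 'source "$1"; type -t titlebar' _ "$rc" 2>/dev/null || echo none
    rm -f "$rc"
}

# Demo: export a function that shadows ls. Any bash that imports the
# environment now runs this instead of /bin/ls when asked for `ls`.
ls() { echo "not the real ls"; }
export -f ls

demo() {
    printf 'exported functions in env: %s\n' "$(exported_function_names | tr '\n' ' ')"
    printf 'child bash sees ls as:     %s\n' "$(child_sees_function ls)"
    printf 'env -i child sees ls as:   %s\n' "$(sudo_like_child_sees ls)"
    printf 'sourced rc file gives:     %s\n' "$(rcfile_child_sees)"
}
demo
```

Run it as a script under bash; the first line of output lists `ls` among the exported functions, the child with the full environment reports `ls` as a function, and the `env -i` child reports it as a file. That difference is exactly what sudo enforces, so adding function-carrying variables to env_keep would reopen it; sourcing an rc file keeps the prompt and title helpers without crossing the privilege boundary in the environment.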


More information about the sudo-users mailing list