[sudo-users] security bug -- sudo undefines functions in environment
Tim Bradshaw
tfb at tfeb.org
Thu Aug 7 05:17:44 MDT 2014
On 6 Aug 2014, at 17:00, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> I believe that these systems store the environment as a tree
> internally.
There are clearly massive bogons here.
Given this crappy program:
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char *argv[]) {
int i;
for (i = 1; i < argc; i++) {
char *ei = getenv(argv[i]);
if (ei) {
printf("ENV '%s' = '%s'\n", argv[i], ei);
} else {
printf("NOENV '%s'\n", argv[i]);
}
}
return 0;
}
Then on OS X I can look up PATH, but I can also look up PATH=anything=at-all (and get the value of PATH). On Linux I can only look up PATH: the others fail.
Oh Unix, I love you so much.
More information about the sudo-users
mailing list