[sudo-users] security bug -- sudo undefines functions in environment

L. A. Walsh sudo at tlinx.org
Sat Aug 9 21:11:53 MDT 2014


Edgar Matzinger wrote:
>
> Oh, OK. And specifying them in env_keep didn't work? Strange.
It might work now, but there were specific places like when it asked for
a new session that it ignored requests to preserve the environment.

It's in the suse bug database somewhere, or possibly split to the
discussion groups... as some get discussed multiple times in both places.

I've reported many problems, some posted with solutions, but generally
they don't want to hear it.

A simple example -- making vim/gvim using dynamic loading on python, perl,
ruby and maybe one other that it allows scripting in.  It's been done that
way on windows for years -- if you didn't use one of those you didn't need
it on your system.   Not on suse.  I even attached the build changes in
the rpm to do it -- IT's IN the standard VIM BUILD!, but they refuse.
I mention that if a library is missing, or if someone wants to upgrade one
of those interpreters, then vim won't work -- it's more important to have
a text editor that works than have all those built-in.  But the attitude
there is to build-in "traps" like a broken editor if you do something you
aren't supposed to -- like upgrade your perl to solve a bug.  Not
supported!  (And I know enough to recompile extensions w/a perl upgrade).

>>    No,... like set an envvar readonly to indicate that env-read-only
>> functions are defined... they both propagate the same way.
>> (aliases don't though)...
>
> I gather you want to save time by not redefining these functions
> every time a shell is started? Or don't want to change the
> content of those functions?
----
    Both... want to define them read-only and not have them read in with
each subshell.


>
> But the title and prompt functions stay the same, don't they?
> So, you could reload them for every new shell.
>
>>> Those can be added to sudoers to be included in the list of
>>> variables to be propagated.
>> ----
>>    Yeah, but the way my distro had pam_env setup, it cleared them by
>> default...
>
> Then you have to reconfigure the sudo set up to reflect
> your environment. And not rely on the builders of the distro
> you're using. What distro are you using BTW?
----
    Well... tried that and found no way to make !env_reset apply to
functions.

    Thus I protested.

    If it was configurable, I wouldn't mind, but the alternative is me
patching sudo again (was for a different reason, but had patched it in the
past for some other reason).... and I get tired of carrying forward so many
patches.

(Distro=opensuse -- though bastardized... running 13.1 w/o systemd...
(shame on me!))
