[sudo-users] security bug -- sudo undefines functions in environment

Todd C. Miller Todd.Miller at courtesan.com
Thu Sep 25 15:59:35 MDT 2014

Sudo strips environment variables with values that start with
"() {" regardless of the value of env_reset.  This is the same way
bash matches potential functions in the environment.

For example:

rh7 [~] % env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

rh7 [~] % env x='() { :;}; echo vulnerable' sudo bash -c "echo this is a test"
this is a test

However, if you explicitly add the function in the environment via sudo:

rh7 [~] % sudo x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test

Adding arbitrary environment variables this way is only allowed if
the user has "sudo ALL" (in which case there is no extra privilege
obtained) or if the sudoers entry for the user has SETENV enabled.
Being able to set arbitrary environment variables has long been
known to allow for potential command execution with many script
interpreters and other programs so I don't think this is a problem.
Indeed, the sudoers manual says:

    Environment variables set on the command line are not subject
    to the restrictions imposed by env_check, env_delete, or env_keep.
    As such, only trusted users should be allowed to set variables
    in this manner.  If the command matched is ALL, the SETENV tag
    is implied for that command; this default may be overridden by
    use of the NOSETENV tag.

 - todd

More information about the sudo-users mailing list