[sudo-users] security bug -- sudo undefines functions in environment
Todd C. Miller
Todd.Miller at courtesan.com
Thu Sep 25 15:59:35 MDT 2014
Sudo strips environment variables with values that start with
"() {" regardless of the value of env_reset. This is the same way
bash matches potential functions in the environment.

For example:

    rh7 [~] % env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test
    rh7 [~] % env x='() { :;}; echo vulnerable' sudo bash -c "echo this is a test"
    this is a test

However, if you explicitly add the function in the environment via sudo:

    rh7 [~] % sudo x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

Adding arbitrary environment variables this way is only allowed if
the user has "sudo ALL" (in which case there is no extra privilege
obtained) or if the sudoers entry for the user has SETENV enabled.
Being able to set arbitrary environment variables has long been
known to allow for potential command execution with many script
interpreters and other programs so I don't think this is a problem.

Indeed, the sudoers manual says:

    Environment variables set on the command line are not subject
    to the restrictions imposed by env_check, env_delete, or env_keep.
    As such, only trusted users should be allowed to set variables
    in this manner. If the command matched is ALL, the SETENV tag
    is implied for that command; this default may be overridden by
    use of the NOSETENV tag.

- todd
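The following is an added example, not sudo's source and not part of the post above. It is a small Python model of the behaviour the message describes: values beginning with "() {" (the prefix bash used to recognise exported functions) are dropped from the inherited environment regardless of env_reset, while VAR=value assignments given on the sudo command line bypass that filter and are accepted only when the sudoers entry grants SETENV. The function names, the SetenvNotPermitted exception, and the sample environment are all constructed for illustration; the only thing taken from the post is the "() {" prefix check and the canary value used in its terminal sessions.

```python
"""Toy model of how sudo treats bash-function-style environment values.

Added example (not sudo's own code). It reproduces two rules from the
sudo-users post: (1) inherited variables whose value starts with "() {"
are stripped unconditionally, and (2) VAR=value arguments on the sudo
command line are not filtered, but are only accepted with SETENV.
"""
from __future__ import annotations

import os

# Prefix that unpatched bash used to identify an exported function;
# sudo applies the same test to every inherited variable.
FUNCTION_PREFIX = "() {"


class SetenvNotPermitted(Exception):
    """Raised when command-line assignments are given without SETENV (hypothetical name)."""


def looks_like_function(value: str) -> bool:
    """True if the value matches the pattern bash treats as an exported function."""
    return value.startswith(FUNCTION_PREFIX)


def strip_function_vars(environ: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Return (kept, stripped_names): drop every variable whose value looks like a function.

    This models the unconditional check the post describes; it does not
    depend on env_reset, env_keep or env_delete.
    """
    kept: dict[str, str] = {}
    stripped: list[str] = []
    for name, value in environ.items():
        if looks_like_function(value):
            stripped.append(name)
        else:
            kept[name] = value
    return kept, stripped


def build_command_env(inherited: dict[str, str],
                      cmdline_vars: dict[str, str],
                      setenv_allowed: bool) -> dict[str, str]:
    """Compose the environment a command run through sudo would receive (toy model).

    cmdline_vars stands for the VAR=value arguments placed before the
    command on the sudo command line. They are only permitted when the
    sudoers entry carries SETENV (implied by ALL unless NOSETENV), and,
    per the sudoers manual quoted in the post, they are not filtered.
    """
    env, _ = strip_function_vars(inherited)
    if cmdline_vars and not setenv_allowed:
        raise SetenvNotPermitted("sorry, you are not allowed to set environment variables")
    env.update(cmdline_vars)
    return env


def audit_current_environment() -> list[str]:
    """Names in this process's environment that sudo would strip (defensive check)."""
    _, stripped = strip_function_vars(dict(os.environ))
    return stripped


# Constructed sample input reproducing the post's scenario: the value is
# the harmless canary string from the post's own terminal sessions.
SAMPLE_INHERITED = {
    "HOME": "/home/user",
    "x": "() { :;}; echo vulnerable",
}

if __name__ == "__main__":
    kept, stripped = strip_function_vars(SAMPLE_INHERITED)
    print("stripped by sudo:", stripped)            # ['x']
    print("passed through:", sorted(kept))          # ['HOME']
    # With SETENV, the same variable given on the command line survives.
    print("x" in build_command_env(SAMPLE_INHERITED, {"x": SAMPLE_INHERITED["x"]}, True))
```

The audit helper is the part a defender would actually run: it lists any variable in the current environment that sudo's check would drop, which is a cheap way to confirm nothing function-shaped is being inherited before a privileged command is launched.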