Mailinglist Archive: opensuse-bugs (15851 mails)

[Bug 145687] sudo clobbers path
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Mon, 20 Aug 2007 02:38:50 -0600 (MDT)
  • Message-id: <20070820083850.DA685CC792@xxxxxxxxxxxxxxxxxxxxxx>
https://bugzilla.novell.com/show_bug.cgi?id=145687#c16


Marcus Meissner <meissner@xxxxxxxxxx> changed:

           What    |Removed                                         |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                                        |NEW
      Info Provider|security-team@xxxxxxx                           |




--- Comment #16 from Marcus Meissner <meissner@xxxxxxxxxx>  2007-08-20 02:38:50 MST ---
While Ludwig only showed up briefly today, he had the following statement
(I hope I have it correctly).

Allowing unprotected/unchecked PATH or other environment variables by
default makes holes in sudo, because there are then ways to break out
of the predefined applications, allowing the user to become root.


The various sudo security updates we did over time were all "interesting"
environment variables being passed, which could be used to do such an escape.

For local use, you can use env_keep I guess.


-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
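
A defender-side check for the point made in comment #16, added here as an example (it is not part of the bug report, the mail, or sudo itself): it scans sudoers text for settings that let caller-controlled environment variables reach the command. The `RISKY` list and the `SAMPLE` sudoers content are assumptions constructed for illustration; `env_reset`, `env_keep`, `setenv` and the `SETENV:` tag are sudoers options.

```python
import re
from fnmatch import fnmatchcase

# Illustrative, not exhaustive: variables that influence which code a command loads or runs.
RISKY = ("PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB", "BASH_ENV", "ENV", "IFS")

# Constructed sudoers content for the demonstration (not taken from the bug report).
SAMPLE = r'''
Defaults env_reset
Defaults env_keep += "LANG LC_* PATH"
Defaults:alice !env_reset
Defaults env_keep += "EDITOR \
                      LD_*"
bob ALL=(root) SETENV: /usr/bin/rsync
'''

def audit_sudoers(text):
    """Return (kind, detail) findings for settings that pass caller-controlled environment to the command."""
    findings = []
    text = re.sub(r"\\\r?\n", " ", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"Defaults\S*\s+(.*)", line)
        if not m:
            # User specification: the SETENV tag lets the caller choose the environment.
            if re.search(r"\bSETENV\s*:", line):
                findings.append(("setenv_tag", line))
            continue
        settings = m.group(1)
        if re.search(r"!\s*env_reset\b", settings):
            findings.append(("env_reset_disabled", line))
        if re.search(r"(?<!!)\bsetenv\b", settings):
            findings.append(("setenv_default", line))
        for km in re.finditer(r'\benv_keep\s*\+?=\s*(?:"([^"]*)"|([^\s,]+))', settings):
            for entry in (km.group(1) or km.group(2)).split():
                pattern = entry.split("=", 1)[0]  # entries may be NAME or NAME=value
                # env_keep accepts wildcards, so match each risky name against the pattern.
                hits = [v for v in RISKY if fnmatchcase(v, pattern)]
                if hits:
                    findings.append(("env_keep_risky", f"{pattern} -> {', '.join(hits)}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_sudoers(SAMPLE):
        print(f"{kind:20} {detail}")
```

The parser covers `Defaults` lines and the `SETENV:` tag only; it does not follow include directives or resolve the order in which later `Defaults` entries override earlier ones.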
