Martin Pitt wrote:
> I still think that the current sid version is broken: it does nothing
> to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
> PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
> from stable, and for new installations it disables environment passing
> completely, which breaks lots of scripts and users which/who do
> 'VAR=value sudo foo'.
>
> I discussed this a bit with Matt Zimmerman, Scott Remnant, and Colin
> Watson, and our current agreement is as follows:
>
> * We use Joey's whitelist approach if the user has limited sudo
> access, since it's the only sane long term solution and fixes the
> issue not only for brand new installations.
>
> * If the user has unlimited access anyway (i.e. "ALL" commands),
> then we do not filter out environment variables. The user can shoot
> himself in the foot much easier. And e.g. for developers it does
> indeed make sense to set a library path to a development version in
> his HOME temporarily for testing something.
>
> I would appreciate if Debian and Ubuntu would find a common solution.
> What do you think about this approach?

I believe this is a sane approach.

Bdale, what do you think?

What's the current implementation in version 1.6.8p12-1 anyway?

Regards,
Joey
--
Never trust an operating system you don't have source for!
Please always Cc to me when replying to me on the lists.
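
The policy proposed in the quoted message, sketched as an added example that is not part of the original mail and not sudo's code. The whitelist and blacklist contents, the function names and the sample environment are assumptions made for illustration; the point is that a blacklist lets the variables named in the message through, while the whitelist drops them for limited users and "ALL" users keep their environment.

```python
"""Added illustration of the proposed policy; not sudo's implementation."""

# Constructed whitelist (assumption): variables considered harmless to pass on.
ENV_WHITELIST = frozenset({"TERM", "LANG", "LC_ALL", "TZ", "DISPLAY"})
# Constructed blacklist (assumption): a denylist that knows only a few names.
ENV_BLACKLIST = frozenset({"LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5LIB"})


def has_unlimited_access(allowed_commands):
    """True when the user's rule grants "ALL" commands."""
    return "ALL" in allowed_commands


def blacklist_filter(env):
    """Drop only known-bad names; anything not yet listed passes through."""
    return {k: v for k, v in env.items() if k not in ENV_BLACKLIST}


def whitelist_filter(env):
    """Keep only known-safe names; everything else is dropped."""
    return {k: v for k, v in env.items() if k in ENV_WHITELIST}


def build_command_env(env, allowed_commands):
    """Proposed policy: no filtering for "ALL" users, whitelist for limited ones."""
    if has_unlimited_access(allowed_commands):
        return dict(env)
    return whitelist_filter(env)


# Constructed caller environment using the variables named in the message.
SAMPLE_ENV = {
    "TERM": "xterm",
    "LC_ALL": "C",
    "LD_PRELOAD": "/home/dev/libtest.so",
    "JAVA_TOOL_OPTIONS": "-Dexample=1",
    "PYTHONHOME": "/home/dev/py",
    "RUBYLIB": "/home/dev/ruby",
}

if __name__ == "__main__":
    print("blacklist:", sorted(blacklist_filter(SAMPLE_ENV)))
    print("limited  :", sorted(build_command_env(SAMPLE_ENV, ["/usr/bin/apt-get"])))
    print("ALL      :", sorted(build_command_env(SAMPLE_ENV, ["ALL"])))
```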