Package: sudo
Version: 1.7.2p1-1
Severity: minor
Tags: patch

The visudo manpage in Lenny contains some Debian-specific text regarding the choice of editor:

"On Debian systems, this list defaults to /usr/bin/editor, which is meant to be a system-wide default editor chosen through the alternatives system."

"Despite this potential risk, sudo on Debian is compiled with the --with-enveditor flag"

However, this is missing in the sid version. It *is* present in the source package's visudo.man.in, but at build time this is regenerated from visudo.pod, which was not changed.

The attached patch adds the text to the POD. It also fixes a minor error (--with-enveditor should be --with-env-editor).

It might also be worthwhile to stop patching the .man.in, since it will be regenerated at build time anyway.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-openvz-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6           2.10.1-5  GNU C Library: Shared libraries
ii  libpam-modules  1.1.0-4   Pluggable Authentication Modules f
ii  libpam0g        1.1.0-4   Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information
--- sudo-1.7.2p1/visudo.pod 2008-11-15 13:34:01.000000000 -0500 +++ sudo-1.7.2p1-manpage/visudo.pod 2009-11-07 18:54:00.841321731 -0500 @@ -39,15 +39,18 @@ There is a hard-coded list of editors that B<visudo> will use set at compile-time that may be overridden via the I<editor> I<sudoers> -C<Default> variable. This list defaults to the path to L<vi(1)> on -your system, as determined by the I<configure> script. Normally, +C<Default> variable. On Debian systems, this list defaults to +/usr/bin/editor, which is meant to be a system-wide default editor +chosen through the alternatives system. Normally, B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment variables unless they contain an editor in the aforementioned editors -list. However, if B<visudo> is configured with the I<--with-enveditor> +list. However, if B<visudo> is configured with the I<--with-env-editor> option or the I<env_editor> C<Default> variable is set in I<sudoers>, B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting C<VISUAL> or C<EDITOR>. +Despite this potential risk, sudo on Debian is compiled with the +I<--with-env-editor> flag. B<visudo> parses the I<sudoers> file after the edit and will not save the changes if there is a syntax error. Upon finding
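Review bot: The sentence added at the end of the hunk says Debian builds with I<--with-env-editor> despite the risk, but leaves the administrator nothing to act on; the context lines just above it already name the I<env_editor> C<Default> in I<sudoers> as the runtime counterpart of that option, so the new sentence should point to it as the setting to review. Two smaller points in the same hunk: the added /usr/bin/editor is bare text while the line it replaces marked up its reference (L<vi(1)>), so F</usr/bin/editor> would fit the file's POD conventions; and the unchanged context line "will use any the editor defines by C<VISUAL> or C<EDITOR>" is ungrammatical and could be fixed while this paragraph is being touched, or reported upstream to keep the Debian delta small.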