Brian May <[email protected]> writes:
> I thought sudo was supposed to be ok, sure doesn't look ok to me.
> brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> root@aquitard:/home/brian# echo hello
> bar

I think you have that backwards, don't you? Shouldn't that be:

    echo='() { /bin/echo bar; }' sudo bash

if you're testing whether sudo sanitizes the environment?

I believe the syntax that you're using runs the command:

    echo='() { /bin/echo bar; }' bash

under sudo. If you have all-command sudo privileges, you can indeed run
whatever you want via sudo, including commands that set various
interesting environment variables. :)

sudo should stop you from doing things like this unless you've explicitly
told sudo to allow the client to set any environment variable.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
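
Added example, not part of the original message and not sudo's own code: a probe that separates the two command forms discussed above, so a test of environment sanitization exercises the right one. The names PROBE_FN, probe_inherited and probe_argument are made up here, and `env -i` / `env` are stand-ins for a launcher that resets or keeps the inherited environment; pass `sudo` as the launcher to check a real configuration.

```shell
#!/bin/sh
# Constructed probe. PROBE_FN is a made-up variable name; the value is the
# function-style string quoted in the message above.
PROBE_VALUE='() { /bin/echo bar; }'

# Child command: print PROBE_FN exactly as the launched process sees it.
CHILD='printf %s "${PROBE_FN-}"'

# Form 1:  VAR=value LAUNCHER cmd
# The calling shell places the variable in the launcher's own environment,
# so this is the form that tests whether inherited variables are forwarded.
# Prints "passed" or "stripped"; returns 2 if the launcher itself failed.
probe_inherited() {
    seen=$(PROBE_FN="$PROBE_VALUE" "$@" /bin/sh -c "$CHILD") || return 2
    [ "$seen" = "$PROBE_VALUE" ] && echo passed || echo stripped
}

# Form 2:  LAUNCHER VAR=value cmd
# The assignment is an argument handed to the launcher, which sets it for
# the command. Filtering of the inherited environment is never exercised.
# Prints "passed" or "stripped"; returns 2 if the launcher refused or failed.
probe_argument() {
    seen=$("$@" PROBE_FN="$PROBE_VALUE" /bin/sh -c "$CHILD") || return 2
    [ "$seen" = "$PROBE_VALUE" ] && echo passed || echo stripped
}

# Demonstration with the stand-in launchers (no privileges needed).
echo "inherited via 'env':     $(probe_inherited env)"
echo "inherited via 'env -i':  $(probe_inherited env -i)"
echo "argument  via 'env -i':  $(probe_argument env -i)"

# Against a real configuration (prompts for a password if required):
#   probe_inherited sudo
#   probe_argument sudo
```

A launcher that clears the inherited environment still reports "passed" for the argument form, which is why that form says nothing about sanitization.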