On Fri, Sep 26, 2014 at 01:37:48PM +1000, Brian May wrote:
> On 26 September 2014 12:08, Russ Allbery <r...@debian.org> wrote:
>
> > > brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> > > root@aquitard:/home/brian# echo hello
> > > bar
> >
> > I think you have that backwards, don't you?  Shouldn't that be:
> >
> >     echo='() { /bin/echo bar; }' sudo bash
> >
>
> I think sudo treats both as the same/similar thing.
>
> However, just edited /etc/sudoers and replaced:
>
> %sudo   ALL=(ALL:ALL) ALL
>
> with:
>
> %sudo   ALL = (ALL:ALL) /home/brian/test.sh
>
> i.e. lets me run only that specific command, and now sudo does sanitize the
> environment:
>
> brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh
> sudo: sorry, you are not allowed to set the following environment
> variables: echo
>
>
> > sudo should stop you from doing things like this unless you've explicitly
> > told sudo to allow the client to set any environment variable.
> >
>
> Seems to be it is disabled if you allow the client to run any command too.
>
> However, forget my concern for sudo, it doesn't exist.

Note that bash itself has /some/ protection, according to
bash -c 'help set':

      -p  Turned on whenever the real and effective user ids do not match.
          Disables processing of the $ENV file and importing of shell
          functions.  Turning this option off causes the effective uid and
          gid to be set to the real uid and gid.

Mike
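
The `-p` behaviour quoted from `help set` can be checked locally with the script below, an added example that is not part of the original message. It assumes `bash` is on `PATH`; the names `probe_fn` and `PROBE_VAR` are hypothetical, and `-p` is passed explicitly because a real/effective uid mismatch would need a setuid binary.

```shell
#!/bin/sh
# Added example: does a child bash import an exported shell function,
# and does privileged mode (-p) change that?

# Print "imported" if a child bash started with the given options sees
# probe_fn as a function, "not-imported" otherwise.
child_sees_function() {
    # The outer bash defines and exports the function; the inner bash,
    # started with the options in "$@", reports what it inherited.
    bash -c '
        probe_fn() { :; }
        export -f probe_fn
        if [ "$(bash "$@" -c "type -t probe_fn" 2>/dev/null)" = "function" ]; then
            echo imported
        else
            echo not-imported
        fi
    ' _ "$@"
}

# Print "inherited" if an ordinary environment variable still reaches the
# child bash. -p blocks function import only; it does not clean the
# environment the way sudo's own checks do.
child_sees_variable() {
    PROBE_VAR=constructed bash "$@" -c '
        if [ "${PROBE_VAR:-}" = "constructed" ]; then
            echo inherited
        else
            echo not-inherited
        fi
    '
}

echo "default mode, function:    $(child_sees_function)"
echo "privileged mode, function: $(child_sees_function -p)"
echo "privileged mode, variable: $(child_sees_variable -p)"
```
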