Simo Kauppi wrote:
On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
[EMAIL PROTECTED] wrote:
On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
Hi,
Hi,
I just did a security upgrade with Sarge and got installed
sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:
(synaptic:25937): Gtk-WARNING **: cannot open display:
This paragraph was in the security announcement posted to
debian-security-announce list:
------------ begin excerpt -----------
This update alters the former behaviour of sudo and limits the number
of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
Additional variables are only passed through when set as env_check in
/etc/sudoers, which might be required for some scripts to continue to
work.
------------- end excerpt ------------
Maybe you need to do something with the DISPLAY variable in
/etc/sudoers. This is just a guess, however.
Thanks! And a good guess. But what?
And this is in the sudoers manpage:
Lists that can be used in a boolean context:
...
env_check
Environment variables to be removed from the user's environment if
the variable's value contains % or / characters. This can be used to
guard against printf-style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-separated list
or a single value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=, -=, and !
operators respectively. The default list of environment variables
to check is printed when sudo is run by root with the -V option.
...
Sounds like Greek to me. Can anybody tell me what in fact one should
specify in sudoers?
Thanks!
H
I haven't updated my sudo yet, because it is not yet in etch. I'm
curious though, because at first it seemed very complicated, and it
would be nice to know what to do before I update sudo :)
From the above I think that DISPLAY is one of the environment values,
which is not supported. To add DISPLAY to the list of variables, you
need to put
env_check -= DISPLAY
Makes no diff.
into your /etc/sudoers file, to exclude it from the list of not
supported environment variables.
It seems that by running sudo -V as root, you get the list of variables
which are not passed through.
Gets:
Environment variables to check for sanity:
TERM
LANGUAGE
LANG
LC_*
Environment variables to remove:
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
PS4
SHELLOPTS
CDPATH
IFS
Then again, from the security
announcement I read that only LC_*, LANG, LANGUAGE and TERM are passed
through, so that means that any other variable must be excluded from
the list, if you want them passed through.
But like I said, I haven't tried this myself yet. Let me know how it
goes...
Simo
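
Added example (not part of the original thread and not sudo's own code): a small Python model of the filtering rule as the quoted announcement and manpage excerpt describe it, assuming the starting env_check list is the "to check for sanity" list from the sudo -V output above. The function names, XAUTHORITY, PAGER and all sample values are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Default list, taken from the "to check for sanity" output of sudo -V above.
DEFAULT_ENV_CHECK = ["TERM", "LANGUAGE", "LANG", "LC_*"]

def apply_op(env_check, op, names=()):
    """Apply one sudoers list operator (=, +=, -=, !) to the env_check list."""
    names = list(names)
    if op == "=":
        return names
    if op == "+=":
        return env_check + [n for n in names if n not in env_check]
    if op == "-=":
        return [n for n in env_check if n not in names]
    if op == "!":
        return []
    raise ValueError("unknown operator: " + op)

def filter_env(env, env_check):
    """Split env into (kept, dropped) under the modelled rule."""
    kept, dropped = {}, {}
    for name, value in env.items():
        if not any(fnmatchcase(name, pat) for pat in env_check):
            dropped[name] = "not in env_check"
        elif "%" in value or "/" in value:
            dropped[name] = "value contains % or /"
        else:
            kept[name] = value
    return kept, dropped

# Constructed sample environment of the invoking user.
SAMPLE_ENV = {
    "TERM": "xterm", "LANG": "en_US.UTF-8", "LC_ALL": "C",
    "DISPLAY": ":0.0", "XAUTHORITY": "/home/user/.Xauthority", "PAGER": "less",
}

if __name__ == "__main__":
    for op, names in [("-=", ["DISPLAY"]), ("+=", ["DISPLAY", "XAUTHORITY"])]:
        kept, dropped = filter_env(SAMPLE_ENV, apply_op(DEFAULT_ENV_CHECK, op, names))
        print("env_check", op, " ".join(names))
        print("  kept:   ", sorted(kept))
        print("  dropped:", dropped)
```

In this model, removing a name that was never on the list leaves the list unchanged, and a listed variable whose value is a file path is still dropped by the % or / check.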