On Sat, Jan 21, 2006 at 06:54:21AM -0600, Hugo Vanwoerkom wrote:
> Simo Kauppi wrote:
> >On Sat, Jan 21, 2006 at 12:03:26PM +0200, Simo Kauppi wrote:
> >>On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
> >>>>On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
> >>>>>Hi,
> >>>>>I just did a security upgrade with Sarge and got installed
> >>>>>sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I
> >>>>>get:
> >>>>>
> >>>>>(synaptic:25937): Gtk-WARNING **: cannot open display:
> >>>Thanks! And a good guess. But what?
> >>>
> >>>And this is in the sudoers manpage:
> >>>
> >>>Lists that can be used in a boolean context:
> >>>
> >>>...
> >>>env_check
> >>> Environment variables to be removed from the user's environment if
> >>>the variable's value contains % or / characters. This can be used to
> >>>guard against printf-style format vulnerabilities in poorly-written
> >>>programs. The argument may be a double-quoted, space-separated list
> >>>or a single value without double-quotes. The list can be replaced,
> >>>added to, deleted from, or disabled by using the =, +=, -=, and !
> >>>operators respectively. The default list of environment variables
> >>>to check is printed when sudo is run by root with the -V option.
> >>>...
> >>>
> >>>Sounds like Greek to me. Can anybody tell me what in fact one should
> >>>specify in sudoers?
> >>>
> >>>Thanks!
> >>>
> >>>H
> >
> >In other words, env_check is a list of variables, whose value is
> >checked, and if they contain a '%' or a '/', they are blocked. So you
> >need to find out which variable is preventing the use, and put
> >env_check -= VARIABLE
> >into the /etc/sudoers, to disable its checking.
> >
> >One good guess would be HOME.
> >
> >The checking should be totally disabled if you put
> >env_check =
>
> Gets:
>
> >>> sudoers file: syntax error, line 12 <<<
> sudo: parse error in /etc/sudoers near line 12
>
> where I put:
>
> env_check =
>
> >into the /etc/sudoers file (i am guessing here), but I wouldn't
> >recommend it, as it is a security feature.
> >
> >Simo
>
> Thanks Simo!
>
> Needless to say I am a little surprised that this comes about in Stable
> Sarge without further explanations.
>
> I filed a bug (349085) which I later retracted and apologized for.
>
> Stick with sudo_1.6.8p7-1.2_i386.deb folks!
>
> H

Hi,

Don't give up just yet :)

I just upgraded my sudo and re-read the security announcement and the
manual page. It seems I interpreted it a little bit wrong...

Check if you have a line
Defaults env_reset
or
Defaults = env_reset
in your /etc/sudoers. If it is, comment it out or change it to
Defaults !env_reset
and try again...

In unstable/etch it is left for the admin to add that line into the
/etc/sudoers.

env_reset is actually the parameter, which limits the environment
variables. env_check is then used to add the desired variables. And the
syntax should be
Defaults env_check += "VARIABLE1 VARIABLE2"

BTW: it is always a good idea to edit the sudoers file with `visudo`,
which also makes the sanity check.

Simo

-- 
:r ~/.signature
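
Added example, not part of the original message and not sudo's own code: a simplified Python model of the filtering discussed in this thread, combining the '%' or '/' rule from the quoted man page with the env_reset behaviour described above. The BASELINE set, the function names and the sample environment are assumptions made for illustration.

```python
# Added illustration: a simplified model of the filtering described in this
# thread. It is not sudo's source code.

# Assumption: illustrative set of variables that survive env_reset.
BASELINE = {"HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER"}


def passes_env_check(value):
    """Rule from the quoted man page: a value containing '%' or '/' fails."""
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset, env_check):
    """Return (kept, dropped); dropped maps each removed name to the reason."""
    kept, dropped = {}, {}
    for name, value in env.items():
        if name in env_check:
            # Listed variables are passed through only if the value is clean.
            if passes_env_check(value):
                kept[name] = value
            else:
                dropped[name] = "env_check"
        elif env_reset and name not in BASELINE:
            # With env_reset on, unlisted variables outside the baseline go.
            dropped[name] = "env_reset"
        else:
            kept[name] = value
    return kept, dropped


# Constructed sample environment of a user starting a GUI program via sudo.
SAMPLE_ENV = {
    "HOME": "/home/user",
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "DISPLAY": ":0.0",
    "XAUTHORITY": "/home/user/.Xauthority",
    "LC_MESSAGES": "%n%n%n",
}

if __name__ == "__main__":
    cases = [(True, set()), (True, {"DISPLAY", "XAUTHORITY"}), (False, {"LC_MESSAGES"})]
    for reset, check in cases:
        kept, dropped = filter_environment(SAMPLE_ENV, reset, check)
        print(f"env_reset={reset} env_check={sorted(check)}")
        print("  kept:   ", sorted(kept))
        print("  dropped:", dropped)
```

In this model a path-valued variable such as XAUTHORITY never passes the check because its value contains '/', while DISPLAY does; to see what an installed sudo really checks, use the list printed by `sudo -V` run as root, as the quoted man page says.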