Simo Kauppi wrote:
On Sat, Jan 21, 2006 at 06:54:21AM -0600, Hugo Vanwoerkom wrote:
Simo Kauppi wrote:
On Sat, Jan 21, 2006 at 12:03:26PM +0200, Simo Kauppi wrote:
On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
Hi,
I just did a security upgrade with Sarge and got installed
sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I
get:
(synaptic:25937): Gtk-WARNING **: cannot open display:
Thanks! And a good guess. But what?
And this is in the sudoers manpage:
Lists that can be used in a boolean context:
...
env_check
Environment variables to be removed from the user's environment if
the variable's value contains % or / characters. This can be used to
guard against printf-style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-separated list
or a single value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=, -=, and !
operators respectively. The default list of environment variables
to check is printed when sudo is run by root with the -V option.
...
Sounds like Greek to me. Can anybody tell me what in fact one should
specify in sudoers?
Thanks!
H
In other words, env_check is a list of variables, whose value is
checked, and if they contain a '%' or a '/', they are blocked. So you
need to find out which variable is preventing the use, and put
env_check -= VARIABLE
into the /etc/sudoers, to disable its checking.
One good guess would be HOME.
The checking should be totally disabled if you put
env_check =
Gets:
sudoers file: syntax error, line 12 <<<
sudo: parse error in /etc/sudoers near line 12
where I put:
env_check =
into the /etc/sudoers file (I am guessing here), but I wouldn't
recommend it, as it is a security feature.
Simo
Thanks Simo!
Needless to say I am a little surprised that this comes about in Stable
Sarge without further explanations.
I filed a bug (349085) which I later retracted and apologized for.
Stick with sudo_1.6.8p7-1.2_i386.deb folks!
H
Hi,
Don't give up just yet :)
I just upgraded my sudo and re-read the security announcement and the
manual page.
It seems I interpreted it a little bit wrong...
Check if you have a line
Defaults env_reset
or
Defaults = env_reset
No.
in your /etc/sudoers. If it is, comment it out or change it to
Defaults !env_reset
makes no diff.
Defaults:ALL !env_reset
makes no diff.
and try again...
In unstable/etch it is left for the admin to add that line into the
/etc/sudoers. env_reset is actually the parameter, which limits the
environment variables. env_check is then used to add the desired
variables.
And the syntax should be
Defaults env_check += "VARIABLE1 VARIABLE2"
BTW: it is always a good idea to edit the sudoers file with `visudo`,
which also makes the sanity check.
True.
Simo
Thanks Simo.
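
As an added illustration, not part of the thread and not sudo's own code, here is a simplified Python model of the env_check rule quoted from the sudoers manpage above, with env_reset modelled the way the thread describes it. The function name, the sample environment and the reduction of env_reset to "hand on only checked variables that pass" are assumptions; real sudo handles further variables that this model leaves out.

```python
"""Simplified model of the sudoers env_check rule quoted above (not sudo's code)."""

UNSAFE_CHARS = ("%", "/")  # the two characters named in the quoted manpage text


def filter_environment(env, env_check, env_reset=False):
    """Return (kept, removed) for a caller environment.

    env        -- dict of the invoking user's variables
    env_check  -- set of names listed in env_check
    env_reset  -- assumption: modelled as the thread describes it, i.e.
                  only checked variables that pass are handed on
    """
    kept, removed = {}, {}
    for name, value in env.items():
        if name in env_check:
            bad = [c for c in UNSAFE_CHARS if c in value]
            if bad:
                removed[name] = "value contains " + " and ".join(repr(c) for c in bad)
            else:
                kept[name] = value
        elif env_reset:
            removed[name] = "not listed while env_reset is on"
        else:
            kept[name] = value
    return kept, removed


# Constructed sample environment (not taken from the thread).
SAMPLE_ENV = {
    "DISPLAY": ":0.0",
    "XAUTHORITY": "/home/user/.Xauthority",
    "LANG": "en_US.UTF-8",
    "LC_MESSAGES": "%n%n%n",
    "EDITOR": "vi",
}

if __name__ == "__main__":
    checked = {"DISPLAY", "XAUTHORITY", "LANG", "LC_MESSAGES"}
    for reset in (False, True):
        kept, removed = filter_environment(SAMPLE_ENV, checked, reset)
        print(f"env_reset={reset}")
        for name in sorted(kept):
            print(f"  keep   {name}={kept[name]}")
        for name in sorted(removed):
            print(f"  remove {name}: {removed[name]}")
```

In this model a path-valued variable such as XAUTHORITY always fails the check because its value contains a /, so listing it in env_check does not get it through.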