Ewen McNeill writes: >In reply to bug 349729 Martin Schulze <[EMAIL PROTECTED]> wrote: >>http://www.debian.org/security/2006/dsa-946 [...] >>[the advisory indicates only LC_*, LANG, LANGUAGE and TERM are passed through] >[ The discussion is now merged into: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349587 >] > >Out of interest what was the rationale for omitting $HOME from this list?
I see that the proposed update noted in bug 349196 (which unfortunately I missed before sending in my earlier comment) restores $HOME to the list of environment variables allowed by default. The Sarge package at: http://klecker.debian.org/~joey/security/sudo/ (referenced from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=349196) seems to work for me, at least to resolve the issue I was having with vim and $HOME/.viminfo. Although curiously the extra variables allowed (HOME, LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER), don't appear in the "sudo -V" list of variables to check; only the original list of variables (in -1.3) appears there. Presumably this means they're being retained unconditionally which may or may not be desirable. Ewen -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
