This seems to work and allows me to use ethereal remotely through ssh again.
The for loop was just copied from above, with keepit changed to okvar, so this is pretty simple. We did go through all the bits and if clauses and tested the result manually. The manual page changes are pretty obvious too. I did not go through the list of environment variables mentioned on the manual pages and in 'sudo -V' when run as root, but perhaps the documentation is enough, as this is only first aid for sarge. -Mikko
--- sudo-1.6.8p7-1.3/env.c 2006-02-09 12:51:27.280782680 +0200 +++ sudo-1.6.8p7/env.c 2006-02-09 15:15:25.701543112 +0200 @@ -434,6 +434,22 @@ continue; } + /* Add everything listed in env_keep */ + for (cur = def_env_keep; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = 1; + } else + iswild = 0; + if (strncmp(cur->value, *ep, len) == 0 && + (iswild || (*ep)[len] == '=')) { + okvar = 1; + break; + } + } + /* Skip anything listed in env_delete. */ #if 0 for (cur = def_env_delete; cur && okvar; cur = cur->next) {
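Review bot: the wildcard test in the new env_keep loop, `if (cur->value[len - 1] == '*')`, indexes before the string whenever an env_keep entry is empty (strlen gives 0), and an entry that is just "*" leaves len at 0 after `len--`, so `strncmp(cur->value, *ep, len) == 0` is true for every variable and the entire user environment is kept. Suggest guarding both cases before the comparison, e.g. `if (len == 0) continue;` followed by `if (cur->value[len - 1] == '*' && len > 1)`, or rejecting such entries when sudoers is parsed. A one-line comment that this loop deliberately runs regardless of okvar (unlike the `cur && okvar` loop for env_delete below it) would also help the next reader.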
--- sudo-1.6.8p7-1.3/sudoers.pod 2006-02-09 12:51:27.000000000 +0200 +++ sudo-1.6.8p7/sudoers.pod 2006-02-09 16:51:03.913202344 +0200 @@ -435,8 +435,8 @@ =item env_reset -If set, B<sudo> will reset the environment to only contain the -following variables: C<HOME>, C<LOGNAME>, C<PATH>, C<SHELL>, C<TERM>, +By default and when set, B<sudo> will reset the environment to only contain the +following variables: C<LOGNAME>, C<PATH>, C<SHELL>, C<TERM>, and C<USER> (in addition to the C<SUDO_*> variables). Of these, only C<TERM> is copied unaltered from the old environment. The other variables are set to default values (possibly modified @@ -742,8 +742,8 @@ =item env_check -Environment variables to be removed from the user's environment if -the variable's value contains C<%> or C</> characters. This can +Like I<env_keep>, but listed environment variables are taken from the user's environment if +the variable's value does B<not> contain C<%> or C</> characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The @@ -754,7 +754,10 @@ =item env_delete -Environment variables to be removed from the user's environment. + +Not effective due to security issues: only variables listed in +I<env_keep> or I<env_check> can be passed through B<sudo>! + The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and 
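Review bot: in the env_reset hunk, "By default and when set, B<sudo> will reset the environment" leaves the reader unsure whether clearing the option turns the reset off; if the reset is unconditional in this build, say so in one sentence ("The environment is always reset; this option is accepted for compatibility") and state explicitly that C<HOME> has been dropped from the preserved list, since that is a visible change in the same hunk.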
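Review bot: the env_delete hunk replaces the description with "Not effective due to security issues" but keeps the following paragraph about the argument syntax (C<=>, C<+=>, C<-=>), which still reads as if the list does something; say plainly that the option is parsed and ignored so that existing sudoers files keep working, and point to I<env_keep>/I<env_check> as the replacement. The blank line added before "Not effective" also breaks the =item/paragraph layout used by the other entries.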
@@ -766,8 +769,8 @@ =item env_keep -Environment variables to be preserved in the user's environment -when the I<env_reset> option is in effect. This allows fine-grained +Environment variables to be preserved in the user's environment. +This allows fine-grained control over the environment B<sudo>-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added @@ -1004,8 +1007,14 @@ is you cannot reference an Alias that has not already been defined. Below are example I<sudoers> entries. Admittedly, some of -these are a bit contrived. First, we define our I<aliases>: +these are a bit contrived. First, we allow a few environment +variables to pass and then define our I<aliases>: + # Run X applications through sudo; HOME is used to find .Xauthority file + # Note that some programs may use HOME for other purposes too and + # this may lead to privilege escalation! + Defaults env_keep = "DISPLAY HOME" + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl
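Review bot: the new example `Defaults env_keep = "DISPLAY HOME"` uses C<=>, which the text a few lines earlier describes as replacing the list; any compiled-in env_keep entries would be dropped by this line, so the example should use C<+=> or note that it replaces the default list. Given the comment right above it about C<HOME> and privilege escalation, consider also stating that the escalation risk applies to every command run via this entry, not just X applications.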
--- sudo-1.6.8p7-1.3/debian/changelog 2006-02-09 12:51:27.000000000 +0200 +++ sudo-1.6.8p7/debian/changelog 2006-02-09 15:58:24.867450296 +0200 @@ -1,3 +1,11 @@ +sudo (1.6.8p7-1.3.mkr1) stable-security; urgency=low + + * Fix sudo environment variable white listing to respect + env_keep so root can knowingly pass users variables through sudo, + and try document it in the sudoers manual page + + -- Mikko Rapeli <[EMAIL PROTECTED]> Thu, 9 Feb 2006 15:57:22 +0200 + sudo (1.6.8p7-1.3) stable-security; urgency=high * Non-maintainer upload by the Security Team
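Review bot: the changelog entry only records that env_keep is now respected; it should also mention the user-visible documentation changes made in sudoers.pod in the same patch (env_delete documented as ineffective, C<HOME> no longer listed under env_reset, new env_keep example), and "try document it" should read "try to document it".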