Hi,

The '/etc/sudoers' now has this paragraph:

    # prevent environment variables from influencing programs in an
    # unexpected or harmful way (CVE-2005-2959, CVE-2005-4158,
    # CVE-2006-0151)
    Defaults always_set_home
    Defaults env_reset

The 'env_reset' does this (man sudoers):

    env_reset   If set, sudo will reset the environment to only contain
                the following variables: HOME, LOGNAME, PATH, SHELL,
                TERM, and USER (in addition to the SUDO_* variables).
                Of these, only TERM is copied unaltered from the old
                environment. The other variables are set to default
                values (possibly modified by the value of the
                set_logname option). If sudo was compiled with the
                SECURE_PATH option, its value will be used for the PATH
                environment variable. Other variables may be preserved
                with the env_keep option.

How insecure is this setting? I mean, how insecure would removing it be?
It erases variables that I need, like "EDITOR".

I have solved my problem by using this in the sudoers file:

    Defaults env_keep=EDITOR

But I will have to define more variables - and precisely that "editor"
one, being a command, is one of those they consider dangerous, I guess.

--
Cheers,
Carlos Robinson
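
Added example, not part of the original message and not sudo's own code: a simplified Python model of the env_reset text quoted from the man page, showing which variables stay under the caller's control with env_reset, with env_keep=EDITOR, and with env_reset off. The default PATH, the sample environment and the COMMAND_VALUED list are assumptions made for the illustration.

```python
# Simplified model of the env_reset text quoted from `man sudoers` above.
# Not sudo's code; the default values below are assumptions for illustration.
ASSUMED_DEFAULT_PATH = "/usr/bin:/bin"
# Variables whose value names a program that other tools execute
# (assumed, non-exhaustive list used only for this audit).
COMMAND_VALUED = {"EDITOR", "VISUAL", "PAGER"}


def sudo_environment(caller_env, target, env_reset=True, env_keep=()):
    """Environment a command started through sudo receives in this model.

    caller_env: the invoking user's environment (dict).
    target: dict with the target user's name, home and shell.
    """
    if not env_reset:
        # Model simplification: everything the caller set is passed on.
        return dict(caller_env)
    env = {
        "HOME": target["home"],
        "LOGNAME": target["name"],
        "USER": target["name"],
        "SHELL": target["shell"],
        "PATH": ASSUMED_DEFAULT_PATH,
    }
    if "TERM" in caller_env:      # only TERM is copied unaltered
        env["TERM"] = caller_env["TERM"]
    for name in env_keep:         # env_keep entries survive the reset
        if name in caller_env:
            env[name] = caller_env[name]
    return env


def caller_controlled(caller_env, result_env):
    """Names whose value in result_env came unchanged from the caller."""
    return sorted(n for n, v in result_env.items() if caller_env.get(n) == v)


# Constructed sample: environment of an unprivileged caller.
CALLER = {"HOME": "/home/carlos", "USER": "carlos", "LOGNAME": "carlos",
          "SHELL": "/bin/zsh", "PATH": "/home/carlos/bin:/usr/bin",
          "TERM": "xterm", "EDITOR": "/home/carlos/bin/myedit",
          "PAGER": "/home/carlos/bin/mypager"}
ROOT = {"name": "root", "home": "/root", "shell": "/bin/bash"}

if __name__ == "__main__":
    for label, kw in [("env_reset", {}),
                      ("env_reset + env_keep=EDITOR", {"env_keep": ["EDITOR"]}),
                      ("no env_reset", {"env_reset": False})]:
        kept = caller_controlled(CALLER, sudo_environment(CALLER, ROOT, **kw))
        print(label, kept, sorted(COMMAND_VALUED & set(kept)))
```

Each name reported as caller-controlled is a value the privileged command receives exactly as the unprivileged user set it, so every env_keep entry widens that set by one.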