Hi again!
Bdale Garbee [2006-01-11 22:04 -0700]:
On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
Bdale, what do you think?
I'm ok with it. Does someone have a patch representing this behavior?
I now finished the first version of the patch [1]. Please note that I
tried to keep
On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
Bdale, what do you think?
I'm ok with it. Does someone have a patch representing this behavior?
What's the current implementation in version 1.6.8p12-1 anyway?
What upstream shipped for p12, plus env_reset added to sudoers when
Hi!
Bdale Garbee [2006-01-11 22:04 -0700]:
On Wed, 2006-01-11 at 16:38 +0100, Martin Schulze wrote:
Bdale, what do you think?
I'm ok with it. Does someone have a patch representing this behavior?
No, but if we all agree, I'll cook one. I'll report back.
Martin
--
Martin Pitt
Martin Pitt wrote:
I still think that the current sid version is broken: it does nothing
to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
from stable, and for new installations it disables environment passing
Hi Bdale, hi Joey!
I still think that the current sid version is broken: it does nothing
to fix this vulnerability for similar cases (JAVA_TOOL_OPTIONS,
PYTHONHOME, RUBYLIB, etc. pp) in existing installations and upgrades
from stable, and for new installations it disables environment passing
I find myself agreeing with Martin here; this isn't really optimal for
sid, as it doesn't take into account existing installations and
upgrades. Even at the risk of changing behavior, I think this is an
important enough fix to warrant making env_reset the default behavior.
Differentiating
Bdale Garbee wrote:
On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
It's a box of pandora. You can hardly hit all variables.
Bdale, what's your opinion?
One of the workarounds suggested by upstream in the p12 release
announcement is:
Alternately, the administrator
On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
It's a box of pandora. You can hardly hit all variables.
Bdale, what's your opinion?
One of the workarounds suggested by upstream in the p12 release
announcement is:
Alternately, the administrator can add a line to the top of
Moritz Muehlenhoff wrote:
Martin Schulze wrote:
The attached patch only uses the variables listed in env_check to
be passed to the setuid environment. This will preserve language
settings by default, but nothing more.
What do people think about this?
The patch itself looks fine for
Martin Schulze wrote:
The attached patch only uses the variables listed in env_check to
be passed to the setuid environment. This will preserve language
settings by default, but nothing more.
What do people think about this?
The patch itself looks fine for sid (although HOME, LOGNAME,
Moritz Muehlenhoff wrote:
Package: sudo
Severity: important
Tags: security
Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
| The PERL5LIB and PERLLIB environment variables can be used to provide a list of
| directories in which to look for perl library files before the system
Martin Schulze wrote:
It's been fixed upstream in 1.6.8p12.
This is true, but it becomes ridiculous.
Finally allocated some time to develop a minimal patch.
The attached patch only uses the variables listed in env_check to
be passed to the setuid environment. This will preserve language
Martin Schulze wrote:
Martin Schulze wrote:
It's been fixed upstream in 1.6.8p12.
This is true, but it becomes ridiculous.
Finally allocated some time to develop a minimal patch.
The attached patch only uses the variables listed in env_check to
be passed to the setuid environment.
Package: sudo
Severity: important
Tags: security
Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
| The PERL5LIB and PERLLIB environment variables can be used to provide a list of
| directories in which to look for perl library files before the system directories are
| searched. It