On 27/09/12 22:53, Josselin Mouette wrote:
> On Thursday 27 September 2012 at 14:39 -0700, Josh Triplett wrote:
>> "sudo foo" leaves $HOME set to the user's
>> home directory rather than root
>
> This is a bug in sudo. There can be very dangerous things in $HOME

It's configurable, because each of you can be right in different situations. I think the Debian default is to clear the environment (except for a few whitelisted variables like LANG).

If only root-equivalent ("admin") users are allowed to sudo (as seen in an out-of-the-box Ubuntu installation, or Debian when a user is in the sudo group), then escalating privileges is a non-issue. In this case, Josh's version is OK: passing environment variables through doesn't let the user do anything they couldn't do already.

If certain users are granted sudo access to certain commands but are not otherwise root-equivalent, then Josselin is right that it's not generally safe to pass environment variables through: it's likely that they can subvert those commands by careful choice of environment variables.

S
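
The two cases described in this message, written as a sudoers fragment. This is an added example, not part of the original post; the user `deploy` and the command path are hypothetical.

```sudoers
# Constructed example: "deploy" and /usr/local/sbin/restart-app are
# hypothetical names used only for illustration.

# Baseline: every command starts from a minimal, reset environment.
Defaults env_reset

# Case 1: root-equivalent admins. Members of group sudo may run anything
# as anyone, so keeping their own HOME grants nothing they lack already.
%sudo   ALL=(ALL:ALL) ALL
Defaults:%sudo env_keep += "HOME"

# Case 2: a user limited to one command. Nothing is added to env_keep,
# setenv stays off so "sudo -E" cannot bypass the reset, and PATH is
# pinned so the command cannot resolve helpers from a caller-chosen
# directory.
deploy  ALL=(root) /usr/local/sbin/restart-app
Defaults:deploy !setenv, secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
```

`visudo -c -f <file>` checks the syntax of a fragment like this before it is installed.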