Bug 155

Summary: CDPATH variable is not unset
Product: Sudo Reporter: Jan Ingvoldstad <jani+sudo-bugzilla>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: CLOSED FIXED    
Severity: security    
Priority: normal    
Version: 1.6.6   
Hardware: PC   
OS: Linux   

Description Jan Ingvoldstad 2004-10-18 15:18:50 MDT 
sudo doesn't unset the CDPATH variable, which leads to possible security problems.

It can also cause severe bugs when trying to install, compile or run software
with superuser privileges, for instance:

 - mkinitrd (an sh-script uses cd)
 - kernel compilation (uses cd to build the list of PCI devices et al)
 - emacs with auctex (turns into a fork bomb under the most recent Debian 
   version)

While these problems also may be said to be issues with each package/program,
I think it's only reasonable to expect sudo to take care of CDPATH, since it
already takes care of the following, according to SECURITY NOTES in sudo(8):

LD_*, _RLD_*, IFS, ENV, BASH_ENV, KRB_CONF, KRBCONFDIR, KRBTKFILE,
KRB5_CONFIG, LOCALDOMAIN, RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE,
TERMINFO, TERMINFO_DIRS and TERMPATH


While the reported Platform/OS is PC/Linux, the CDPATH variable is in POSIX, so
it should be independent of platform and OS.


I don't know of any security exploit in the wild, since I'm not aware of any
particular program that depends on this for security.  But given how software
development works, there's bound to be at least ten.  :)
Comment 1 Todd C. Miller 2004-11-11 09:25:38 MST 
The next release of sudo will strip out CDPATH by default.
Comment 2 Peter Pentchev 2004-11-15 04:10:39 MST 
With all due respect, I think that version 1.6.8p2, which mentions CDPATH in the 
release notes and the manual pages, does *not* really unset it :)  Is it 
possible that you missed actually adding CDPATH to the initial_badenv_table[] 
array in env.c?

[roam@snark ~]> whoami
roam
[roam@snark ~]> sudo whoami
root
[roam@snark ~]> sudo -K
[roam@snark ~]> whoami
roam
[roam@snark ~]> sudo whoami
Password:
root
[roam@snark ~]> setenv CDPATH /home/roam
[roam@snark ~]> printenv | fgrep CDPATH
CDPATH=/home/roam
[roam@snark ~]> sudo printenv | fgrep CDPATH
CDPATH=/home/roam
[roam@snark ~]> sudo -V | head -1
Sudo version 1.6.8p2

[root@snark ~]# sudo -V | fgrep PATH
Ignore '.' in $PATH
        TERMPATH
        PATH_LOCALE
        NLSPATH
[root@snark ~]# 

A pretty much one-line patch (adding CDPATH to the initial_badenv_table[] array) 
fixes the problem - CDPATH is no longer set, and is also displayed in the 'sudo 
-V' output.
Comment 3 Todd C. Miller 2004-11-16 14:26:15 MST 
Whoops, I mistakenly only applied the bash function diff and not the CDPATH one.  I've released 1.6.
8p3 which does include the CDPATH diff as well as a fix for systems where _PATH_VAR_TMP does 
not include a trailing slash.