|
Bugzilla – Full Text Bug Listing |
| Summary: | exported bash functions carried through sudo | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | Liam Helmer <liam> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | ||
| Severity: | security | CC: | solar |
| Priority: | high | ||
| Version: | 1.6.8 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Attachments: | Patch to strip exported bash functions from the environment. | ||
additional comment: works on 1.6.8-p1 and 1.6.8-p5 Created attachment 32 [details]
Patch to strip exported bash functions from the environment.
Something like the patch attached to this bug will be present in the next sudo release. That was quick ;) Quick testing on this end shows the patch working fine... I'll keep an eye on things and let you know if there's anything else. Are there other formats for other shells to export functions that we should be hunting for too? I know that many of them don't do this, but, might be worth a check. Cheers, Liam |
When you run sudo, and the function being run is in bash, any functions that were exported as the original user are carried over to the new shell. This means that if a bash shell has any unresolved commands (such as "grep", or ifconfig) those commands could be circumvented to do something else by inserting a shell function. Trivial example: Make a bash script as root, and set to excecutable (we'll call it /sbin/testscript): -- #/bin/bash ifconfig -a -- Then, as a user, type the following on the commandline: --- function ifconfig () { cat /etc/shadow } export -f ifconfig ---- then, run the script with sudo ---- sudo /sbin/testscript -------- environment: linux 2.6.8.1 StrongBox Linux (gentoo variant) bash 2.0.5b glibc 2.3.4 (gentoo patches)