Bug 192

Summary: JAVA_TOOL_OPTIONS should be dropped from environment
Product: Sudo Reporter: Robin Green <greenrd>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: security
Priority: high
Version: 1.6.8
Hardware: All
OS: All

Description Robin Green 2005-08-04 08:43:24 MDT
Since Java JDK 1.5.0, JAVA_TOOL_OPTIONS can be set in the environment, and it
will be picked up and added to the command line of any Java process.

This will allow you to run arbitrary code using the -agentpath command-line
option, which loads - from an arbitrary filesystem path - an "agent" that is
called to initialize itself before any Java code is run.

So I think sudo should strip JAVA_TOOL_OPTIONS from the environment!
Comment 1 Todd C. Miller 2005-10-28 12:58:12 MDT
This will be added to the list of variables to be stripped for the next sudo release.
Comment 2 Tavis Ormandy 2005-11-12 05:19:31 MST
Although we're making env_reset the default on gentoo, we have the following
variables env_deleted if you're interested:

        sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.
        sudo_bad_var 'FPATH'          # ksh, search path for functions.
        sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>
        sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>
#       sudo_bad_var 'TMPPREFIX'      # zsh, prefix for tmp files. <?>
        sudo_bad_var 'GLOBIGNORE'     # bash, glob patterns to ignore. <?>
        sudo_bad_var 'PYTHONHOME'     # python, module search path.
        sudo_bad_var 'PYTHONPATH'     # python, search path.
        sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.
        sudo_bad_var 'RUBYLIB'        # ruby, lib load path.
        sudo_bad_var 'RUBYOPT'        # ruby, cl options.
#       sudo_bad_var 'RUBYPATH'       # ruby, script search path. <?>
        sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.
Comment 3 Todd C. Miller 2005-11-13 12:55:35 MST
Thanks, I'll add those to the initial bad env list.
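A check an administrator could run after this change, added here as an example that is not part of the bug report or of sudo's own code: a POSIX shell deny list built from the variables named in this thread (JAVA_TOOL_OPTIONS from the report plus the Gentoo list from Comment 2), a function that reports which of them a caller's environment would leak to a privileged command, and a wrapper that removes them before exec, mimicking what sudo's env_delete does. The list, the function names and the sample values in the test are this example's own.

```shell
#!/bin/sh
# Deny list assembled from this bug report (constructed for this example;
# sudo's real initial bad-env list is maintained in the sudo sources).
SUDO_BAD_VARS="JAVA_TOOL_OPTIONS PERLIO_DEBUG FPATH NULLCMD READNULLCMD \
GLOBIGNORE PYTHONHOME PYTHONPATH PYTHONINSPECT RUBYLIB RUBYOPT ZDOTDIR"

# Read an `env`-style listing (NAME=value per line) on stdin and print, in
# deny-list order, each deny-listed variable that is present.
# Usage: env | leaked_bad_vars
leaked_bad_vars() {
    listing=$(cat)
    for v in $SUDO_BAD_VARS; do
        if printf '%s\n' "$listing" | grep -q "^$v="; then
            echo "$v"
        fi
    done
    return 0
}

# Run a command with every deny-listed variable unset, the way sudo's
# env_delete strips them before exec (hypothetical wrapper, not sudo's code).
# The subshell keeps the caller's own environment untouched.
# Usage: run_with_clean_env java -jar app.jar
run_with_clean_env() {
    (
        for v in $SUDO_BAD_VARS; do
            unset "$v"
        done
        exec "$@"
    )
}

# Succeeds (exit 0) only if a process started through the wrapper sees none
# of the deny-listed variables; use it to verify the stripping actually works.
check_cleaned() {
    [ -z "$(run_with_clean_env env | leaked_bad_vars)" ]
}
```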