Bugzilla – Bug 192
JAVA_TOOL_OPTIONS should be dropped from environment
Last modified: 2005-11-13 14:55:35 MST
Since Java JDK 1.5.0, JAVA_TOOL_OPTIONS can be set in the environment, and it will be picked up and added to the command line of any Java process. This will allow you to run arbitrary code using the -agentpath command-line option, which loads - from an arbitrary filesystem path - an "agent" that is called to initialize itself before any Java code is run. So I think sudo should strip JAVA_TOOL_OPTIONS from the environment!
This will be added to the list of variables to be stripped for the next sudo release
although we're making env_reset the default on gentoo, we have the following variables env_deleted if you're interested: sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file. sudo_bad_var 'FPATH' # ksh, search path for functions. sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?> sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?> # sudo_bad_var 'TMPPREFIX' # zsh, prefix for tmp files. <?> sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?> sudo_bad_var 'PYTHONHOME' # python, module search path. sudo_bad_var 'PYTHONPATH' # python, search path. sudo_bad_var 'PYTHONINSPECT' # python, allow inspection. sudo_bad_var 'RUBYLIB' # ruby, lib load path. sudo_bad_var 'RUBYOPT' # ruby, cl options. # sudo_bad_var 'RUBYPATH' # ruby, script search path. <?> sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
Thanks, I'll add those to the initial bad env list.