Bugzilla – Bug 9
Sudo should clear LANGUAGE etc. environment.
Last modified: 2001-12-12 18:05:23 MST
Hi,

With the recent format string errors sudo should clear LANGUAGE, LC_xxx, NLSPATH etc. environment, because otherwise a user who can run a program with root privs. can use their own i18n messages from /tmp/LC_MESSAGES. This pretty much guarantees the user permanent root access because the messages can contain formatting characters (and because the program is run with uid==euid at least glibc loads messages from /tmp/LC_MESSAGES if LANGUAGE=../../../tmp).

I realize this is not a sudo 'bug' but I think it would be a good idea to protect the admins anyway.

-Jarno

PS. I marked this as a Linux bug, but this affects other 'Unices' as well.
Just clearing the LANG... etc. env. variables if they contain '/' might be enough, but for the really paranoid just clear them all. For some reference about the format string / locale errors see bugtraq posts about glibc locale/solaris locale etc. (www.securityfocus.com --> vulnerabilities)
I have code to do all this in my current source tree so this will be present in the next release.
Sudo 1.6.4 will include the ability to manipulate the environment including what variables to remove/preserve. By default LANGUAGE and LC_* will be cleared. Expected release date is some time in January depending on how the beta goes.
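The two filtering policies discussed in this report (drop locale variables only when the value contains '/', or drop them all), as an added C example that is not sudo's own code. The function name `scrub_locale_env`, its `strict` flag and the sample environment are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Variables named in the report; a trailing '*' means prefix match. */
static const char *const locale_vars[] = { "LANGUAGE", "LANG", "LC_*", "NLSPATH", NULL };

/* Return 1 if the "NAME=value" entry names one of the locale variables. */
static int is_locale_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t nlen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; locale_vars[i] != NULL; i++) {
        size_t plen = strlen(locale_vars[i]);
        if (locale_vars[i][plen - 1] == '*') {
            if (nlen >= plen - 1 && strncmp(entry, locale_vars[i], plen - 1) == 0)
                return 1;
        } else if (nlen == plen && strncmp(entry, locale_vars[i], plen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Filter a NULL-terminated envp in place and return the number of entries dropped.
 * strict == 0: drop locale variables whose value contains '/'; strict != 0: drop all. */
int scrub_locale_env(char **envp, int strict)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        int has_slash = eq != NULL && strchr(eq + 1, '/') != NULL;
        if (is_locale_var(*in) && (strict || has_slash)) {
            removed++;          /* skip this entry: it is not copied forward */
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    char *env[] = { "PATH=/usr/bin", "LANGUAGE=../../../tmp", "LC_ALL=C",   /* constructed sample */
                    "NLSPATH=/tmp/%N", "LANG=en_US", "TERM=xterm", NULL };
    printf("removed %d\n", scrub_locale_env(env, 0));
    for (char **p = env; *p != NULL; p++) puts(*p);
    return 0;
}
```

A privileged wrapper would run this on the environment it passes to `execve()`, before the target program starts and resolves its message catalogs.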