Re: Why is su preserving the environment?
On Sat, Jan 24, 2009 at 08:41:37AM +0100, Josselin Mouette wrote:
> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. This has several security implications:
> * variables like PERL5LIB or GTK_MODULES can be passed to another
>   user, leading to unwanted execution of code;
> * variables like DBUS_SESSION_BUS_ADDRESS or XDG_SESSION_COOKIE
>   export authentication information that could be used to obtain
>   private information such as passwords in gnome-keyring.
> Before I work around this specific issue in the fugliest way, shouldn’t
> we prevent su from preserving the environment?
> There have been several security advisories related to sudo not cleaning
> the environment, and the final call has been to make env_reset the
> default. Is there any reason why su should not be considered vulnerable
> the same way?
Because su does not attempt to control what commands are being run; if you
can su to another user, you can run arbitrary commands as that user, which
means there's no sense in trying to filter the environment.
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
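
The inheritance discussed in this thread, as an added example that is not part of either message: a child process sees the variables the quoted message names unless it is started from a reset environment, which is what an allow-list reset in the spirit of sudo's env_reset does. The function names, the allow-list (PATH, HOME, TERM) and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names, allow-list and sample values are assumptions.

# Variables the quoted message names as dangerous to hand to another user.
RISKY_VARS="PERL5LIB GTK_MODULES DBUS_SESSION_BUS_ADDRESS XDG_SESSION_COOKIE"

# risky_in_env: read `env` output on stdin, print the risky names present.
risky_in_env() {
    listing=$(cat)
    found=""
    for name in $RISKY_VARS; do
        if printf '%s\n' "$listing" | grep -q "^${name}="; then
            found="${found}${found:+ }${name}"
        fi
    done
    printf '%s\n' "$found"
}

# run_clean: start a command from an empty environment (env -i) and pass
# only a short allow-list, with PATH pinned rather than inherited.
run_clean() {
    env -i PATH="/usr/sbin:/usr/bin:/sbin:/bin" \
        HOME="${HOME:-/}" TERM="${TERM:-dumb}" "$@"
}

# Demo, run as: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    PERL5LIB=/tmp/constructed/lib GTK_MODULES=constructed-module
    export PERL5LIB GTK_MODULES
    echo "inherited child sees: $(sh -c env | risky_in_env)"
    echo "reset child sees:     $(run_clean env | risky_in_env)"
fi
```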