Re: Bug#762839: bash without importing shell functions from the environment

To: Russ Allbery <rra@debian.org>
Cc: debian developers <debian-devel@lists.debian.org>
Subject: Re: Bug#762839: bash without importing shell functions from the environment
From: Brian May <brian@microcomaustralia.com.au>
Date: Fri, 26 Sep 2014 13:37:48 +1000
Message-id: <[🔎] CAA0ZO6CDaBiRHH=SL=Qkxk13HtYTbYqK451MgxTxy9+Gc3drOw@mail.gmail.com>
In-reply-to: <[🔎] 87a95np1zi.fsf@hope.eyrie.org>
References: <[🔎] 21540.13505.438186.122045@chiark.greenend.org.uk> <[🔎] 20140925162026.GA11755@type.bordeaux.inria.fr> <[🔎] 20140925191758.GA6306@smurf.noris.de> <[🔎] 20140925203900.GT3550@type.youpi.perso.aquilenet.fr> <[🔎] 87oau3mdkv.fsf@vostro.rath.org> <[🔎] CAA0ZO6D4EeQkCSnPuJq0phT_5i=kByqMpBU2v8DGhUHEsnF6PA@mail.gmail.com> <[🔎] 87a95np1zi.fsf@hope.eyrie.org>

On 26 September 2014 12:08, Russ Allbery <rra@debian.org> wrote:

> brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> root@aquitard:/home/brian# echo hello
> bar

I think you have that backwards, don't you? Shouldn't that be:

echo='() { /bin/echo bar; }' sudo bash

I think sudo treats both as the same/similar thing.

However, just edited /etc/sudoers and replaced:

%sudo ALL=(ALL:ALL) ALL

with:

%sudo ALL = (ALL:ALL) /home/brian/test.sh

i.e. lets me run only that specific command, and now sudo does sanitize the environment:

brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh

sudo: sorry, you are not allowed to set the following environment variables: echo

sudo should stop you from doing things like this unless you've explicitly
told sudo to allow the client to set any environment variable.

Seems to be it is disabled if you allow the client to run any command too.

However, forget my concern for sudo, it doesn't exist.

--
Brian May <brian@microcomaustralia.com.au>

Reply to:

Follow-Ups:
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Mike Hommey <mh@glandium.org>

References:
- bash without importing shell functions from the environment
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Matthias Urlichs <matthias@urlichs.de>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Brian May <brian@microcomaustralia.com.au>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Bug#762839: bash without importing shell functions from the environment
Next by Date: Re: Bug#762839: bash without importing shell functions from the environment
Previous by thread: Re: Bug#762839: bash without importing shell functions from the environment
Next by thread: Re: Bug#762839: bash without importing shell functions from the environment
Index(es):
- Date
- Thread