
Re: Bug#762839: bash without importing shell functions from the environment



On 2014-09-26 10:33:20 +0200, Josselin Mouette wrote:
> Brian May <brian@microcomaustralia.com.au> wrote: 
>         No, I don't think that is the case. I believe sudo interprets
>         those assignments itself (as also shown in man page), and the
>         error I got clearly shows this to be the case.
>         
>         brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh
>         sudo: sorry, you are not allowed to set the following environment variables: echo
>         
>         My understanding is that sudo doesn't invoke any sort of shell
>         unless you expressly tell it to do so.
> 
> 
> Does it also apply to variables that are part of env_keep in sudo?
> For example if you set TZ, PS1 or XAUTHORITY, which are preserved by
> default.

I'm not sure I understand your question. With CVE-2014-6271 fixed,
there are no problems, except for scripts that invoke TZ, PS1 or
XAUTHORITY as commands. This is rather unlikely, since commands
with uppercase letters are not so common (I just know GET, HEAD,
POST, and X).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
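
Added example (not part of the original message, and not code from bash or sudo): a Python check that reads a NUL-separated environment block, the format of /proc/<pid>/environ on Linux, and reports variables whose value starts with "() {", the form bash treated as an exported function at the time of this thread. The helper names, the sample block and the KEPT_BY_SUDO set (the three names quoted above, not an actual sudoers default list) are assumptions.

```python
# Added example: constructed data and hypothetical helper names.

FUNC_PREFIX = b"() {"  # legacy encoding bash used for exported functions

# Names the thread mentions as preserved by sudo (assumption: replace
# with the env_keep list from your own sudoers policy).
KEPT_BY_SUDO = {"TZ", "PS1", "XAUTHORITY"}


def parse_environ(block: bytes):
    """Yield (name, value) pairs from a NUL-separated environ block."""
    for entry in block.split(b"\0"):
        if not entry:
            continue  # trailing NUL or empty slot
        name, sep, value = entry.partition(b"=")
        if not sep:
            continue  # malformed entry without '='
        yield name.decode("utf-8", "replace"), value


def function_shaped(block: bytes, kept=KEPT_BY_SUDO):
    """Return [(name, survives_sudo)] for variables whose value begins
    with the exported-function prefix."""
    findings = []
    for name, value in parse_environ(block):
        # Only a value that *starts* with the prefix is function-shaped;
        # the same characters later in the value are ordinary data.
        if value.startswith(FUNC_PREFIX):
            findings.append((name, name in kept))
    return findings


# Constructed sample block (not taken from a real process).
SAMPLE = b"\0".join([
    b"HOME=/home/brian",
    b"echo=() { /bin/echo bar; id; }",
    b"TZ=() { :; }",
    b"PS1=\\u@\\h:\\w\\$ ",
    b"NOTE=uses () { in the middle",
]) + b"\0"

if __name__ == "__main__":
    for name, survives in function_shaped(SAMPLE):
        print(f"{name}: function-shaped value, kept by sudo: {survives}")
```
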

