Marc Haber wrote:
>> For unstable "Defaults = env_reset" need to be added to /etc/sudoers manually.
> Why is this only necessary on unstable systems? The security update doesn't seem to add this on stable systems automatically, so it might be necessary to manually add this on stable and testing as well.
It seems to be part of sudo itself on stable:

$ sudo -s env
TERM=xterm
LANG=en_GB.UTF-8
LANGUAGE=en_GB:en
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LOGNAME=root
USER=root
SUDO_COMMAND=/usr/bin/env
SUDO_USER=sam
SUDO_UID=1000
SUDO_GID=1000

Note that this behaviour differs from the effect of env_reset in sudoers(5). SHELL and HOME(!) are discarded, but they should be reset to 'default values'. LANG, LANGUAGE, and LC_* are passed through, but they should be discarded.
The version in unstable 'fixes' the bug by adding env_reset to the default /etc/sudoers; therefore users who upgrade from stable will re-introduce this security hole unless they alter /etc/sudoers themselves. A NEWS entry should be added to the package in unstable so that those who upgrade know to make this change!
> Greetings
> Marc
-- 
Sam Morris
http://robots.org.uk/
PGP key id 5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
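A small check for the two points raised in the mail, added here as an example and not part of the original message or of the sudo package: it tells whether a sudoers file actually enables env_reset (plain "Defaults" lines only, not the "Defaults:user" or "Defaults@host" forms), and it audits the environment a command receives under sudo against what sudoers(5) documents for env_reset. The SAMPLE_ENV listing is constructed to match the output shown above.

```python
# Constructed sample of `sudo -s env` output, matching the listing in the mail.
SAMPLE_ENV = """TERM=xterm
LANG=en_GB.UTF-8
LANGUAGE=en_GB:en
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
LOGNAME=root
USER=root
SUDO_COMMAND=/usr/bin/env
SUDO_USER=sam
SUDO_UID=1000
SUDO_GID=1000
"""

# Per sudoers(5), env_reset should drop locale variables and reset SHELL and HOME.
LOCALE_PREFIXES = ("LANG", "LANGUAGE", "LC_")
RESET_TO_DEFAULT = ("SHELL", "HOME")


def parse_env(text):
    """Turn NAME=value lines (as printed by env) into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name] = value
    return env


def has_env_reset(sudoers_text):
    """True if an uncommented plain 'Defaults' line lists env_reset.

    Accepts 'Defaults env_reset', 'Defaults = env_reset' (the spelling used in
    the advisory text) and comma-separated option lists; a negated '!env_reset'
    does not count.
    """
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("Defaults"):
            continue
        rest = line[len("Defaults"):].lstrip(" \t=")
        if "env_reset" in [opt.strip() for opt in rest.split(",")]:
            return True
    return False


def audit_env(env):
    """Report locale variables that survived and SHELL/HOME that were dropped."""
    leaked = sorted(k for k in env if k.startswith(LOCALE_PREFIXES))
    not_reset = [k for k in RESET_TO_DEFAULT if k not in env]
    return {"leaked_locale": leaked, "not_reset": not_reset}
```

Run against the listing from the mail, audit_env reports LANG and LANGUAGE as passed through and SHELL and HOME as discarded rather than reset, which is exactly the discrepancy described above.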