
Re: "Fix" of sudo with DSA-946-1



Freek Dijkstra wrote:

The correct action in this case, IMHO, should have been to apply the patch (of course!), but also add a postinst script which gives a BIG warning telling people that they need to change /etc/sudoers. The postinst scripts of the kernel-image-* packages are examples of how it should have been done. I sincerely hope that we will shortly see a sudo_1.6.8p7-1.4 which has such a warning.

I also recommend taking a look at bug #349129:
"The new behaviour regarding env sanitising is not reflected in the sudoers or the sudo manpages and there is no news.debian file in the sarge package; one must read the security announcement very precisely to find out how to deal with the change."

You definitely have to credit Alexander who wrote this report.

Like him, I wonder why the security team did not just add the following entry to /etc/sudoers:
Defaults = env_reset

I am also surprised that the security team chose to allow other environment variables by default. The fix limits the variables to LC_*, LANG, LANGUAGE and TERM. env_reset, on the other hand, limits the variables to HOME, LOGNAME, PATH, SHELL, TERM, and USER.

There is some discussion in bug #342948, but I don't see a compelling reason to change the list so dramatically in a stable environment. (Note: I fully acknowledge that a white list is much more sensible than the blacklist of PERLLIB, PERL5LIB, PERL5OPT, PS4, and SHELLOPTS that the upstream fix uses [see http://www.sudo.ws/sudo/alerts/]).


My recommended action is to alter the /etc/sudoers file in the following way:
1. Uncomment any existing "Defaults" line
2. Add the line "Defaults env_reset"
3. Add a few lines with common examples of how to change the settings to
   allow users to add additional variables, so they can fix, for now,
   (apparently) broken packages like synaptic.

Alternatively, if a Defaults line already exists, you can keep it as it is, and comment out the new "Defaults" line.

Here is the full text I propose to include in /etc/sudoers:

---
# To prevent users with limited sudo access from executing arbitrary code,
# environment variables are reset by default.
# (see Debian Security Advisory 946 for details.)
# For an explanation of env_reset, env_delete and env_keep,
# see the man page or http://www.sudo.ws/sudo/
# To allow additional environment variables, use env_keep. E.g.:
# Defaults env_reset, env_keep+="XAUTHORITY"
Defaults env_reset
---

I just tried writing a sed script to do this, but must admit my sed knowledge is lacking. I apologize for not giving a proposal script.

Regards,
Freek
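
The /etc/sudoers change proposed in the message above, as an added example (not part of the original message and not Debian's postinst code): a POSIX shell function that appends the proposed block only when no active global Defaults line already enables env_reset. The function names, the temp-file handling and the optional `visudo -c -f` syntax check are assumptions; existing Defaults lines are left untouched.

```shell
#!/bin/sh
# Added example: idempotently append the proposed env_reset block to a sudoers file.

# True if an uncommented, global "Defaults" line turns env_reset on.
# Commented lines and the negated form "!env_reset" do not count.
has_env_reset() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+([^#]*[,[:space:]])?env_reset([,[:space:]]|$)' "$1"
}

# Usage: ensure_env_reset /path/to/sudoers
# Prints "unchanged", "updated" or "invalid".
ensure_env_reset() {
    sudoers=$1
    if has_env_reset "$sudoers"; then
        echo "unchanged"
        return 0
    fi

    # Work on a copy in the same directory so the final mv is atomic.
    tmp=$(mktemp "${sudoers}.XXXXXX") || return 1
    cat "$sudoers" > "$tmp" && cat >> "$tmp" <<'EOF'

# To prevent users with limited sudo access from executing arbitrary code,
# environment variables are reset by default.
# (see Debian Security Advisory 946 for details.)
# To allow additional environment variables, use env_keep. E.g.:
# Defaults env_reset, env_keep+="XAUTHORITY"
Defaults env_reset
EOF

    # Assumption: if visudo is installed, use it to syntax-check the copy
    # before it replaces the live file; a broken sudoers locks out sudo.
    if command -v visudo >/dev/null 2>&1 &&
       ! visudo -q -c -f "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "invalid"
        return 1
    fi

    chmod 0440 "$tmp" && mv "$tmp" "$sudoers" && echo "updated"
}
```

Run it against a copy of the file first; a second run prints "unchanged" and adds nothing.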


