[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Why is su preserving the environment?


it has been brought to my attention (through #512803) that su does not
clean the environment at all. This has several security implications:
      * variables like PERL5LIB or GTK_MODULES can be passed to another
        user, leading to unwanted execution of code;
        export authentication information that could be used to obtain
        private information such as passwords in gnome-keyring.

Before I work around this specific issue in the fugliest way, shouldn’t
we prevent su from preserving the environment?

There have been several security advisories related to sudo not cleaning
the environment, and the final call has been to make env_reset the
default. Is there any reason why su should not be considered vulnerable
the same way?

: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.

Attachment: signature.asc
Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=

Reply to: