
Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs



gcrimp@vcn.bc.ca wrote:
On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
Hi,

I just did a security upgrade with Sarge and got installed sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:

(synaptic:25937): Gtk-WARNING **: cannot open display:

When I then reinstalled the previous version:

sudo_1.6.8p7-1.2_i386.deb

The problem goes away.

This paragraph was in the security announcement posted to
debian-security-announce list:

------------ begin excerpt -----------
This update alters the former behaviour of sudo and limits the number
of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
Additional variables are only passed through when set as env_check in
/etc/sudoers, which might be required for some scripts to continue to
work.
------------- end excerpt ------------

Maybe you need to do something with the DISPLAY variable in /etc/sudoers. This is just a guess, however.


Thanks! And a good guess. But what?

Right now sudoers contains:
Cmnd_Alias DD = /usr/sbin/synaptic

And this is in the sudoers manpage:

Lists that can be used in a boolean context:

...
env_check
Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to check is printed when sudo is run by root with the -V option.
...

Sounds like Greek to me. Can anybody tell me what in fact one should specify in sudoers?

Thanks!

H
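
The filtering rule described by the quoted announcement and manpage excerpt, modelled as an added example that is not part of the original thread and is not sudo's own code. It assumes those two excerpts are the whole rule; the sample environment is constructed, and the sudoers line in the comment is an assumed spelling built from the manpage's `+=` operator.

```python
import fnmatch

# Variables the announcement says the updated sudo still passes through.
ALWAYS_PASSED = ("LC_*", "LANG", "LANGUAGE", "TERM")


def filter_env(env, env_check=()):
    """Return the environment the command would see under this model.

    env_check is the list of extra variable names from /etc/sudoers,
    e.g. (assumed syntax):  Defaults env_check += "DISPLAY"
    """
    kept = {}
    for name, value in env.items():
        if any(fnmatch.fnmatchcase(name, pat) for pat in ALWAYS_PASSED):
            kept[name] = value
        elif name in env_check and "%" not in value and "/" not in value:
            # Manpage: an env_check variable is removed if its value
            # contains % or /; otherwise it is passed through.
            kept[name] = value
    return kept


def dropped(env, env_check=()):
    """Names that do not reach the command, sorted for stable output."""
    return sorted(set(env) - set(filter_env(env, env_check)))


# Constructed sample environment of a user running an X session.
SAMPLE_ENV = {
    "DISPLAY": ":0.0",
    "XAUTHORITY": "/home/user/.Xauthority",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TERM": "xterm",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
}

if __name__ == "__main__":
    # No env_check entries: DISPLAY is stripped, so a GTK program
    # started through sudo has no display to open.
    print("dropped by default:      ", dropped(SAMPLE_ENV))
    # DISPLAY listed: ":0.0" has no % or /, so it is passed through.
    print("dropped with DISPLAY:    ", dropped(SAMPLE_ENV, ("DISPLAY",)))
    # XAUTHORITY listed too: its value is a path and contains "/".
    print("dropped with both listed:",
          dropped(SAMPLE_ENV, ("DISPLAY", "XAUTHORITY")))
```

Under this model a variable whose value is a file path, such as XAUTHORITY, is still removed even when listed in env_check, because the value contains `/`.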





