
Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs



On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
> gcrimp@vcn.bc.ca wrote:
> >On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
> >>Hi,

Hi,

> >>I just did a security upgrade with Sarge and got installed 
> >>sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:
> >>
> >>(synaptic:25937): Gtk-WARNING **: cannot open display:
> >
> >This paragraph was in the security announcement posted to
> >debian-security-announce list:
> >
> >------------ begin excerpt -----------
> >This update alters the former behaviour of sudo and limits the number
> >of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
> >Additional variables are only passed through when set as env_check in
> >/etc/sudoers, which might be required for some scripts to continue to
> >work.
> >------------- end excerpt ------------
> >
> >Maybe you need to do something with the DISPLAY variable in 
> >/etc/sudoers. This is just a guess, however.
> 
> Thanks! And a good guess. But what?
> 
> And this is in the sudoers manpage:
> 
> Lists that can be used in a boolean context:
> 
> ...
> env_check
>     Environment variables to be removed from the user's environment if
>     the variable's value contains % or / characters. This can be used to
>     guard against printf-style format vulnerabilities in poorly-written
>     programs. The argument may be a double-quoted, space-separated list
>     or a single value without double-quotes. The list can be replaced,
>     added to, deleted from, or disabled by using the =, +=, -=, and !
>     operators respectively. The default list of environment variables
>     to check is printed when sudo is run by root with the -V option.
> ...
> 
> Sounds like Greek to me. Can anybody tell me what in fact one should 
> specify in sudoers?
> 
> Thanks!
> 
> H

I haven't updated my sudo yet, because it is not yet in etch. I'm
curious though, because at first it seemed very complicated, and it
would be nice to know what to do before I update sudo :)

From the above I think that DISPLAY is one of the environment values
which is not supported. To add DISPLAY to the list of variables, you
need to put
env_check -= DISPLAY
into your /etc/sudoers file, to exclude it from the list of not
supported environment variables.

It seems that by running sudo -V as root, you get the list of variables
which are not passed through. Then again, from the security
announcement I read that only LC_*, LANG, LANGUAGE and TERM are passed
through, so that means that any other variable must be excluded from
the list, if you want them passed through.

But like I said, I haven't tried this myself yet. Let me know how it
goes...

Simo
-- 
:r ~/.signature
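As an added example, not from any poster in this thread and not sudo's own code: a small POSIX sh filter that models the env_check rule quoted from sudoers(5) above, so you can see what "removed if the value contains % or /" does to a real-looking environment before touching /etc/sudoers. It assumes (my assumptions, not the page's) NAME=VALUE lines on stdin, the env_check list passed as the first argument, and LC_*, LANG, LANGUAGE and TERM as the always-supported set named in the security announcement; the sample environment is constructed, not captured.

```shell
#!/bin/sh
# Model of the env_check rule from sudoers(5), as quoted above.
# Assumption: LC_*, LANG, LANGUAGE and TERM are always passed through
# (per the Debian security announcement); everything else is passed
# only if listed in env_check AND its value contains neither % nor /.

env_check_filter() {
    # $1: space-separated env_check list, e.g. "DISPLAY XAUTHORITY"
    checklist=" $1 "
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            LC_*|LANG|LANGUAGE|TERM)
                # Always supported after the update: passed unchanged.
                printf '%s\n' "$line"
                continue
                ;;
        esac
        case "$checklist" in
            *" $name "*)
                # Listed in env_check: dropped if value holds % or /
                # (the printf-style format-string guard the manpage names).
                case "$value" in
                    *%*|*/*) ;;
                    *) printf '%s\n' "$line" ;;
                esac
                ;;
            *)
                # Neither supported nor listed: silently dropped.
                ;;
        esac
    done
}

# Constructed sample environment (not a real capture).
sample_env() {
    printf 'DISPLAY=:0\n'
    printf 'XAUTHORITY=/home/hugo/.Xauthority\n'
    printf 'LANG=en_US.UTF-8\n'
    printf 'TERM=xterm\n'
    printf 'PATH=/usr/bin:/bin\n'
    printf 'FORMAT_TEST=100%%\n'
}

# Returns the lines the rule would let through for the sample above.
filtered_sample() {
    sample_env | env_check_filter "DISPLAY XAUTHORITY FORMAT_TEST"
}

filtered_sample
```

Run it and only DISPLAY, LANG and TERM survive: DISPLAY=:0 passes because its value has no slash, but a path-valued variable such as the XAUTHORITY line above is stripped by the % or / rule even though it was listed, and PATH is dropped because it was never listed. That is the caveat to keep in mind when deciding what to put in sudoers, and the manpage's own check applies: run sudo -V as root to print the list actually in effect.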
