
Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs



On Sat, Jan 21, 2006 at 12:03:26PM +0200, Simo Kauppi wrote:
> On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
> > gcrimp@vcn.bc.ca wrote:
> > >On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
> > >>Hi,
> > >>I just did a security upgrade with Sarge and got installed 
> > >>sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:
> > >>
> > >>(synaptic:25937): Gtk-WARNING **: cannot open display:
> > >
> > >This paragraph was in the security announcement posted to
> > >debian-security-announce list:
> > >
> > >------------ begin excerpt -----------
> > >This update alters the former behaviour of sudo and limits the number
> > >of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
> > >Additional variables are only passed through when set as env_check in
> > >/etc/sudoers, which might be required for some scripts to continue to
> > >work.
> > >------------- end excerpt ------------
> > >
> > >Maybe you need to do something with the DISPLAY variable in
> > >/etc/sudoers. This is just a guess, however.
> > 
> > Thanks! And a good guess. But what?
> > 
> > And this is in the sudoers manpage:
> > 
> > Lists that can be used in a boolean context:
> > 
> > ...
> > env_check
> >     Environment variables to be removed from the user's environment if
> >     the variable's value contains % or / characters. This can be used
> >     to guard against printf-style format vulnerabilities in
> >     poorly-written programs. The argument may be a double-quoted,
> >     space-separated list or a single value without double-quotes. The
> >     list can be replaced, added to, deleted from, or disabled by using
> >     the =, +=, -=, and ! operators respectively. The default list of
> >     environment variables to check is printed when sudo is run by root
> >     with the -V option.
> > ...
> > 
> > Sounds like Greek to me. Can anybody tell me what in fact one should 
> > specify in sudoers?
> > 
> > Thanks!
> > 
> > H
> 
> I haven't updated my sudo yet, because it is not yet in etch. I'm
> curious though, because at first it seemed very complicated, and it
> would be nice to know what to do before I update sudo :)
> 
> From the above I think, that DISPLAY is one of the environment values,
> which is not supported. To add DISPLAY to the list of variables, you
> need to put
> env_check -= DISPLAY
> into your /etc/sudoers file, to exclude it from the list of not
> supported environment variables.
> 
> It seems that by running sudo -V as root, you get the list of variables
> which are not passed through. Then again, from the security
> announcement I read that only LC_*, LANG, LANGUAGE and TERM are passed
> through, so that means that any other variable must be excluded from
> the list, if you want them passed through.

And right after sending this, I realized that the value of the DISPLAY
does not normally contain '%' or '/' characters.

So it is probably some other variable blocking the use.

In other words, env_check is a list of variables, whose value is
checked, and if they contain a '%' or a '/', they are blocked. So you
need to find out which variable is preventing the use, and put
env_check -= VARIABLE
into the /etc/sudoers, to disable its checking.

One good guess would be HOME.

The checking should be totally disabled if you put
env_check =
into the /etc/sudoers file (I am guessing here), but I wouldn't
recommend it, as it is a security feature.

Simo
-- 
:r ~/.signature
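As an added example (not part of the thread above), the check Simo describes, finding which variables in a session's environment carry a '%' or '/' and would therefore be dropped by env_check, can be scripted. The function reads NAME=value lines such as `env` prints; the sample environment below is constructed, not taken from anyone's machine.

```shell
#!/bin/sh
# env_check_hits: read NAME=value lines on stdin and print the names whose
# value contains '%' or '/', i.e. the variables sudo's env_check would strip
# from the environment (values are split at the first '=' only, so a value
# that itself contains '=' is handled correctly).
env_check_hits() {
    while IFS= read -r line; do
        case $line in
            *=*) ;;
            *) continue ;;   # skip lines that are not NAME=value
        esac
        name=${line%%=*}
        value=${line#*=}
        case $value in
            *%*|*/*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample environment resembling a desktop session. Note that
# DISPLAY=:0 has neither character, while HOME and PATH do.
sample_env='DISPLAY=:0
HOME=/home/hugo
LANG=en_US.UTF-8
TERM=xterm
PATH=/usr/local/bin:/usr/bin:/bin
PROMPT_CHAR=%'

printf '%s\n' "$sample_env" | env_check_hits

# To run it against the live environment instead:  env | env_check_hits
```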
