Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs

[Hugo Vanwoerkom <hvw59601@care2.com>]

Simo Kauppi wrote:
> On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
> > gcrimp@vcn.bc.ca wrote:
> > > On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
> > > > Hi,
>
> Hi,
>
> > > > I just did a security upgrade with Sarge and got installed 
> > > > sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:
> > > >
> > > > (synaptic:25937): Gtk-WARNING **: cannot open display:
> > > This paragraph was in the security announcement posted to
> > > debian-security-announce list:
> > >
> > > ------------ begin excerpt -----------
> > > This update alters the former behaviour of sudo and limits the number
> > > of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
> > > Additional variables are only passed through when set as env_check in
> > > /etc/sudoers, which might be required for some scripts to continue to
> > > work.
> > > ------------- end excerpt ------------
> > >
> > > Maybe you need to do something with the DISPLAY	variable in 
> > > /etc/sudoers. This is just a guess, however.
> > Thanks! And a good guess. But what?
> >
> > And this is in the sudoers manpage:
> >
> > Lists that can be used in a boolean context:
> >
> > ...
> > env_check
> >     Environment variables to be removed from the user's environment if 
> > the variable's value contains %
> >     or /
> >     characters. This can be used to guard against printf-style format 
> > vulnerabilities in poorly-written programs. The argument may be a 
> > double-quoted, space-separated list or a single value without 
> > double-quotes. The list can be replaced, added to, deleted from, or 
> > disabled by using the =
> >     , +=
> >     , -=
> >     , and !
> >     operators respectively. The default list of environment variables 
> > to check is printed when sudo is run by root with the -V option.
> > ...
> >
> > Sounds like Greek to me. Can anybody tell me what in fact one should 
> > specify in sudoers?
> >
> > Thanks!
> >
> > H
>
> I haven't updated my sudo yet, because it is not yet in etch. I'm
> curious though, because at first it seemed very complicated, and it
> would be nice to know what to do before I update sudo :)
>
> From the above I think, that DISPLAY is one the environment values,
> which is not supported. To add DISPLAY to the list of variables, you
> need to put
> env_check -= DISPLAY

Makes no diff.

> into your /etc/sudoers file, to exclude it from the list of not
> supported environment variables.
>
> It seems that by running sudo -V as root, you get the list of variables
> which are not passed through. 

Gets:
Environment variables to check for sanity:
        TERM
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        PS4
        SHELLOPTS
        CDPATH
        IFS


Then again, from the security
> announcement I read that only LC_*, LANG, LANGUAGE and TERM are passed
> through, so that means that any other variable must be excluded from
> the list, if you want them passed through.
>
> But like I said, I haven't tried this myself yet. Let me know how it
> goes...
>
> Simo