
Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs
Simo Kauppi wrote:
On Sat, Jan 21, 2006 at 12:03:26PM +0200, Simo Kauppi wrote:
On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
gcrimp@vcn.bc.ca wrote:
On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
Hi,
I just did a security upgrade with Sarge and got installed sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I get:

(synaptic:25937): Gtk-WARNING **: cannot open display:

This paragraph was in the security announcement posted to the
debian-security-announce list:

------------ begin excerpt -----------
This update alters the former behaviour of sudo and limits the number
of supported environment variables to LC_*, LANG, LANGUAGE and TERM.
Additional variables are only passed through when set as env_check in
/etc/sudoers, which might be required for some scripts to continue to
work.
------------- end excerpt ------------

Maybe you need to do something with the DISPLAY variable in /etc/sudoers. This is just a guess, however.
Thanks! And a good guess. But what?

And this is in the sudoers manpage:

Lists that can be used in a boolean context:

...
env_check
    Environment variables to be removed from the user's environment if the variable's value contains % or / characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to check is printed when sudo is run by root with the -V option.
...

Sounds like Greek to me. Can anybody tell me what in fact one should specify in sudoers?

Thanks!

H
I haven't updated my sudo yet, because it is not yet in etch. I'm
curious though, because at first it seemed very complicated, and it
would be nice to know what to do before I update sudo :)

From the above I think that DISPLAY is one of the environment values
which is not supported. To add DISPLAY to the list of variables, you
need to put
env_check -= DISPLAY
into your /etc/sudoers file, to exclude it from the list of not
supported environment variables.

It seems that by running sudo -V as root, you get the list of variables
which are not passed through. Then again, from the security
announcement I read that only LC_*, LANG, LANGUAGE and TERM are passed
through, so that means that any other variable must be excluded from
the list, if you want them passed through.

And right after sending this, I realized that the value of the DISPLAY
does not normally contain '%' or '/' characters.

So it is probably some other variable blocking the use.

In other words, env_check is a list of variables, whose value is
checked, and if they contain a '%' or a '/', they are blocked. So you
need to find out which variable is preventing the use, and put
env_check -= VARIABLE
into the /etc/sudoers, to disable its checking.

One good guess would be HOME.

The checking should be totally disabled if you put
env_check =

Gets:
>>> sudoers file: syntax error, line 12 <<<
sudo: parse error in /etc/sudoers near line 12

where I put:

env_check =

into the /etc/sudoers file (I am guessing here), but I wouldn't
recommend it, as it is a security feature.

Simo

Thanks Simo!

Needless to say I am a little surprised that this comes about in Stable Sarge without further explanations.

I filed a bug (349085) which I later retracted and apologized for.

Stick with sudo_1.6.8p7-1.2_i386.deb folks!

H
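Reading the announcement together with the manpage excerpt quoted above, option settings in sudoers are only valid on a Defaults line, and `+=` adds a name to the env_check list while `-=` removes one. The fragment below is an added example, not a line from anyone in this thread; it assumes the sudo 1.6.8p7-1.3 package from the announcement and that DISPLAY is the only variable synaptic needs (some X setups also need XAUTHORITY, which is an assumption not covered by the thread).

```sudoers
# /etc/sudoers fragment (added example; edit with visudo, which checks
# the syntax before saving, or run "visudo -c" afterwards).
# Assumes sudo 1.6.8p7-1.3 from the security update, where only
# LC_*, LANG, LANGUAGE and TERM pass through by default.

# Add DISPLAY to the checked list so X clients such as synaptic can
# reach the server. Because it stays an env_check variable, sudo still
# drops it when the value contains a '%' or '/' character.
Defaults env_check += "DISPLAY"

# Assumption, not from the thread: if X authentication fails after
# DISPLAY is passed, XAUTHORITY usually has to be added the same way.
# Defaults env_check += "XAUTHORITY"

# A bare line such as
#     env_check =
# outside a Defaults entry is not a valid sudoers statement, which is
# why the parse error near that line appears. Emptying the list with
#     Defaults env_check =
# would parse, but it removes the protection the update introduced.
```

The narrow `+=` form keeps the least-privilege default of the update and only passes the one variable the application actually needs.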