Re: Sarge sec update: sudo_1.6.8p7-1.3_i386.deb probs

[Hugo Vanwoerkom <hvw59601@care2.com>]

Simo Kauppi wrote:
> On Sat, Jan 21, 2006 at 06:54:21AM -0600, Hugo Vanwoerkom wrote:
> > Simo Kauppi wrote:
> > > On Sat, Jan 21, 2006 at 12:03:26PM +0200, Simo Kauppi wrote:
> > > > On Fri, Jan 20, 2006 at 03:58:30PM -0600, Hugo Vanwoerkom wrote:
> > > > > > On Fri, Jan 20, 2006 at 08:02:33AM -0600, Hugo Vanwoerkom wrote:
> > > > > > > Hi,
> > > > > > > I just did a security upgrade with Sarge and got installed 
> > > > > > > sudo_1.6.8p7-1.3_i386.deb. But when I use sudo to get to synaptic I 
> > > > > > > get:
> > > > > > >
> > > > > > > (synaptic:25937): Gtk-WARNING **: cannot open display:
> > > > > Thanks! And a good guess. But what?
> > > > >
> > > > > And this is in the sudoers manpage:
> > > > >
> > > > > Lists that can be used in a boolean context:
> > > > >
> > > > > ...
> > > > > env_check
> > > > >    Environment variables to be removed from the user's environment if 
> > > > > the variable's value contains %
> > > > >    or /
> > > > >    characters. This can be used to guard against printf-style format 
> > > > > vulnerabilities in poorly-written programs. The argument may be a 
> > > > > double-quoted, space-separated list or a single value without 
> > > > > double-quotes. The list can be replaced, added to, deleted from, or 
> > > > > disabled by using the =
> > > > >    , +=
> > > > >    , -=
> > > > >    , and !
> > > > >    operators respectively. The default list of environment variables 
> > > > > to check is printed when sudo is run by root with the -V option.
> > > > > ...
> > > > >
> > > > > Sounds like Greek to me. Can anybody tell me what in fact one should 
> > > > > specify in sudoers?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > H
> > > In other words, env_check is a list of variables, whose value is
> > > checked, and if they contain a '%' or a '/', they are blocked. So you
> > > need to find out which variable is preventing the use, and put
> > > env_check -= VARIABLE
> > > into the /etc/sudoers, to disable its checking.
> > >
> > > One good guess would be HOME.
> > >
> > > The checking should be totally disabled if you put
> > > env_check =
> > Gets:
> > > > > sudoers file: syntax error, line 12 <<<
> > sudo: parse error in /etc/sudoers near line 12
> >
> > where I put:
> >
> > env_check =
> >
> > > into the /etc/sudoers file (i am guessing here), but I wouldn't
> > > recommend it, as it is a security feature.
> > >
> > > Simo
> > Thanks Simo!
> >
> > Needless to say I am a little surprised that this comes about in Stable 
> > Sarge without further explanations.
> >
> > I filed a bug (349085) which I later retracted and apologized for.
> >
> > Stick with sudo_1.6.8p7-1.2_i386.deb folks!
> >
> > H
>
> Hi,
>
> Don't give up just yet :)
>
> I just upgraded my sudo and re-read the security announcement and the
> manual page.
>
> It seems I interpreted it a little bit wrong...
>
> Check if you have a line
> Defaults env_reset
> or
> Defaults = env_reset

No.

> in your /etc/sudoers. If it is, comment it out or change it to
> Defaults !env_reset

makes no diff.

Defaults:ALL  !env_reset
makes no diff.


> and try again...
>
> In unstable/etch it is left for the admin to add that line into the
> /etc/sudoers. env_reset is actually the parameter, which limits the
> environment variables. env_check is then used to add the desired
> variables.
>
> And the syntax should be
> Defaults env_check += "VARIABLE1 VARIABLE2"
>
> BTW: it is always a good idea to edit the sudoers file with `visudo`,
> which also makes the sanity check.

True.

> Simo

Thanks Simo.