Re: vipw and vigr default editor

To: debian-user@lists.debian.org
Subject: Re: vipw and vigr default editor
From: Roberto C. Sánchez <roberto@debian.org>
Date: Fri, 5 Jan 2018 15:46:31 -0500
Message-id: <[🔎] 20180105204631.j5xjfusuagmj5x7a@camaguey.connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-user@lists.debian.org
In-reply-to: <[🔎] 49884f45-25fe-25b2-2f10-cd3949890fda@u-v.de>
References: <[🔎] d0e0cf7d-e303-3d55-2d13-97eb8675f34a@bluemarble.net> <[🔎] 20180105201535.xvzg4p2tw2qjkul5@eeg.ccf.org> <[🔎] 49884f45-25fe-25b2-2f10-cd3949890fda@u-v.de>

On Fri, Jan 05, 2018 at 09:37:16PM +0100, Ulf Volmer wrote:
> 
> That basically keeps the *whole* environment, what is usually a security
> issue. Better solution is to keep only needed and proved environment
> variables using
> 
> Defaults  env_keep += "EDITOR"
> 
Allowing the EDITOR variable through is a gigantic security issue.  Its
value gets passed as a command to the shell:

roberto@debian:~$ sudo EDITOR='echo "I have the power!"' vipw
I have the power! /etc/passwd.edit
vipw: /etc/passwd is unchanged

There is essentially no functional difference between allowing only the
EDITOR variable and any arbitrary environment variable.  Allowing EDITOR
(or PAGER, or any other thing that sets the name of a command to
execute) through to sudo provides an effective route to bypass any sudo
restrictions.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: vipw and vigr default editor
  - From: Ulf Volmer <u.volmer@u-v.de>

References:
- vipw and vigr default editor
  - From: John Ratliff <john@bluemarble.net>
- Re: vipw and vigr default editor
  - From: Greg Wooledge <wooledg@eeg.ccf.org>
- Re: vipw and vigr default editor
  - From: Ulf Volmer <u.volmer@u-v.de>

Prev by Date: Re: vipw and vigr default editor
Next by Date: Re: vipw and vigr default editor
Previous by thread: Re: vipw and vigr default editor
Next by thread: Re: vipw and vigr default editor
Index(es):
- Date
- Thread