From e8dc37d798607d77077f0a6f3f151a3f77a88f39 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 9 Jul 2007 23:25:41 +0000 Subject: [PATCH] Better explanation of environment handling in the sudo man page. --- sudo.pod | 55 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 30 insertions(+), 25 deletions(-) diff --git a/sudo.pod b/sudo.pod index 33e9b91ec..64e3c13b8 100644 --- a/sudo.pod +++ b/sudo.pod 
@@ -344,25 +344,35 @@ unreachable. =head1 SECURITY NOTES -B tries to be safe when executing external commands. Variables -that control how dynamic loading and binding is done can be used -to subvert the program that B runs. To combat this the -C, C<_RLD_*>, C (HP-UX only), and C (AIX -only) environment variables are removed from the environment passed -on to all commands executed. B will also remove the C, -C, C, C, C, C, C, -C, C, C, C, -C, C, C, C and -C variables as they too can pose a threat. If the -C variable is set and is a pathname, it too is ignored. -Additionally, if the C or C variables contain the -C or C<%> characters, they are ignored. Environment variables -with a value beginning with C<()> are also removed as they could -be interpreted as B functions. If B has been -compiled with SecurID support, the C, C and -C variables are cleared as well. The list of environment -variables that B clears is contained in the output of -C when run as root. +B tries to be safe when executing external commands. + +There are two distinct ways to deal with environment variables. +By default, the I I option is enabled. +This causes commands to be executed with a minimal environment +containing C, C, C, C, C, C +and C in addition to variables from the invoking process +permitted by the I and I I options. +There is effectively a whitelist for environment variables. + +If, however, the I option is disabled in I, any +variables not explicitly denied by the I and I +options are inherited from the invoking process. In this case, +I and I behave like a blacklist. Since it +is not possible to blacklist all potentially dangerous environment +variables, use of the default I behavior is encouraged. + +In all cases, environment variables with a value beginning with +C<()> are removed as they could be interpreted as B functions. +The list of environment variables that B allows or denies is +contained in the output of C when run as root. 
+ +Note that the dynamic linker on most operating systems will remove +variables that can control dynamic linking from the environment of +setuid executables, including B. Depending on the operating +system this may include C<_RLD*>, C, C, C, +C, C, and others. These type of variables are +removed from the environment before B even begins execution +and, as such, it is not possible for B to preserve them. To prevent command spoofing, B checks "." and "" (both denoting current directory) last when searching for a command in the user's @@ -370,11 +380,6 @@ PATH (if one or both are in the PATH). Note, however, that the actual C environment variable is I modified and is passed unchanged to the program that B executes. -For security reasons, if your OS supports shared libraries and does -not disable user-defined library search paths for setuid programs -(most do), you should either use a linker option that disables this -behavior or link B statically. - B will check the ownership of its timestamp directory (F<@timedir@> by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than @@ -445,7 +450,7 @@ B utilizes the following environment variables: =head1 FILES @sysconfdir@/sudoers List of who can run what - @timedir@ Directory containing timestamps + @timedir@ Directory containing timestamps =head1 EXAMPLES -- 2.40.0
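Review bot: in the first hunk (the rewritten SECURITY NOTES paragraphs), two checks documented in the removed text have no counterpart in the replacement: the sentence that variables whose values contain the C or C<%> characters are ignored, and the sentence about the variables cleared when built with SecurID support. If those checks still apply they should stay in the man page, because the new fallback sentence ("The list of environment variables that B allows or denies is contained in the output of C when run as root") covers variable names, not value-based rules such as the C<()> or C/C<%> tests. Also, in the new dynamic-linker paragraph, "These type of variables are removed" should read "These types of variables are removed" (or "Variables of this type are removed").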
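Review bot: the second hunk deletes the advice to use a linker option or to link B statically on systems that do not disable user-defined library search paths for setuid programs, and the only replacement is the new note that the dynamic linker on "most operating systems" strips such variables before B runs. Since both the old text ("most do") and the new text concede that some systems do not, consider keeping a one-sentence recommendation for that case (static linking or the equivalent linker option) so the man page still tells builders on those platforms what to do.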
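Review bot: the third hunk (FILES section) changes only the leading whitespace of the "@timedir@ Directory containing timestamps" line, which is unrelated to the environment-handling subject of this commit; either mention the alignment fix in the commit message or split it into its own change so readers of the sudo.pod history do not search this line for a content change.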