Bug 18825
| Summary: | sudo doesn't clear LANG and LC_ALL | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Manfred Spraul <manfred> |
| Component: | sudo | Assignee: | Bernhard Rosenkraenzer <bero> |
| Status: | CLOSED DUPLICATE | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Priority: | medium |
| Version: | 7.0 | Keywords: | Security |
| Hardware: | i386 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2000-10-10 21:39:37 UTC |
Description
Manfred Spraul
2000-10-10 15:39:50 UTC
Why do you think LANG or LC_ALL are dangerous? The glibc bug that let users specify their own locale files translating format strings and stuff has been fixed.
sudo itself is safe, but sudo will launch additional programs that aren't setuid root.
And in your recent security advisory for usermode-1.36 I read:
> The usermode package contains a binary (/usr/bin/userhelper),
> which is used to control access to programs which are to be
> executed as root. Because programs invoked by userhelper
> are not actually running setuid-root, security measures built
> into recent versions of glibc are not active.
s/userhelper/sudo/g
sudo is doing exactly what userhelper is doing.
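The cleanup this report asks for, as an added C example (not code from sudo, usermode or the report): a privileged wrapper strips locale variables from the environment it hands to the child, because the child is not setuid and glibc's own checks do not apply to it. The function names are hypothetical, and the variables beyond LANG and LC_ALL (the other LC_* categories, LANGUAGE, NLSPATH, LOCPATH) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* LANG and LC_ALL are named in the report; the other LC_* variables,
 * LANGUAGE, NLSPATH and LOCPATH are assumed additions. */
static const char *const exact_names[] = { "LANG", "LANGUAGE", "NLSPATH", "LOCPATH" };

/* Return 1 if a "NAME=value" entry must be dropped before exec. */
static int is_locale_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, len;
    if (eq == NULL || eq == entry)
        return 1;                  /* malformed entry: drop it too */
    len = (size_t)(eq - entry);
    if (strncmp(entry, "LC_", 3) == 0)
        return 1;                  /* LC_ALL, LC_MESSAGES, LC_CTYPE, ... */
    for (i = 0; i < sizeof exact_names / sizeof exact_names[0]; i++)
        if (strlen(exact_names[i]) == len && memcmp(entry, exact_names[i], len) == 0)
            return 1;              /* exact name match: LANGUAGE_HINT is kept */
    return 0;
}

/* Compact envp in place, in order, duplicates included; returns entries dropped. */
int scrub_locale_env(char **envp)
{
    char **src, **dst = envp;
    int removed = 0;
    for (src = envp; *src != NULL; src++) {
        if (is_locale_entry(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not taken from the report. */
    char *env[] = { "PATH=/usr/bin:/bin", "LANG=de_DE", "TERM=xterm", "LC_ALL=en_US",
                    "LANG=C", "LANGUAGE_HINT=kept", "LC_MESSAGES=de_DE", NULL };
    int i, n = scrub_locale_env(env);
    printf("removed %d entries\n", n);
    for (i = 0; env[i] != NULL; i++)
        puts(env[i]);
    return 0;
}
```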