+++ This bug was initially created as a clone of Bug #174825 +++

Description of problem:
By setting one of various environment variables to "valid" but yet "invalid" values and then running service through sudo, one can gain a root shell as a normal user.

Version-Release number of selected component (if applicable):
7.31.18.EL

How reproducible:
Always

Steps to Reproduce:
1. Run the following command:

    TERM="$TERM /bin/bash -c /bin/bash" sudo /sbin/service network status

Note the actual service and option for the service really doesn't matter.

Actual results:
Instant root shell.

Expected results:
No root shell.

Additional info:
The problem, and there may be others, is that environment variables when expanded in the service script are not quoted. Here is the particular offending line in this case:

    env -i LANG=$LANG PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

If the vars were quoted as in:

    env -i LANG="$LANG" PATH="$PATH" TERM="$TERM" "${SERVICEDIR}/${SERVICE}" ${OPTIONS}

then this exploit would not be possible (save maybe with some diddling of IFS).

The problem is mitigated by the fact that one has to configure something like sudo to allow a user to run service in some fashion, and also in that the problem can be sidestepped by having the sudo entry run something that runs service that properly cleans the environment before execing service.
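The word splitting described in the report above, shown as an added example that is not part of the original report or of the initscripts code. It assumes a constructed, benign TERM value whose extra words only call /bin/echo, uses `/bin/sh -c` as a stand-in for `"${SERVICEDIR}/${SERVICE}"`, and all function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample value (assumption): a TERM containing spaces.
# The embedded words are harmless here; they only invoke /bin/echo.
SAMPLE_TERM='xterm /bin/echo INJECTED:'

count_words() { echo "$#"; }

# How many argv words the TERM assignment becomes in each form.
words_unquoted() { v=$1; count_words TERM=$v; }    # unquoted on purpose
words_quoted()   { v=$1; count_words TERM="$v"; }

# Same shape as the offending line: env -i, assignments, then the command.
# Unquoted: the value splits, so env treats the second word as the command
# and the intended command becomes mere arguments to it.
run_unquoted() {
    v=$1
    env -i PATH=/usr/bin:/bin TERM=$v /bin/sh -c 'echo "service ran, TERM=$TERM"'
}

# Quoted: the whole value stays inside one TERM=... word, and the
# intended command is the one that runs.
run_quoted() {
    v=$1
    env -i PATH=/usr/bin:/bin TERM="$v" /bin/sh -c 'echo "service ran, TERM=$TERM"'
}

echo "unquoted argv words: $(words_unquoted "$SAMPLE_TERM")"
echo "quoted argv words:   $(words_quoted "$SAMPLE_TERM")"
echo "unquoted run: $(run_unquoted "$SAMPLE_TERM")"
echo "quoted run:   $(run_quoted "$SAMPLE_TERM")"
```

A value without whitespace yields one word in both forms, which is why the unquoted line behaves correctly until someone supplies a crafted value.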
Fixed in 7.93.23.EL-1.
Lifting embargo.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0016.html