Red Hat Bugzilla – Bug 18825
sudo doesn't clear LANG and LC_ALL
Last modified: 2007-04-18 12:29:11 EDT
The subject explains the problem:
* sudo can be used to execute programs as root in a controlled fashion.
* sudo tries to remove dangerous environment variables such as IFS or LD_?
* neither LANG nor LC_ALL is cleared, but they are dangerous.
Could someone check if this is a bug?
Why do you think LANG or LC_ALL are dangerous? The glibc bug that let users
specify their own locale files translating format strings and stuff has been
sudo itself is safe, but sudo will launch additional programs that aren't setuid
And in your recent security advisory for usermode-1.36 I read:
> The usermode package contains a binary (/usr/bin/userhelper),
> which is used to control access to programs which are to be
> executed as root. Because programs invoked by userhelper
> are not actually running setuid-root, security measures built
> into recent versions of glibc are not active.
sudo is doing exactly what userhelper is doing.
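The scrubbing the report asks for, as an added example that is not sudo's own code: a denylist of variables that glibc honours in a process that is not setuid, which is exactly the situation of the programs sudo launches. The pattern set is this example's assumption, not sudo's (later sudo versions use an env_reset allowlist instead, which is the stronger approach); the sample environment is constructed.

```python
import fnmatch
import os

# Variables glibc reads only when NOT running setuid: they change which files
# the loader and the locale/message-catalog machinery open, or how the shell
# splits words. Chosen for this example; compare with your sudoers(5) defaults.
DANGEROUS_PATTERNS = (
    "IFS", "CDPATH", "ENV", "BASH_ENV",       # shell behaviour
    "LD_*",                                  # dynamic loader (preload, search path)
    "LANG", "LANGUAGE", "LC_*",              # locale selection (LC_ALL, LC_MESSAGES, ...)
    "LOCPATH", "NLSPATH",                    # where locale data / catalogs are loaded from
    "TERMINFO", "TERMINFO_DIRS", "TERMPATH", # terminal databases
    "HOSTALIASES", "RES_OPTIONS", "LOCALDOMAIN",  # resolver configuration
)

# Constructed sample of a caller's environment, as handed to sudo.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "de_DE",
    "LC_ALL": "de_DE",
    "LD_LIBRARY_PATH": "/home/alice/lib",
    "IFS": " ",
}


def is_dangerous(name):
    """True if the variable name matches any denylist pattern (case-sensitive)."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in DANGEROUS_PATTERNS)


def scrub_environment(env):
    """Return (kept, dropped): a sanitised copy of env and the sorted names removed."""
    kept, dropped = {}, []
    for name, value in env.items():
        if is_dangerous(name):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, sorted(dropped)


if __name__ == "__main__":
    # Report what would be stripped from the current shell's environment.
    _, dropped = scrub_environment(dict(os.environ))
    print("would remove:", ", ".join(dropped) or "(nothing)")
```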
*** This bug has been marked as a duplicate of 18878 ***