+++ This bug was initially created as a clone of Bug #139478 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041020 Firefox/0.10.1

Description of problem:
Please see the URL: http://www.sudo.ws/sudo/alerts/bash_functions.html to see proper description.

Version-Release number of selected component (if applicable):
sudo-1.6.7p5

How reproducible:
Always

Steps to Reproduce:
To reproduce please follow the description in the "Details:" part of the page.

Additional info:
Note that this issue can be easily fixed by upgrading sudo to 1.6.8p2.

-- Additional comment from bressers on 2004-11-16 08:44 EST --

This issue is not a proper fix, nor should it pose a security issue for users of sudo. The fundamental purpose behind sudo is to give trusted users the ability to perform certain actions as root, without actually having the root password. There are countless other ways to trick sudo into doing things it shouldn't be (hence the word "trusted").

This fix represents a false sense of security and should be considered incomplete at best. If an administrator is worried about untrusted users altering the environment, they should be setting the env_reset variable in the sudoers file. This will clean the whole environment, not just worry about some aliases being set. There are a number of other environment variables that a user can alter to cause a script to have undesired consequences.

The real solution to this issue is to set the env_reset variable by default in the installed /etc/sudoers file, and let an administrator unset it if they so desire. We should also leverage the features of selinux to further limit the reach of sudo in order to keep a target system protected.

One of the proposed fixes was to have the "env_reset" config option in the sudoers file. The sudo packages should be modified to make this option there by default.
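
One way to check whether a sudoers file sets the env_reset option discussed above, as an added example that is not part of the original bug report or of the sudo packages. The function name `env_reset_state` and the sample file are constructed for illustration; the check reads only global `Defaults` lines in the one file it is given and does not follow include directives.

```shell
#!/bin/sh
# Added example: report how a sudoers file sets env_reset on global Defaults lines.
# Prints one of: enabled, disabled, unset (unset = the sudo build's default applies).
env_reset_state() {
    awk '
        # Join backslash-continued lines before inspecting them.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Drop comments (this also blanks commented-out Defaults lines).
        { sub(/#.*/, "", line) }
        # Global Defaults only: "Defaults:user", "Defaults@host" etc. do not match.
        line ~ /^[ \t]*Defaults[ \t]+/ {
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                # A later setting overrides an earlier one.
                if (o == "env_reset") state = "enabled"
                else if (o == "!env_reset") state = "disabled"
            }
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample: a global env_reset on a continued line, plus a
# per-user negation that does not change the global setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sudoers fragment
Defaults env_reset, \
         timestamp_timeout=5
Defaults:backup !env_reset
%wheel ALL=(ALL) ALL
EOF
echo "global env_reset in sample: $(env_reset_state "$sample")"
rm -f "$sample"
```

A result of `disabled` or `unset` on the installed /etc/sudoers is the case the comment above asks packagers to change; per-user or per-host negations need a separate review because this check skips them.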