From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041020 Firefox/0.10.1

Description of problem:
Please see the URL: http://www.sudo.ws/sudo/alerts/bash_functions.html to see a proper description.

Version-Release number of selected component (if applicable):
sudo-1.6.7p5

How reproducible:
Always

Steps to Reproduce:
To reproduce please follow the description in the "Details:" part of the page.

Additional info:
Note that this issue can be easily fixed by upgrading sudo to 1.6.8p2.
This issue is not a proper fix, nor should it pose a security issue for users of sudo. The fundamental purpose behind sudo is to give trusted users the ability to perform certain actions as root, without actually having the root password. There are countless other ways to trick sudo into doing things it shouldn't be (hence the word "trusted"). This fix represents a false sense of security and should be considered incomplete at best. If an administrator is worried about untrusted users altering the environment, they should be setting the env_reset variable in the sudoers file. This will clean the whole environment, not just worry about some aliases being set. There are a number of other environment variables that a user can alter to cause a script to have undesired consequences. The real solution to this issue is to set the env_reset variable by default in the installed /etc/sudoers file, and let an administrator unset it if they so desire. We should also leverage the features of SELinux to further limit the reach of sudo in order to keep a target system protected.
*** Bug 182390 has been marked as a duplicate of this bug. ***
*** Bug 175403 has been marked as a duplicate of this bug. ***
*** Bug 175295 has been marked as a duplicate of this bug. ***
*** Bug 175297 has been marked as a duplicate of this bug. ***
Statement for NVD: If an administrator is concerned that users who have been granted sudo privileges can alter the environment, the existing "env_reset" option should be used, which cleans the whole environment.
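
An added example, not part of the bug report or of the sudo project: a shell function that reports whether the global `env_reset` option recommended in the comment and the NVD statement above is on, off or unset in sudoers text. It assumes only global `Defaults` lines matter (scoped forms and `#include` files are ignored), and the sample sudoers fragments are constructed.

```shell
#!/bin/sh
# Reads sudoers text on stdin and prints the effective global env_reset
# state: "on", "off", or "unset" (the compiled-in default then applies).
env_reset_state() {
    awk '
    # Join backslash-continued lines into one logical line.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Skip comment lines; this also skips #include directives, which
    # this example does not follow.
    line ~ /^[ \t]*#/ { next }
    # Global entries only: "Defaults" followed by whitespace. Scoped forms
    # (Defaults:user, Defaults@host, Defaults>runas, Defaults!cmnd) are
    # ignored. Quoted values that contain commas are not handled.
    line ~ /^[ \t]*Defaults[ \t]+/ {
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, opts, ",")
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t]/, "", o)
            # A later entry overrides an earlier one.
            if (o == "env_reset")  state = "on"
            if (o == "!env_reset") state = "off"
        }
    }
    END { print (state == "" ? "unset" : state) }
    '
}

# Constructed sample sudoers fragments (not taken from any real system).
weak='Defaults !env_reset
%wheel ALL=(ALL) ALL'

hardened='# constructed hardened fragment
Defaults env_reset, \
         timestamp_timeout=5
Defaults:backup !env_reset
%wheel ALL=(ALL) ALL'

printf 'weak:     %s\n' "$(printf '%s\n' "$weak" | env_reset_state)"
printf 'hardened: %s\n' "$(printf '%s\n' "$hardened" | env_reset_state)"
```

To check a live system, feed it the real file, for example `env_reset_state < /etc/sudoers` as root.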