On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
> It's a box of pandora. You can hardly hit all variables.
>
> Bdale, what's your opinion?

One of the workarounds suggested by upstream in the p12 release announcement is:

    Alternately, the administrator can add a line to the top of sudoers file:

        Defaults env_reset

    which will reset the environment to only contain the variables HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing this attack.

My inclination for unstable is to just package p12 and upload it as-is.

It might also be reasonable to add the env_reset entry to the sudoers file we create if none already exists? I think I'll do that. But forcing a change on already-installed systems of that kind certainly doesn't make sense.

Bdale
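
The packaging behaviour proposed in the message above (write `Defaults env_reset` into a newly created sudoers file, leave an existing one alone), sketched as an added example that is not part of the original message or of the Debian sudo package. The function names are hypothetical, and the check reads only global `Defaults` lines in a single file.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from any package.

# Print "on", "off" or "unset" for env_reset in the sudoers file $1.
# Assumptions: only global "Defaults" lines are read, the last mention
# wins, and #include / #includedir files are not followed.
env_reset_state() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*Defaults[ \t]/ {
            n = split($0, parts, /[ \t,]+/)     # one token per option
            for (i = 1; i <= n; i++) {
                if (parts[i] == "env_reset")  state = "on"
                if (parts[i] == "!env_reset") state = "off"
            }
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Create a sudoers file containing env_reset only when none exists.
# An existing file is never modified; the function returns 1 instead.
create_default_sudoers() {
    [ -e "$1" ] && return 1
    # umask 0337 makes the new file mode 0440.
    ( umask 0337 &&
      printf '%s\n' '# sudoers file (constructed default)' \
                    'Defaults env_reset' > "$1" )
}

# Demo on constructed files in a scratch directory.
tmp=$(mktemp -d)
create_default_sudoers "$tmp/sudoers" &&
    echo "created new file, env_reset: $(env_reset_state "$tmp/sudoers")"
printf 'Defaults env_reset\nDefaults !env_reset\n' > "$tmp/existing"
create_default_sudoers "$tmp/existing" ||
    echo "kept existing file, env_reset: $(env_reset_state "$tmp/existing")"
rm -rf "$tmp"
```

On an installed system, `env_reset_state /etc/sudoers` (run as root) reports what the file itself says; a result of `unset` means the behaviour falls back to the default of the installed sudo version.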