On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:

> It's a box of pandora.  You can hardly hit all variables.
> 
> Bdale, what's your opinion?

One of the workarounds suggested by upstream in the p12 release
announcement is:

    Alternately, the administrator can add a line to the top of
    sudoers file:

    Defaults        env_reset

    which will reset the environment to only contain the variables
    HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
    this attack.

My inclination for unstable is to just package p12 and upload it as-is.
It might also be reasonable to add the env_reset entry to the sudoers
file we create if none already exists?  I think I'll do that.  But
forcing a change on already-installed systems of that kind certainly
doesn't make sense.

Bdale
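
The packaging behaviour proposed above, as an added example (not part of the original message and not the Debian sudo package's own maintainer script): `install_default_sudoers` writes the env_reset line only when no sudoers file exists, and `has_env_reset` reports whether an existing file enables it globally. Both function names are hypothetical, and the file written contains only the Defaults line quoted from the announcement.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Succeeds if the last global "Defaults" entry that mentions env_reset
# enables it. Scoped entries (Defaults:user, Defaults@host, ...) and
# included files are not considered.
has_env_reset() {
    awk '
        /^[ \t]*Defaults[ \t]/ {
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            sub(/[ \t]*#.*$/, "", line)          # drop a trailing comment
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[i])
                if (opts[i] == "env_reset")  state = 1
                if (opts[i] == "!env_reset") state = 0
            }
        }
        END { exit(state ? 0 : 1) }
    ' "$1"
}

# Creates the sudoers file with env_reset at the top only when none exists.
# An existing file is left untouched, matching the point that already
# installed systems should not be changed.
install_default_sudoers() {
    if [ -e "$1" ]; then
        return 0
    fi
    (
        umask 0227    # new file is created with mode 0440
        printf '%s\n' \
            '# Reset the environment to a minimal set of variables.' \
            'Defaults        env_reset' > "$1"
    )
}

# Usage (path is an assumption):
#   install_default_sudoers /etc/sudoers
#   has_env_reset /etc/sudoers || echo "env_reset not enabled globally"
```

`has_env_reset` only reads the file, so it can be run against an existing installation to see whether the administrator still needs to add the line by hand.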


