Brian May <br...@microcomaustralia.com.au> writes:

> I thought sudo was supposed to be ok, sure doesn't look ok to me.

> brian@aquitard:~$ sudo echo='() { /bin/echo bar; }'  bash
> root@aquitard:/home/brian# echo hello
> bar

I think you have that backwards, don't you?  Shouldn't that be:

    echo='() { /bin/echo bar; }' sudo bash

if you're testing whether sudo sanitizes the environment?

I believe the syntax that you're using runs the command:

    echo='() { /bin/echo bar; }'  bash

under sudo.  If you have all-command sudo privileges, you can indeed run
whatever you want via sudo, including commands that set various
interesting environment variables.  :)

sudo should stop you from doing things like this unless you've explicitly
told sudo to allow the client to set any environment variable.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
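
An added example, not part of the message above: a shell function that scans sudoers text for the settings that let a caller's environment reach the command, which is the "explicitly told sudo" case (`!env_reset`, the `setenv` option, the `SETENV:` tag). The function name and the sample policy are constructed for illustration, and the line-based matching is a simplification that does not follow includes or line continuations.

```shell
#!/bin/sh
# audit_sudoers_env (hypothetical helper): read sudoers text on stdin and
# print "LINE: reason" for each setting that weakens environment scrubbing.
# Returns 1 if anything was flagged, 0 otherwise.
# Real use, as root:  audit_sudoers_env < /etc/sudoers
audit_sudoers_env() {
    awk '
        BEGIN { bad = 0 }
        # Comment lines (this also skips #include / #includedir).
        /^[ \t]*#/ { next }
        /^[ \t]*Defaults/ {
            # env_reset is on by default; a leading "!" turns it off.
            if ($0 ~ /!env_reset/) {
                print NR ": !env_reset disables environment scrubbing"
                bad = 1
            }
            # "setenv" (not "!setenv") lets callers use -E and VAR=value.
            if ($0 ~ /(^|[^!A-Za-z0-9_])setenv([^A-Za-z0-9_]|$)/) {
                print NR ": setenv lets the caller override the environment"
                bad = 1
            }
            next
        }
        # Per-command tag; the character check keeps NOSETENV: from matching.
        /(^|[^A-Za-z0-9_])SETENV:/ {
            print NR ": SETENV: tag allows caller-set variables for this rule"
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample policy, for demonstration only.
SAMPLE_SUDOERS='Defaults env_reset
Defaults:alice !env_reset
Defaults setenv
Defaults !setenv
# Defaults !env_reset
bob ALL=(root) SETENV: /usr/bin/make
carol ALL=(root) NOSETENV: /usr/bin/make'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers_env \
    || echo "policy lets callers pass environment variables through sudo"
```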

