Freek Dijkstra wrote:
The correct action in this case, IMHO, should have been to apply the
patch (of course!), but also add a postinst script, which gives a BIG
warning telling people that they need to change /etc/sudoers.
The postinst scripts of the kernel-image-* packages are examples of how it
should have been done. I sincerely hope that we will shortly see a
sudo_1.6.8p7-1.4 which has such a warning.
I also recommend taking a look at bug #349129:
"The new behaviour regarding env sanitising is not reflected in the
sudoers or the sudo manpages and there is no news.debian file in the
sarge package; one must read the security announcement very precisely
to find out how to deal with the change."
You definitely have to credit Alexander who wrote this report.
Like him, I wonder why the security team did not just add the following
entry to /etc/sudoers:
Defaults = env_reset
I am also surprised that the security team chose to allow other
environment variables by default. The fix limits the variables to LC_*,
LANG, LANGUAGE and TERM. env_reset, on the other hand, limits the
variables to HOME, LOGNAME, PATH, SHELL, TERM, and USER.
There is some discussion in bug #342948, but I don't see a compelling
reason to change the list so dramatically in a stable environment.
(Note: I fully acknowledge that a white list is much more sensible than
the blacklist of PERLLIB, PERL5LIB, PERL5OPT, PS4, and SHELLOPTS, as the
upstream fix uses [see http://www.sudo.ws/sudo/alerts/]).
My recommended action is to alter the /etc/sudoers file in the following way:
1. Uncomment any existing "Defaults" line
2. Add the line "Defaults env_reset"
3. Add a few lines with common examples of how to change the settings to
allow users to add additional variables, so they can fix it for now
(apparently) broken packages like synaptic.
Alternatively, if a Defaults line already exists, you can keep it as it
is, and comment out the new "Defaults" line.
Here is the full text I propose to include in /etc/sudoers:
---
# To prevent users with limited sudo access from executing arbitrary code,
# environment variables are reset by default.
# (see Debian Security Advisory 946 for details.)
# For an explanation of env_reset, env_delete and env_keep,
# see the man page or http://www.sudo.ws/sudo/
# To allow additional environment variables, use env_keep. E.g.:
# Defaults env_reset, env_keep+="XAUTHORITY"
Defaults env_reset
---
I just tried writing a sed script to do this, but must admit my sed
knowledge is lacking. I apologize for not giving a proposal script.
Regards,
Freek
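
An added example, not part of the original message or of the Debian sudo package: a POSIX shell function of the kind a postinst script could call to append the proposed block to a sudoers file. The names has_env_reset and add_env_reset and the file argument are hypothetical; the function only appends, leaves existing Defaults lines alone, and does nothing when a global Defaults line already sets env_reset.

```shell
#!/bin/sh
# Added example: idempotently append the proposed block to a sudoers file.
# Function names and the file argument are hypothetical.

# Succeeds if an active global "Defaults" line already turns env_reset on.
# Commented-out lines and "!env_reset" do not count.
has_env_reset() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+(.*[[:space:],])?env_reset([[:space:],]|$)' "$1"
}

add_env_reset() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    has_env_reset "$file" && return 0      # already set: leave the file untouched

    # Build the new version next to the original so the final mv is atomic.
    tmp=$(mktemp "$file.XXXXXX") || return 2
    {
        cat "$file"
        cat <<'EOF'

# To prevent users with limited sudo access from executing arbitrary code,
# environment variables are reset by default.
# (see Debian Security Advisory 946 for details.)
# For an explanation of env_reset, env_delete and env_keep,
# see the man page or http://www.sudo.ws/sudo/
# To allow additional environment variables, use env_keep. E.g.:
# Defaults env_reset, env_keep+="XAUTHORITY"
Defaults env_reset
EOF
    } > "$tmp" || { rm -f "$tmp"; return 2; }

    # Never install a sudoers file that does not parse (checked when visudo exists).
    if command -v visudo >/dev/null 2>&1 && ! visudo -q -c -f "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp" && mv -f "$tmp" "$file"
}
```

Call it as `add_env_reset /path/to/sudoers`, on a copy first; a second run leaves the file unchanged.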