Sometimes I use the sudo command with the -s option to keep environment variables for a user's account (a sudoer). I also know that the -s option runs the shell specified by the SHELL environment variable. But the SHELL environment variable can be manipulated by other users having the same privilege.
So I think an adversary is able to abuse changing the SHELL environment variable for privilege escalation, as in the video below. (I assume the adversary already has permission to execute a shell on a remote host.)

https://youtu.be/JSQjIm7377o (unlisted)

I know it is uncertain when sudo will be executed with the -s option by a sudoer. Anyway, I have thought of the following solutions to the issue:

- using pkexec from PolicyKit
- disabling ptrace via kernel.yama.ptrace_scope / CAP_SYS_PTRACE

Could you give some advice and comments? Thanks.
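One check that follows from the concern in the question, written here as an added example and not part of the original post or of sudo itself: before `sudo -s` is invoked, vet the value of SHELL so that it is an absolute, traversal-free path, listed verbatim in an allowlist in the format of /etc/shells, a regular executable file, and not writable by group or others. The allowlist file, the world-writable decoy shell and the `safe_sudo_shell` wrapper name are constructed here for illustration only; the pkexec and ptrace_scope mitigations the question lists are not modelled.

```shell
#!/bin/sh
# Added example: vet $SHELL before it reaches 'sudo -s'. Not code from the original post.

# shell_is_trusted PATH ALLOWLIST
# Returns 0 only if PATH is an absolute, traversal-free path that appears
# verbatim in ALLOWLIST (one path per line, same format as /etc/shells),
# resolves to a regular executable file, and is not group/other writable.
shell_is_trusted() {
    candidate=$1
    allowlist=$2

    # 1. absolute path with no ./ or ../ components
    case $candidate in
        /*) ;;
        *)  return 1 ;;
    esac
    case $candidate in
        */./*|*/../*|*/.|*/..) return 1 ;;
    esac

    # 2. exact whole-line match in the allowlist (no substring or regex matching)
    grep -Fxq -- "$candidate" "$allowlist" || return 1

    # 3. regular, executable file (symlinks are followed)
    [ -f "$candidate" ] && [ -x "$candidate" ] || return 1

    # 4. only the owner may write it; ls -L follows symlinks so the target's
    #    mode is judged, not the link's lrwxrwxrwx
    mode=$(ls -ldL "$candidate" | cut -c1-10)
    case $mode in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# make_fixture: constructed sample data for the demo. Prints the temp directory.
make_fixture() {
    d=$(mktemp -d)
    # a world-writable "shell" an attacker could plant and then point SHELL at
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$d/evil"
    chmod 0777 "$d/evil"
    # allowlist in /etc/shells format; it deliberately lists the decoy, so the
    # permission check is the only thing standing between it and 'sudo -s'
    printf '%s\n' /bin/sh /bin/bash "$d/evil" > "$d/shells"
    printf '%s\n' "$d"
}

# Hypothetical wrapper (assumption: /etc/shells is the allowlist). Not run by the demo.
safe_sudo_shell() {
    shell_is_trusted "${SHELL:-/bin/sh}" /etc/shells || {
        echo "refusing: SHELL='${SHELL:-}' is not a trusted interpreter" >&2
        return 1
    }
    exec sudo -s "$@"
}

# Demo over the constructed fixture.
demo=$(make_fixture)
for s in /bin/sh "$demo/evil" bash /bin/../bin/sh; do
    if shell_is_trusted "$s" "$demo/shells"; then
        echo "ok      $s"
    else
        echo "REJECT  $s"
    fi
done
rm -rf "$demo"
```

The allowlist match is exact and the permission check is done on the resolved target, so a listed path that has been replaced by a symlink to a world-writable script is still rejected; only an entry that the invoking user cannot alter, and that an administrator has listed, gets through to `sudo -s`.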