On Sun, Nov 12, 2006 at 08:43:55AM -0600, Mike Doty wrote:
> Harald van Dijk wrote:
> > On Sun, Nov 12, 2006 at 04:56:33AM -0500, Mike Frysinger wrote:
> >> On 11/12/06, Harald van Dijk <[EMAIL PROTECTED]> wrote:
> >>> On Sun, Nov 12, 2006 at 04:34:25AM -0500, Mike Frysinger wrote:
> >>>> On 11/12/06, Peter Volkov (pva) <[EMAIL PROTECTED]> wrote:
> >>>>> The possible solution is to add virtual/editor ebuild
> >>>> this is a horrible idea
> >>>>
> >>>> why not modify sudo to not filter the EDITOR env var then there is no
> >>>> more problem
> >>> Except for a gaping security hole.
> >> pulling a ciaranm here huh?  if a guy has access to `sudo`, then
> >> having a modified environment isn't going to make much difference
> > 
> > sudo can be configured to only allow access to a select few applications.
> > Allowing arbitrary EDITOR settings completely bypasses this.
> so force EDITOR to something "secure" (infra uses rvim)

rvim is less insecure than vim, but isn't secure if called as root, nor are
most editors. If you can choose to edit other files than those specified on
the command line, you can edit the boot scripts, and do anything after that.

Anyway, if you have something safe (even if it's only /bin/false), forcing
EDITOR to it would be good, but I do not believe sudo has an option for
this. You can remove variables from the environment, but not add them.
There is a special case for visudo, but that's not handled via the
environment. And if there is no way to force EDITOR to something safe,
unsetting it (the current situation) is the next best thing.

> but really,
> visudo, vipw, crontab.... these can all be exploited to gain root access
> thus making it silly to try to prevent in these cases.

Obviously you shouldn't allow access to such programs to users that are not
completely trusted. This isn't about such programs. For example, in ufed, I
used to read the PAGER variable (if you believe that is significantly
different, please explain) to display the help. Since sudo clears it, ufed
is usable even when it's not possible to display the help, and ufed can't
do anything other than edit /etc/make.conf, it would be safe to allow it to
run via sudo (emerge --ask should of course be used if ufed can be run, but
that's a separate issue). That's the kind of thing that would no longer be
safe.
-- 
gentoo-dev@gentoo.org mailing list
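The risk discussed above (a caller-supplied EDITOR or PAGER reaching a command that sudo runs as root) as a defensive check over a sudoers fragment. This is an added example, not code from the thread or from sudo; the directives follow sudoers(5), the two configurations are constructed, and the ufed path and user name are assumptions.

```shell
#!/bin/sh
# Audit a sudoers fragment for editor/pager variables that sudo would pass
# through to the commands it runs (the thread's concern: a user limited to one
# sudo command gets arbitrary code run as root if that command spawns $EDITOR
# and sudo let the caller's value through). Constructed example, not code from
# the thread; directives follow sudoers(5), ufed path and user are assumed.

RISKY_VARS="EDITOR VISUAL PAGER"

# kept_env_vars: read sudoers text on stdin, print each variable named in
# an env_keep line, one per line (comments, quotes and += / = stripped).
kept_env_vars() {
    sed -e 's/#.*//' |
    grep -E '^[[:space:]]*Defaults[^=]*env_keep' |
    sed -E 's/.*env_keep[[:space:]]*[+]?=[[:space:]]*//; s/"//g' |
    tr ' \t' '\n\n' | grep -v '^$'
    return 0
}

# risky_kept_vars: read sudoers text on stdin, print the editor/pager
# variables it lets through; prints nothing for a clean configuration.
risky_kept_vars() {
    kept_env_vars | while IFS= read -r var; do
        for r in $RISKY_VARS; do
            if [ "$var" = "$r" ]; then printf '%s\n' "$var"; fi
        done
    done
    return 0
}

# env_reset_disabled: succeed (exit 0) if the text turns env_reset off,
# which passes the whole caller environment through regardless of env_keep.
env_reset_disabled() {
    sed -e 's/#.*//' | grep -Eq '^[[:space:]]*Defaults[^=]*!env_reset'
}

# Weak configuration (constructed): keeps the caller's EDITOR and PAGER.
WEAK_SUDOERS='Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += "EDITOR PAGER"
alice ALL=(root) /usr/sbin/ufed'

# Hardened configuration (constructed): env_reset with only locale kept.
SAFE_SUDOERS='Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
alice ALL=(root) /usr/sbin/ufed'

printf 'weak keeps: %s\n' "$(printf '%s\n' "$WEAK_SUDOERS" | risky_kept_vars | tr '\n' ' ')"
printf 'safe keeps: %s\n' "$(printf '%s\n' "$SAFE_SUDOERS" | risky_kept_vars | tr '\n' ' ')"
```

A `Defaults !env_reset` line defeats the env_keep check entirely, which is why the script tests for it separately.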