Hello Heinrich, I suspect once you can set aliases in shells used by people with sudo privileges, the game is already over regardless of environment variables used.
Is there something I'm missing where setting aliases in someone else's shell is fine except for this variable? Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/2019496 Title: Security implications of SUDO_ASKPASS Status in sudo package in Ubuntu: New Bug description: All that is needed to subvert sudo is adding this line to ~/.bashrc alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A" and a program that reads the password from the command line and makes use of it. Ignoring the SUDO_ASKPASS environment variable would be an option to stop this. Best regards Heinrich To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2019496/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
