Summary: | app-admin/sudo: SUDO_PS1 should not be respected by default | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Philip Hazel <ph10> |
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | CONFIRMED --- | ||
Severity: | normal | CC: | flameeyes |
Priority: | High | ||
Version: | 1.4 | ||
Hardware: | x86 | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Philip Hazel
2005-06-20 04:38:23 UTC
sounds like a bug in sudo rather than bash ... especially since the source code of bash-2/bash-3 does not contain the string 'SUDO' ...

    $ SUDO_PS1=hello sudo /usr/bin/env | grep PS1
    SUDO_PS1=hello
    PS1=hello
    $ SUDO_PS1=hello sudo /bin/sh
    $ helloexit
    exit
    $ SUDO_PS1=hello sudo /bin/ksh
    helloexit

What versions of sudo/bash did this use to work with?

It works fine with

    Sudo version 1.6.7p5
    GNU bash, version 2.05b.0(1)-release-(i686-pc-linux-gnu)

Oh, also note that

    SUDO_PS1=hello sudo /usr/bin/env | grep PS1

works. Things go wrong when I obey "sudo su" in order to get an interactive root shell. In other words, if I obey

    SUDO_PS1=hello sudo su

followed by

    /usr/bin/env | grep PS1

in the new state. That's why I tried to implicate bash 3.00. :-)

Hmm, i don't know who's to blame for this one...i'll look into it :)

stale but still reproducible for me ;)

The problem is that /etc/profile.env and /etc/bash/bashrc reset PS1, even if sudo sets it. The only way to fix this is to check if PS1 is set already before re-setting it.

Forgive me for barging in so late, but this I would say is a DONTFIX. PS1 should never be honoured when doing sudo, but always set by root to something else, for security reasons. Many, if not most distros do the Wrong Thing here, and I don't want to see Gentoo repeat this mistake. Example:

    export SUDO_PS1='`[ -r /etc/shadow ] && cat /etc/shadow >/tmp/foo``pwd` # '
    CTRL-L

"Hoy, admin, can you mount this CD for me to /mnt/cdrom instead of /media/cdrom? The program is cranky about the path..."

    [ user@fedora ~] % su adminuser
    Password:
    [ adminuser@fedora ~] % sudo su
    [sudo] password for adminuser:
    /home/adminuser # mount /dev/cdrom /mnt/cdrom
    /home/adminuser # [CTRL-D]
    [ adminuser@fedora ~] % [CTRL-D]
    [ user@fedora ~] %

There's now a copy of /etc/shadow in /tmp. The variations of this exploit are endless, and the fix is to never trust environment variables from a user (which the admin user could have avoided by using "su - adminuser" instead of "su adminuser").
i tend to agree with Arthur. this is not a sane default. if sudo is fixed to not respect SUDO_PS1 by default (i.e. require a config option in /etc/sudoers), then i'll review the bash changes to make this work.

AFAICS it's not respected by sudo but I'll have to talk with Todd about it.

seems it does it for me:

    $ SUDO_PS1=asdf sudo env | grep asdf
    PS1=asdf

and reading env.c shows there are no checks on it
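The two positions in this thread (keep a PS1 that is already set, but never honour one in a root shell) can be combined in a startup file. The sketch below is an added example, not code from the bug report, sudo, or Gentoo's /etc/bash/bashrc; the function names, the default prompt strings and the audit messages are assumptions.

```shell
#!/bin/sh
# Added example: prompt selection for a shell startup file that does not
# trust an inherited PS1 when the shell runs as uid 0.

# Return 0 when a prompt string contains syntax that bash expands each time
# it draws the prompt (command substitution, ${...}, arithmetic).
prompt_has_expansion() {
    case $1 in
        *'`'*|*'$('*|*'${'*) return 0 ;;
    esac
    return 1
}

# pick_ps1 UID INHERITED_PS1
# Prints the PS1 the startup file should use: an already-set PS1 is kept for
# ordinary users, while uid 0 always gets a fixed prompt.
pick_ps1() {
    if [ "$1" -eq 0 ]; then
        printf '%s\n' '\h \w # '
    elif [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' '\u@\h \w $ '
    fi
}

# audit_ps1 UID INHERITED_PS1
# Prints one line when a root shell discards an inherited prompt, flagging
# prompts that carried expansion syntax; prints nothing otherwise.
audit_ps1() {
    [ "$1" -eq 0 ] && [ -n "$2" ] || return 0
    if prompt_has_expansion "$2"; then
        printf '%s\n' 'dropped inherited PS1 (contains shell expansion)'
    else
        printf '%s\n' 'dropped inherited PS1'
    fi
}

# Use inside a startup file:
#   PS1=$(pick_ps1 "$(id -u)" "${PS1-}")
```

The expansion check only feeds the audit message; the root branch discards the inherited value whether or not it looks harmless.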