[Bug 2019496] Re: Security implications of SUDO_ASKPASS
Seth Arnold
2019496 at bugs.launchpad.net
Thu May 18 02:12:01 UTC 2023
Hello Heinrich, I suspect once you can set aliases in shells used by
people with sudo privileges, the game is already over regardless of
environment variables used.

Is there something I'm missing where setting aliases in someone else's
shell is fine except for this variable?

Thanks

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2019496

Title:
  Security implications of SUDO_ASKPASS

Status in sudo package in Ubuntu:
  New

Bug description:
  All that is needed to subvert sudo is adding this line to ~/.bashrc

      alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"

  and a program that reads the password from the command line and makes
  use of it.

  Ignoring the SUDO_ASKPASS environment variable would be an option to
  stop this.

  Best regards

  Heinrich
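
Added example (not part of the bug report, the reply, or sudo itself): a small Python audit that flags the shell startup-file constructs discussed above, namely an alias or function that shadows sudo, an assignment to SUDO_ASKPASS, and sudo invoked with -A. The function names, the pattern list and the sample file are assumptions made for illustration; a hit is heuristic and means the line deserves review.

```python
import os
import re

# Heuristic patterns (assumed for this example) for the startup-file
# constructs named in the bug report. A hit means "review this line".
CHECKS = [
    ("alias shadows sudo", re.compile(r"^\s*alias\s+(?:--\s+)?sudo=")),
    ("function shadows sudo",
     re.compile(r"^\s*(?:function\s+sudo\b|sudo\s*\(\s*\))")),
    ("SUDO_ASKPASS is set", re.compile(r"\bSUDO_ASKPASS=")),
    ("sudo forced into askpass mode",
     re.compile(r"\bsudo\b[^|;&]*\s(?:-[A-Za-z]*A[A-Za-z]*|--askpass)(?![\w-])")),
]

# Constructed sample; line 3 is the alias quoted in the bug description.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll="ls -l"
alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"
# alias sudo="sudo -A"
export EDITOR=vim
"""

def audit_rc_text(text):
    """Return (line_number, reason, line) for every flagged line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):   # whole-line comments are inert
            continue
        for reason, pattern in CHECKS:
            if pattern.search(line):
                findings.append((number, reason, line.strip()))
    return findings

def audit_files(paths):
    """Audit each readable file; return {path: findings} for files with hits."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = audit_rc_text(handle.read())
        except OSError:                      # missing or unreadable file
            continue
        if hits:
            results[path] = hits
    return results

if __name__ == "__main__":
    for number, reason, line in audit_rc_text(SAMPLE_BASHRC):
        print(f"sample:{number}: {reason}: {line}")
    home_files = [os.path.expanduser(p) for p in ("~/.bashrc", "~/.profile")]
    print(audit_files(home_files))
```
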