[Bug 2019496] Re: Security implications of SUDO_ASKPASS

Marc Deslauriers 2019496 at bugs.launchpad.net
Tue May 23 14:36:51 UTC 2023


If an attacker can edit ~/.bashrc they can simply modify the path and
point to a malicious sudo binary that does whatever it wants with the
password. I don't think this is a SUDO_ASKPASS issue.

If you disagree with our reasoning, it would be best to file this bug
with the upstream sudo project here:

https://bugzilla.sudo.ws/index.cgi

Once you file an upstream bug, please add a comment here with a link to
it. Thanks!

** Changed in: sudo (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2019496

Title:
  Security implications of SUDO_ASKPASS

Status in sudo package in Ubuntu:
  Incomplete

Bug description:
  All that is needed to subvert sudo is adding this line to ~/.bashrc

      alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"

  and a program that reads the password from the command line and makes
  use of it.

  Ignoring the SUDO_ASKPASS environment variable would be an option to
  stop this.

  Best regards

  Heinrich

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2019496/+subscriptions
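The report's trick plants a line in a shell startup file; from the defender's side the useful check is to audit those files for anything that wraps sudo or points SUDO_ASKPASS at a program. The script below is an added example, not code from the bug thread or from the sudo project; the sample ~/.bashrc it scans is constructed inline, and the set of startup file names it walks is an assumption.

```shell
#!/bin/sh
# Added example: audit shell startup files for sudo aliases/functions and
# SUDO_ASKPASS assignments, the vector described in the bug report.

# Constructed sample ~/.bashrc (not from any real system): the report's alias
# line plus a bare SUDO_ASKPASS export, among benign content.
SAMPLE_RC=$(mktemp)
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
export EDITOR=vim
alias ll='ls -la'
alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"
export SUDO_ASKPASS=/home/someone/.local/bin/askpass
EOF

# Lines that wrap sudo (alias or shell function) or set SUDO_ASKPASS:
# each of these decides which program ends up receiving the typed password.
SUDO_OVERRIDE_RE='(^|[[:space:]])alias[[:space:]]+sudo=|(^|[[:space:]])(function[[:space:]]+)?sudo[[:space:]]*\(\)|SUDO_ASKPASS='

# count_sudo_overrides FILE  -> prints the number of matching lines (0 if none)
count_sudo_overrides() {
    grep -cE "$SUDO_OVERRIDE_RE" "$1" 2>/dev/null || true
}

# audit_rc_file FILE  -> returns 0 when clean, 1 after printing flagged lines
audit_rc_file() {
    [ -r "$1" ] || return 0          # missing or unreadable file: nothing to flag
    hits=$(grep -nE "$SUDO_OVERRIDE_RE" "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s: sudo wrapper or SUDO_ASKPASS setting, verify it:\n%s\n' "$1" "$hits" >&2
    return 1
}

# audit_user_startup_files  -> 1 if any of the usual startup files is flagged
# (assumed list; extend it for the shells actually in use)
audit_user_startup_files() {
    rc=0
    for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
             "$HOME/.bash_aliases" "$HOME/.zshrc"; do
        audit_rc_file "$f" || rc=1
    done
    return $rc
}

audit_rc_file "$SAMPLE_RC" || echo "sample rc flagged (expected)"
```

A flagged line is not proof of compromise (ssh-askpass style setups legitimately export SUDO_ASKPASS), so confirm what the referenced program is and who can write to it.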



