Bash scripts run via Sudo can be subverted

Summary:

A flaw exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user, with permission to run a shell script that utilizes the bash shell, to run arbitrary commands. The /bin/sh shell on most (if not all) Linux systems is bash.

Sudo versions affected:

All versions prior to 1.6.8p2.

Details:

When it starts up, bash searches the environment for variables with a value beginning with "()". For each environment variable that matches, a function with the same name as the corresponding variable is created (with the function body filled in from the environment variable's value).

A malicious user with sudo access to a shell script that uses bash can use this feature to substitute arbitrary commands for any non-fully qualified programs called from the script.

Impact:

Exploitation of the bug requires that the bash shell be installed on the machine and that users be granted sudo access to run scripts written in bash. On most (if not all) Linux systems, /bin/sh is bash so /bin/sh scripts are affected by this as well.

Workaround:

The administrator can add the following line to the sudoers file:

    Defaults	env_reset

This will reset the environment so that it contains only the variables HOME, LOGNAME, PATH, SHELL, TERM, and USER, preventing this attack.
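The two points above, the "()" function-import behaviour described under Details and the env_reset workaround, can be checked from the defender's side with a small POSIX sh audit. The script below is an added example written for this page; it is not part of the advisory or of the sudo distribution. The helper names (find_function_vars, has_env_reset, env_reset_run), the sample environment and the sample sudoers text are all constructed for illustration. The sudoers check is a line-oriented heuristic: it does not follow #include directives and treats any "Defaults ... env_reset" entry (but not "!env_reset") as enabling the option.

```shell
#!/bin/sh
# Added example (not from the original advisory). Audits an environment
# dump for bash-style function definitions and shows the effect of
# env_reset by re-running a command with only the six variables sudo keeps.

# find_function_vars: read NAME=VALUE lines on stdin (as printed by `env`)
# and print the names of variables whose value begins with "()", which old
# bash versions turned into shell functions at startup. Multi-line values
# are not handled; each line is treated as one variable.
find_function_vars() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            "()"*) printf '%s\n' "$name" ;;
        esac
    done
}

# has_env_reset: read a sudoers file on stdin and succeed if some Defaults
# line enables env_reset. A negated "!env_reset" does not count because the
# character before env_reset must be whitespace, a comma or start of line.
has_env_reset() {
    grep -E '^[[:space:]]*Defaults[[:space:]]' |
        grep -Eq '(^|[[:space:],])env_reset([[:space:],]|$)'
}

# env_reset_run: run a command with an environment reduced to the same six
# variables the advisory lists for env_reset (HOME, LOGNAME, PATH, SHELL,
# TERM, USER), dropping everything else the caller exported.
env_reset_run() {
    env -i HOME="${HOME-}" LOGNAME="${LOGNAME-}" PATH="${PATH-}" \
           SHELL="${SHELL-}" TERM="${TERM-}" USER="${USER-}" "$@"
}

# Constructed sample environment dump (not captured from a real system).
# The "foo" entry has the shape bash used to import as a function.
SAMPLE_ENV='HOME=/home/alice
PATH=/usr/bin:/bin
foo=() { echo replaced; }
TERM=xterm'

# Constructed sudoers fragments: one with the workaround, one without.
SAMPLE_SUDOERS_FIXED='Defaults	env_reset
alice ALL=(root) /usr/local/bin/backup.sh'
SAMPLE_SUDOERS_OPEN='Defaults !env_reset
alice ALL=(root) /usr/local/bin/backup.sh'

# Stand-alone usage: report suspicious variables in the sample, then the
# sudoers verdicts, then confirm an extra exported variable is dropped.
printf '%s\n' "$SAMPLE_ENV" | find_function_vars
printf '%s\n' "$SAMPLE_SUDOERS_FIXED" | has_env_reset && echo "fixed: env_reset on"
printf '%s\n' "$SAMPLE_SUDOERS_OPEN" | has_env_reset || echo "open: env_reset off"
( export UNTRUSTED_VAR=x
  env_reset_run sh -c 'echo "UNTRUSTED_VAR after env_reset_run: ${UNTRUSTED_VAR-unset}"' )
```

On a live system the first helper would be fed with `env | find_function_vars` from the account in question, and the second with the real sudoers file; the third is only a model of what env_reset does, since sudo applies the reset itself before the script starts.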

Fix:

The bug is fixed in sudo 1.6.8p2.

Credit:

This problem was brought to my attention by Liam Helmer.

Copyright © 2004 GratiSoft, Inc.

Hosted by Linux Resources