questions about pkexec
mattdm at mattdm.org
Fri Dec 11 09:54:54 PST 2009
On Fri, Dec 11, 2009 at 12:45:18PM -0500, David Zeuthen wrote:
> We could validate the contents of these environment variables - do you
> have any attack vectors in mind that people could abuse if we didn't? Do
> you know if su(1) and sudo(8) validates such variables?
Sudo does, in a rudimentary way. Anything in the env_check list is removed
if the value contains a % or a / character. The default list treated this
Additionally, the following variables are kept by default:
and others are generally added to the list in the sudoers config file
(DISPLAY, COLORS, TZ, and more).
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
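A small model of the sudo-style env_keep / env_check filtering described in the message above, added here as an illustration; it is not part of the original thread and not sudo's or polkit's code. The env_keep and env_check lists, the wildcard matching, the sample environment and the evaluation order (env_check consulted before env_keep, everything else discarded as under env_reset) are assumptions of this model chosen to show the behaviour the post describes, not sudo's real defaults.

```python
"""Model of sudo-style environment sanitising (env_reset + env_keep + env_check).

Added example, not sudo's code. The lists below are constructed for
illustration and are NOT sudo's real defaults.
"""
import fnmatch

# Constructed policy (assumption): variables kept unconditionally ...
ENV_KEEP = ("DISPLAY", "COLORS")
# ... and variables kept only if their value contains neither '%' nor '/'.
# Patterns are matched with fnmatch so a wildcard such as LC_* works.
ENV_CHECK = ("TERM", "TZ", "LANG", "LC_*")
UNSAFE_CHARS = frozenset("%/")


def _matches(name, patterns):
    """True if the variable name matches any pattern in the list."""
    return any(fnmatch.fnmatchcase(name, pat) for pat in patterns)


def value_is_safe(value):
    """The rudimentary env_check test: reject values containing '%' or '/'."""
    return not (UNSAFE_CHARS & set(value))


def filter_environment(env, env_keep=ENV_KEEP, env_check=ENV_CHECK):
    """Return (kept, dropped) dicts for an env_reset-style rebuild.

    Modelled order (assumption): env_check is consulted first, so a listed
    variable with an unsafe value is dropped even if it also matches
    env_keep; otherwise env_keep passes it through unchanged; anything in
    neither list is discarded.
    """
    kept, dropped = {}, {}
    for name, value in env.items():
        if _matches(name, env_check):
            keep = value_is_safe(value)
        else:
            keep = _matches(name, env_keep)
        (kept if keep else dropped)[name] = value
    return kept, dropped


# Constructed sample environment (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",          # in neither list: dropped by env_reset
    "LD_PRELOAD": "/tmp/hook.so",     # in neither list: dropped
    "DISPLAY": ":0",                  # env_keep: kept as-is
    "COLORS": "/etc/DIR_COLORS",      # env_keep: kept even though it has '/'
    "TERM": "xterm",                  # env_check, clean value: kept
    "TZ": "/tmp/zoneinfo/evil",       # env_check, contains '/': dropped
    "LANG": "en_US.UTF-8",            # env_check, clean value: kept
    "LC_MESSAGES": "%n%n%n",          # env_check via LC_*, contains '%': dropped
}


if __name__ == "__main__":
    kept, dropped = filter_environment(SAMPLE_ENV)
    for name in sorted(kept):
        print("keep", name, "=", kept[name])
    for name in sorted(dropped):
        print("drop", name, "=", dropped[name])
```

The check is deliberately as coarse as the post says: it rejects only two characters, so anything placed in env_keep is trusted entirely, which is why the choice of what goes on that list matters more than the check itself.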