
Thursday, April 06, 2006

sudo and Debian "stable"

One of my primary reasons for using Debian is the near-obsessive approach taken by the security team to never disrupt the operation of any existing software in the "stable" release. When security fixes appear upstream, rather than rolling the new version of the upstream package into stable, the particular vulnerability that has been fixed is assessed and, if it exists in stable, is backported to whatever version is present in stable. Not only does this limit the introduction of additional bugs into stable (the new upstream version that contains the fix is likely to contain some other new bugs), it means that APIs and behaviours remain completely unchanged. This makes for an extremely reliable platform.

Sometimes, however, the ball is dropped.

Recently it was observed that sudo was permitting unsanitised environment variables to pass through to the super-user environment in ways that might let an intruder escalate privileges. It turns out that completely untangling this is essentially impossible, so a choice was made not to untangle it but to switch sudo to a "secure-by-default" strategy (passing only a specified set of variables). This is, in general, a sound strategy which I heartily endorse. In this case, however, it changes sudo's behaviour even for uses which do not compromise security. Worse, the maintainers knew that this was the case. Worse still, the maintainers did not update the documentation to reflect the change (apart from an obscure reference to a "whitelist" in the changelog) and, for extra credit, did not include a debconf warning that the change would break any existing script that relied on environment variables, thereby silently breaking stuff.

To add injury to insult, the change appears to have been introduced in a rather broken way: env_reset is on by default, but if you want to use env_keep to retain some variables, you must explicitly set env_reset again. If you don't, env_keep directives are silently ignored. This can be worked around to some extent with env_check, but if you're passing file paths around (in fact, anything containing / or %), env_check doesn't pass them through.

So, to undo this "fix" completely, add this line to sudoers:
Defaults env_reset, env_keep=*
Of course, if you've gotten this far, discovered the need to adjust your configuration and how to do so, you may as well take advantage of the new strategy and keep only the variables you actually need:
Defaults env_reset, env_keep="VAR1 VAR2 VAR3"
(thanks to Alexander Zangerl for posting this solution to his snafu.)
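As an added example (not from the original post), here is a small POSIX shell audit for the two pitfalls above: a Defaults line that keeps the whole environment with env_keep=*, which undoes the fix entirely, and an env_keep without an explicit env_reset on the same line, which this sudo build silently ignores. The sudoers fragments it checks are constructed samples, not files from any real host.

```shell
#!/bin/sh
# Audit sudoers Defaults lines for env_keep pitfalls. Assumes POSIX sh, grep -E and sed.

# Returns 0 when a Defaults line keeps the whole environment (env_keep=* or env_keep="*").
sudoers_env_keep_wildcard() {
    sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults.*env_keep[[:space:]]*\+?=[[:space:]]*"?\*"?' >/dev/null
}

# Returns 0 when a Defaults line uses env_keep without also stating env_reset
# (a leading ! counts as not stating it): on this sudo build that env_keep is ignored.
sudoers_env_keep_without_reset() {
    sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults.*env_keep' \
        | grep -Ev '(^|[^!])env_reset' >/dev/null
}

# Prints a one-word verdict for a sudoers file: WILDCARD, IGNORED or OK.
sudoers_env_verdict() {
    if sudoers_env_keep_wildcard "$1"; then echo WILDCARD
    elif sudoers_env_keep_without_reset "$1"; then echo IGNORED
    else echo OK
    fi
}

# Constructed sample fragments (not real sudoers files), removed when the shell exits.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'Defaults env_reset, env_keep=*\n' > "$tmpdir/undo"
printf 'Defaults env_keep="VAR1 VAR2"\n' > "$tmpdir/ignored"
printf 'Defaults env_reset, env_keep="VAR1 VAR2 VAR3"\n# Defaults env_keep=*\n' > "$tmpdir/ok"

for f in undo ignored ok; do
    printf '%s: %s\n' "$f" "$(sudoers_env_verdict "$tmpdir/$f")"
done
```

Point the verdict function at /etc/sudoers (and any files it includes) to see which of the three states a host is actually in.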