OpenBSD Journal

Impending Sudo Changes

Contributed by dwc on from the make-me-a-sandwich dept.

Todd C. Miller (millert@) wrote to several lists to make the following announcement:

I have just committed sudo 1.6.9p1 to the OpenBSD tree.

The biggest change in 1.6.9p1 that will affect folks is the environment
handling.  Previously, sudo would pass the existing environment
through to the command to be run after pruning out some variables
that were potentially dangerous.  Unfortunately, "potentially
dangerous" is a more or less infinite set these days.  As a result,
the default in 1.6.9p1 is to reset the environment to a small default
with only certain variables preserved from the previous environment.

Read on for important details and configuration hints...

This is totally configurable in sudoers and there are several
ways to deal with it.

1) Change the default back to the way it was with a line like:
	Defaults !env_reset
   in sudoers.

2) Add the variables you need to have preserved to the env_keep
   list.  E.g.
	Defaults env_keep += "DESTDIR RELEASEDIR FLAVOR"

3) Use the SETENV tag on commands or the setenv Defaults options.
   E.g.
	%wheel ALL = (ALL) SETENV: ALL

   then use "sudo -E" when you need to preserve the environment or
   specify the variables on the command line using sudo:
	$ sudo DESTDIR=/home/dst RELEASEDIR=/home/rel make release

The default sudoers file will have a commented out entry for the
wheel group like #3.

I've been using sudo with the environment resetting myself for two
years now and several of the Linux distributions make this the
default as well so it shouldn't be a huge deal.

 - todd
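To make the three options above concrete, here is a small Python model of how env_reset, env_keep and SETENV decide what environment a command receives. It is an added example, not part of Todd's announcement and not sudo's own code; the BASE_VARS set, the three-name pruning subset, the crude SETENV matching and the sample caller environment are all assumptions of this model.

```python
import re
from dataclasses import dataclass, field
# Simplified model of sudo 1.6.9's env_reset / env_keep / SETENV policy, written
# for this article: not sudo's source, ignores env_check and per-user matching,
# and uses only an illustrative subset of the real env_delete list.
BASE_VARS = {"TERM", "PATH", "HOME", "SHELL", "LOGNAME", "USER"}
DANGEROUS = ("IFS", "CDPATH", "LD_")

@dataclass
class Policy:
    env_reset: bool = True                 # the new 1.6.9p1 default
    env_keep: set = field(default_factory=set)
    setenv: bool = False                   # SETENV tag or "Defaults setenv"

def parse_sudoers(text):
    """Pick up the Defaults lines and SETENV tags shown in the announcement."""
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Defaults"):
            opt = line[len("Defaults"):].strip()
            m = re.match(r'env_keep\s*(\+=|-=|=)\s*"?([^"]*)"?$', opt)
            if m:
                names, op = set(m.group(2).split()), m.group(1)
                pol.env_keep = (pol.env_keep | names if op == "+=" else
                                pol.env_keep - names if op == "-=" else names)
            elif opt.lstrip("!") in ("env_reset", "setenv"):
                setattr(pol, opt.lstrip("!"), not opt.startswith("!"))
        elif "SETENV:" in line:            # e.g. "%wheel ALL = (ALL) SETENV: ALL"
            pol.setenv = True
    return pol

def build_env(pol, caller_env, cmdline_vars=None, preserve=False):
    """Environment the command receives; preserve=True models 'sudo -E'."""
    if preserve and pol.env_reset and not pol.setenv:
        raise PermissionError("not allowed to preserve the environment")
    if pol.env_reset and not preserve:     # start from a small fixed set
        env = {k: v for k, v in caller_env.items()
               if k in BASE_VARS or k in pol.env_keep}
    else:                                  # pre-1.6.9 style: pass through, prune
        env = {k: v for k, v in caller_env.items() if not k.startswith(DANGEROUS)}
    for k, v in (cmdline_vars or {}).items():   # sudo VAR=value command
        if not pol.setenv and k not in pol.env_keep and (
                pol.env_reset or k.startswith(DANGEROUS)):
            raise PermissionError(f"not allowed to set {k}")
        env[k] = v
    return env
# Constructed sample caller environment (not from the article).
CALLER_ENV = {"PATH": "/bin:/usr/bin", "HOME": "/home/todd", "USER": "todd",
              "TERM": "xterm", "EDITOR": "vi", "DESTDIR": "/home/dst",
              "LD_LIBRARY_PATH": "/home/todd/lib"}
```

Feed it the three sudoers fragments from the announcement and compare the resulting environments: with the new default only the fixed set survives, env_keep lets DESTDIR through (and allows it on the command line), and SETENV is what makes `sudo -E` succeed.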


Comments
  1. By Anonymous Coward (74.14.137.225) on

    With the OpenBSD Foundation around now, will sudo be coming under that, or staying under Todd's eye. I always sorta wondered why it didn't just become like with OpenSSH.

    Comments
    1. By Chl (82.240.25.187) on

      > With the OpenBSD Foundation around now, will sudo be coming under that, or staying under Todd's eye. I always sorta wondered why it didn't just become like with OpenSSH.

      I think it's because this is sudo and not OpenSudo.

      Comments
      1. By Anonymous Coward (74.14.137.225) on

        > > With the OpenBSD Foundation around now, will sudo be coming under that, or staying under Todd's eye. I always sorta wondered why it didn't just become like with OpenSSH.
        >
        > I think it's because this is sudo and not OpenSudo.

        In a way it is actually, since not only is it developed by an OpenBSD developer, but it is an opened up version of sudo, which had previously been less liberal in terms.

        Comments
        1. By Anonymous Coward (128.171.90.200) on

          A brief history of sudo ...

          http://www.gratisoft.us/sudo/history.html

          Comments
          1. By Anonymous Coward (74.14.137.225) on

            > A brief history of sudo ...
            >
            > http://www.gratisoft.us/sudo/history.html

            And that corroborates my little blurb, it had been GPLed, but Todd de-GNUed it.

            Comments
            1. By Anonymous Coward (128.171.90.200) on

              I GNU'd my fingers together once, true story.

  2. By Anonymous Coward (140.226.197.139) on

    Regular Expressions Please!

  3. By Anonymous Coward (85.178.73.24) on

    Well, I wish for MORE "pro" active security.
    No matter if it deals with data protection or "real" security.

    Does ustar have to disclose system accounts?
    Does mkhybrid have to name itself and the commands used in the ISO headers?

    In fact: No...
    So these sudo changes are a step in the right direction.
