+++ /dev/null
---- /home/bdale/Desktop/sudo-1.7.2p1/env.c 2009-06-23 12:24:42.000000000 -0600
-+++ sudo/env.c 2009-11-20 07:31:58.000000000 -0700
-@@ -120,6 +120,8 @@
- static const char *initial_badenv_table[] = {
- "IFS",
- "CDPATH",
-+ "SHELLOPTS",
-+ "PS4",
- "LOCALDOMAIN",
- "RES_OPTIONS",
- "HOSTALIASES",
-@@ -602,6 +604,17 @@
- if (keepit == -1)
- keepit = matches_env_keep(*ep);
-
-+ if (!strncmp (*ep, "DISPLAY=",8)
-+ || !strncmp (*ep, "XAUTHORITY=", 11)
-+ || !strncmp (*ep, "XAUTHORIZATION=", 15)
-+ || !strncmp (*ep, "XAPPLRESDIR=", 12)
-+ || !strncmp (*ep, "XFILESEARCHPATH=", 16)
-+ || !strncmp (*ep, "XUSERFILESEARCHPATH=", 20)
-+ || !strncmp (*ep, "LANG=", 5)
-+ || !strncmp (*ep, "LANGUAGE=", 9)
-+ || !strncmp (*ep, "LC_", 3))
-+ keepit = 1;
-+
- /* For SUDO_PS1 -> PS1 conversion. */
- if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
- ps1 = *ep + 5;
---- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700
-+++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700
-@@ -1227,6 +1227,9 @@
-
- =item env_delete
-
-+Not effective due to security issues: only variables listed in
-+I<env_keep> or I<env_check> can be passed through B<sudo>!
-+
- Environment variables to be removed from the user's environment
- when the I<env_reset> option is not in effect. The argument may
- be a double-quoted, space-separated list or a single value without
-@@ -1240,8 +1243,8 @@
-
- =item env_keep
-
--Environment variables to be preserved in the user's environment
--when the I<env_reset> option is in effect. This allows fine-grained
-+Environment variables to be preserved in the user's environment.
-+This allows fine-grained
- control over the environment B<sudo>-spawned processes will receive.
- The argument may be a double-quoted, space-separated list or a
- single value without double-quotes. The list can be replaced, added
---- a/sudo.pod
-+++ b/sudo.pod
-@@ -456,8 +456,8 @@ and, as such, it is not possible for B<sudo> to preserve them.
- To prevent command spoofing, B<sudo> checks "." and "" (both denoting
- current directory) last when searching for a command in the user's
- PATH (if one or both are in the PATH). Note, however, that the
--actual C<PATH> environment variable is I<not> modified and is passed
--unchanged to the program that B<sudo> executes.
-+C<PATH> environment variable is further modified in Debian because of
-+the use of the I<SECURE_PATH> build option.
-
- B<sudo> will check the ownership of its time stamp directory
- (F<@timedir@> by default) and ignore the directory's contents if
projects / debian / sudo / commitdiff