1 --- /home/bdale/Desktop/sudo-1.7.2p1/env.c 2009-06-23 12:24:42.000000000 -0600
2 +++ sudo/env.c 2009-11-20 07:31:58.000000000 -0700
4 static const char *initial_badenv_table[] = {
14 keepit = matches_env_keep(*ep);
16 + if (!strncmp (*ep, "DISPLAY=",8)
17 + || !strncmp (*ep, "XAUTHORITY=", 11)
18 + || !strncmp (*ep, "XAUTHORIZATION=", 15)
19 + || !strncmp (*ep, "XAPPLRESDIR=", 12)
20 + || !strncmp (*ep, "XFILESEARCHPATH=", 16)
21 + || !strncmp (*ep, "XUSERFILESEARCHPATH=", 20)
22 + || !strncmp (*ep, "LANG=", 5)
23 + || !strncmp (*ep, "LANGUAGE=", 9)
24 + || !strncmp (*ep, "LC_", 3))
27 /* For SUDO_PS1 -> PS1 conversion. */
28 if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
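Review bot: The condition added before the SUDO_PS1 handling matches X11 and locale variables by hard-coded name only, so if its body (not visible in this hunk) forces `keepit`, these variables survive the environment reset whatever the administrator sets for `env_keep`/`env_check` in sudoers, and their values are never inspected. XAUTHORITY, XAPPLRESDIR, XFILESEARCHPATH and XUSERFILESEARCHPATH carry user-chosen file paths that the X libraries will read inside the privileged process, and the `"LC_"` prefix test accepts any variable beginning with those three characters; the locale names at least should pass through the value validation that `env_check` applies instead of being kept unconditionally. Consider putting these names into the compiled-in default keep/check lists rather than an inline `strncmp` chain, so that a sudoers line such as `Defaults env_keep -= "XAUTHORITY"` can still remove them. If the block stays, it should say so: `/* Debian: X11 and locale variables are kept even when absent from env_keep/env_check */`. The enclosing loop starts and ends outside the hunk.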
30 --- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700
31 +++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700
36 +Not effective due to security issues: only variables listed in
37 +I<env_keep> or I<env_check> can be passed through B<sudo>!
39 Environment variables to be removed from the user's environment
40 when the I<env_reset> option is not in effect. The argument may
41 be a double-quoted, space-separated list or a single value without
46 -Environment variables to be preserved in the user's environment
47 -when the I<env_reset> option is in effect. This allows fine-grained
48 +Environment variables to be preserved in the user's environment.
49 +This allows fine-grained
50 control over the environment B<sudo>-spawned processes will receive.
51 The argument may be a double-quoted, space-separated list or a
52 single value without double-quotes. The list can be replaced, added
53 @@ -1280,8 +1283,14 @@
56 Below are example I<sudoers> entries. Admittedly, some of
57 -these are a bit contrived. First, we define our I<aliases>:
58 +these are a bit contrived. First, we allow a few environment
59 +variables to pass and then define our I<aliases>:
61 + # Run X applications through sudo; HOME is used to find .Xauthority file
62 + # Note that some programs may use HOME for other purposes too and
63 + # this may lead to privilege escalation!
64 + Defaults env_keep = "DISPLAY HOME"
66 # User alias specification
67 User_Alias FULLTIMERS = millert, mikef, dowdy
68 User_Alias PARTTIMERS = bostley, jwfox, crawl
69 --- /home/bdale/Desktop/sudo-1.7.2p1/sudo.pod 2009-06-15 15:19:47.000000000 -0600
70 +++ sudo/sudo.pod 2009-11-20 07:31:58.000000000 -0700
72 To prevent command spoofing, B<sudo> checks "." and "" (both denoting
73 current directory) last when searching for a command in the user's
74 PATH (if one or both are in the PATH). Note, however, that the
75 -actual C<PATH> environment variable is I<not> modified and is passed
76 -unchanged to the program that B<sudo> executes.
77 +C<PATH> environment variable is further modified in Debian because of
78 +the use of the I<SECURE_PATH> build option.
80 B<sudo> will check the ownership of its timestamp directory
81 (F<@timedir@> by default) and ignore the directory's contents if