- In all cases, environment variables with a value beginning
- with () are removed as they could be interpreted as b\bba\bas\bsh\bh
- functions. The list of environment variables that s\bsu\bud\bdo\bo
- allows or denies is contained in the output of sudo -V
- when run as root.
-
- Note that the dynamic linker on most operating systems
- will remove variables that can control dynamic linking
- from the environment of setuid executables, including
- s\bsu\bud\bdo\bo. Depending on the operating system this may include
- _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
- ers. These type of variables are removed from the envi
- ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
- is not possible for s\bsu\bud\bdo\bo to preserve them.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bsu\bud\bdo\bo executes.
-
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root or if it is writable by a
- user other than root. On systems that allow non-root
- users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
- timestamp directory before s\bsu\bud\bdo\bo is run. However, because
- s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
- its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This
- is unlikely to happen since once the timestamp dir is
- owned by root and inaccessible by any other user, the user
- placing files there would be unable to get them back out.
- To get around this issue you can use a directory that is
- not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
- instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
- owner (root) and permissions (0700) in the system startup
- files.
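Review bot: This hunk removes the SECURITY NOTES text on `()`-prefixed environment variables, the dynamic-linker variables (_RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH), the last-place search of "." and "" in the user's PATH, and the ownership and mode checks on the timestamp directory, with no `+` lines in this hunk showing the replacement; please confirm the regenerated page still states all four points, in particular that the timestamp directory must be root-owned with mode 0700 and that its contents are ignored otherwise, since that is the guidance administrators rely on when relocating it. The removed lines are pre-formatted output carrying backspace overstrike sequences (`s\bsu\bud\bdo\bo`, `_\bn_\bo_\bt`), so they should be regenerated from the roff source rather than hand-edited; while regenerating, `These type of variables are removed` should read `These types of variables are removed`.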