- In all cases, environment variables with a value beginning
- with () are removed as they could be interpreted as b\bba\bas\bsh\bh
- functions. The list of environment variables that s\bsu\bud\bdo\bo
- allows or denies is contained in the output of sudo -V
- when run as root.
-
- Note that the dynamic linker on most operating systems
- will remove variables that can control dynamic linking
- from the environment of setuid executables, including
- s\bsu\bud\bdo\bo. Depending on the operating system this may include
- _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth
- ers. These type of variables are removed from the envi
- ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
- is not possible for s\bsu\bud\bdo\bo to preserve them.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bsu\bud\bdo\bo executes.
-
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
- tents if it is not owned by root or if it is writable by a
- user other than root. On systems that allow non-root
- users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
- timestamp directory before s\bsu\bud\bdo\bo is run. However, because
- s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
- its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This
- is unlikely to happen since once the timestamp dir is
- owned by root and inaccessible by any other user, the user
- placing files there would be unable to get them back out.
- To get around this issue you can use a directory that is
- not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
- instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
- owner (root) and permissions (0700) in the system startup
- files.
-
- s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
- Timestamps with a date greater than current_time + 2 *
- TIMEOUT will be ignored and sudo will log and complain.
- This is done to keep a user from creating his/her own
- timestamp with a bogus date on systems that allow users to
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
+ others. These type of variables are removed from the environment
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
+
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
+ s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
+ by default) and ignore the directory's contents if it is not owned by
+ root or if it is writable by a user other than root. On systems that
+ allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
+ is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the
+ directory and its contents, the only damage that can be done is to
+ "hide" files by putting them in the timestamp dir. This is unlikely to
+ happen since once the timestamp dir is owned by root and inaccessible
+ by any other user, the user placing files there would be unable to get
+ them back out. To get around this issue you can use a directory that
+ is not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance)
+ or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and
+ permissions (0700) in the system startup files.
+
+ s\bsu\bud\bdo\bo will not honor timestamps set far in the future. Timestamps with
+ a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
+ will log and complain. This is done to keep a user from creating
+ his/her own timestamp with a bogus date on systems that allow users to
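Review bot: the paragraph removed at the top of this hunk has no counterpart among the added lines shown, which begin at "Note that the dynamic linker". That paragraph says environment variables whose value begins with () are removed as possible bash functions, and that the allow/deny list appears in the output of sudo -V when run as root. Please confirm it was moved elsewhere in the page rather than dropped, since it is the only pointer in this passage to where an administrator can see which variables sudo filters. Two smaller points on the re-wrapped text: "These type of variables" is carried over unchanged and should read "These types of variables", and the "sudo" in "will be ignored and sudo will log and complain" is still not emboldened like the other occurrences. If this file is generated output, both fixes belong in the source it is formatted from.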