X-Git-Url: https://git.gag.com/?a=blobdiff_plain;ds=sidebyside;f=debian%2Fpatches%2Fenv.c-safety.diff;h=034dfdb59855a958b0f77700db8e44af193a84de;hb=0fba814a8aad49e5d9e1f480ae6f2a28ebec085c;hp=6a6467dca61dd79bd912f741ecd72995bafcad15;hpb=f96858dfa76bdecf85912bce766954e31b050def;p=debian%2Fsudo

diff --git a/debian/patches/env.c-safety.diff b/debian/patches/env.c-safety.diff
index 6a6467d..034dfdb 100644
--- a/debian/patches/env.c-safety.diff
+++ b/debian/patches/env.c-safety.diff
@@ -27,3 +27,39 @@
  	    /* For SUDO_PS1 -> PS1 conversion. */
  	    if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
  		ps1 = *ep + 5;
+--- tmp/sudoers.pod	2010-03-11 12:28:58.000000000 -0700
++++ sudo/sudoers.pod	2010-03-11 12:29:58.000000000 -0700
+@@ -1227,6 +1227,9 @@
+ 
+ =item env_delete
+ 
++Not effective due to security issues: only variables listed in 
++I<env_keep> or I<env_check> can be passed through B<sudo>!
++
+ Environment variables to be removed from the user's environment
+ when the I<env_reset> option is not in effect.  The argument may
+ be a double-quoted, space-separated list or a single value without
+@@ -1240,8 +1243,8 @@
+ 
+ =item env_keep
+ 
+-Environment variables to be preserved in the user's environment
+-when the I<env_reset> option is in effect.  This allows fine-grained
++Environment variables to be preserved in the user's environment.
++This allows fine-grained
+ control over the environment B<sudo>-spawned processes will receive.
+ The argument may be a double-quoted, space-separated list or a
+ single value without double-quotes.  The list can be replaced, added
+--- a/sudo.pod
++++ b/sudo.pod
+@@ -456,8 +456,8 @@ and, as such, it is not possible for B<sudo> to preserve them.
+ To prevent command spoofing, B<sudo> checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's
+ PATH (if one or both are in the PATH).  Note, however, that the
+-actual C<PATH> environment variable is I<not> modified and is passed
+-unchanged to the program that B<sudo> executes.
++C<PATH> environment variable is further modified in Debian because of
++the use of the I<SECURE_PATH> build option.
+ 
+ B<sudo> will check the ownership of its time stamp directory
+ (F<@timedir@> by default) and ignore the directory's contents if