The sudo command has the -E option that allows users to pass through all environment variables, although it's still subject to the security policy configuration. So, is the use of -E inherently unsafe? Can someone offer a specific example of how this could be misused?
sa___
Pardon me if this looks like a duplicate. I had asked this question originally on stackoverflow and was asked to post it on serverfault and then to security.stackexchange. – sa___ Oct 18 '20 at 06:18
This is the right place to ask this kind of question, but there are several questions already which likely address yours: "Shellshock plus sudo/su environment whitelist bypass - big problem?", "Issues with preserving $HOME on sudo", "What are some vulnerabilities of environment variables". – Steffen Ullrich Oct 18 '20 at 06:19
LD_PRELOAD is a good example. – user253751 Oct 19 '20 at 10:09
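The question notes that -E is still subject to the security policy. As an added example (not part of the original thread), this Python check scans sudoers text for the settings that, per the sudoers manual, decide whether a caller's environment reaches the command: `setenv`, the `SETENV` tag, the `ALL` command, `!env_reset` and `env_keep`. The function name, watch list and sample policy are constructed for illustration, and the check assumes one rule per line with no includes or line continuations.

```python
import fnmatch
import re

# Constructed watch list (an assumption, not exhaustive): variables that change
# which code a program loads or runs at start-up.
RISKY = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "PERL5LIB", "BASH_ENV", "PATH")

def audit_sudoers(text):
    """Return (line_no, finding) pairs for settings that pass caller environment through."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # comments (and #include lines)
            continue
        m = re.match(r"Defaults\S*\s+(.*)", line)
        if m:
            opts = m.group(1)
            if re.search(r"!\s*env_reset\b", opts):
                findings.append((no, "env_reset is disabled"))
            if re.search(r"(?<![!\w])setenv\b", opts):
                findings.append((no, "setenv: sudo -E is permitted"))
            for k in re.finditer(r'env_keep\s*\+?=\s*(?:"([^"]*)"|(\S+))', opts):
                for pat in (k.group(1) or k.group(2)).strip(",").split():
                    # entries may be NAME, NAME=value or a wildcard pattern
                    hits = [v for v in RISKY if fnmatch.fnmatchcase(v, pat.split("=")[0])]
                    if hits:
                        findings.append((no, "env_keep preserves " + ", ".join(hits)))
        elif "=" in line and not re.match(r"\w+_Alias\b", line):
            spec = line.split("=", 1)[1]        # runas, tags and commands
            if re.search(r"\bSETENV\s*:", spec):
                findings.append((no, "SETENV tag: sudo -E is permitted"))
            elif not re.search(r"\bNOSETENV\s*:", spec):
                cmds = re.sub(r"\([^)]*\)|\b[A-Z_]+\s*:", "", spec)
                if "ALL" in [c.strip() for c in cmds.split(",")]:
                    findings.append((no, "command ALL implies SETENV"))
    return findings

# Constructed sudoers fragment; users, hosts and paths are made up.
SAMPLE = """\
Defaults env_reset
Defaults env_keep += "LANG LD_PRELOAD"
Defaults:deploy setenv
alice ALL=(ALL:ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
carol ALL=(root) SETENV: /usr/local/bin/backup.sh
dave ALL=(ALL) NOSETENV: ALL
"""
if __name__ == "__main__":
    for no, finding in audit_sudoers(SAMPLE):
        print(f"line {no}: {finding}")
```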