[Bug 2019496] Re: Security implications of SUDO_ASKPASS
Launchpad Bug Tracker
2019496 at bugs.launchpad.net
Sun Jul 23 04:17:14 UTC 2023
[Expired for sudo (Ubuntu) because there has been no activity for 60
days.]
** Changed in: sudo (Ubuntu)
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2019496
Title:
Security implications of SUDO_ASKPASS
Status in sudo package in Ubuntu:
Expired
Bug description:
All that is needed to subvert sudo is adding this line to ~/.bashrc
alias sudo="SUDO_ASKPASS=/home/$USER/.config/git/doevil sudo -A"
and a program that reads the password from the command line and makes
use of it.
Ignoring the SUDO_ASKPASS environment variable would be an option to
stop this.
Best regards
Heinrich
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2019496/+subscriptions
More information about the foundations-bugs
mailing list