Subject: Re: security issues with passing environment vars through su
To: NetBSD-current Discussion List <current-users@NetBSD.org>
From: Greywolf <greywolf@starwolf.com>
List: current-users
Date: 09/16/2003 12:17:35

Thus spake Greg A. Woods ("GAW> ") sometime Today...
GAW> > That said, if there's a flag to alter
GAW> > the behaviour, great, but I personally find the typical non-BSD behaviour
GAW> > of 'su' to be completely out of line. That, though, is the result of
GAW> > having been "born and raised" on BSD :-).]
GAW>
GAW> Well if you ever have the occasion to use a system I've configured, and
GAW> the privilege to be in the wheel group on that system, then you will not
GAW> be allowed to automatically pass your shell environment to your root
GAW> shell. There will be no if's, and's, or but's about it -- it just will
GAW> not be permitted at all, ever, and any attempt to subvert this (or any
GAW> other) protective measure will result in immediate loss of access. :-)

Cool. I respect that as your decision. You're in charge. Just don't force
me to do that to MY systems. :-)

GAW> No, ENV is a problem if it is set (at least so long as root's shell is
GAW> any shell which honours it, aka /bin/sh and /bin/ksh on base NetBSD).
GAW> Period.

...! I'll be dipped in sh...aving cream. I hadn't noticed that we
used ENV! Well, then...

GAW> The same applies to $HOME if your root shell is of the C Shell variety.

Yes, I don't want $HOME inherited. This is the one that really Really
REALLY irks me on sysV -- it *inherits* $HOME, whether you're using a
csh-alike or not. This screws things up, since I would really like
~root/.cshrc to be sourced if root->pw_shell happens to be a csh.

[Ostensibly, I would like it if there were a default .cshrc-like thing
for sh, since I don't want to HAVE to say . /root/.shrc (or whatever)...
but that's minor.]

GAW> $PATH is right out too.

Fully reasonable.

GAW> $EDITOR and $VISUAL have similar risks as well.
GAW> $OLDPWD may even be risky, though that's one I'm still thinking about
GAW> because it could really help eliminate the only complaint I have with my
GAW> fix to "su".

I don't see any inherent risk in inheriting $OLDPWD...

For myself, though, I *do* like having ENV passed in; so please don't
propose changing that.

--*greywolf;
--
NetBSD: the second best thing you can get for free.
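
Added example, not part of the original message and not NetBSD's su code or GAW's fix: a C sketch of the stricter policy GAW argues for above, where the variables he names (ENV, HOME, PATH, EDITOR, VISUAL) are removed before the target shell starts and HOME and PATH are then set from trusted values. The function names, the sample environment and the root home and path values a caller would pass in are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Variables GAW names in the thread as unsafe to hand to a root shell. */
static const char *const unsafe_vars[] = { "ENV", "HOME", "PATH", "EDITOR", "VISUAL", NULL };

/* Constructed sample of an unprivileged caller's environment (duplicate ENV, one malformed entry). */
char *sample_caller_env[] = { "TERM=vt100", "ENV=/home/user/.shrc", "HOME=/home/user",
    "PATH=.:/home/user/bin", "EDITOR=/tmp/ed", "PATHEXT=kept", "ENV=/tmp/x", "junk", NULL };

/* Non-zero if entry is "name=..."; exact match, so PATHEXT is not taken for PATH. */
static int named(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Value of name in a NULL-terminated environment array, or NULL if absent. */
const char *env_lookup(char *const *envp, const char *name) {
    for (; *envp; envp++)
        if (named(*envp, name)) return *envp + strlen(name) + 1;
    return NULL;
}

/* Allocate "name=value"; returns NULL on allocation failure. */
static char *make_var(const char *name, const char *value) {
    size_t len = strlen(name) + strlen(value) + 2;
    char *s = malloc(len);
    if (s) snprintf(s, len, "%s=%s", name, value);
    return s;
}

/* Caller's entries minus every unsafe or malformed one, then trusted HOME and PATH.
 * Kept entries are borrowed from envp; returns NULL on allocation failure. */
char **scrub_env(char *const *envp, const char *home, const char *path) {
    size_t n = 0, k = 0;
    while (envp[n]) n++;
    char **out = calloc(n + 3, sizeof *out);
    char *h = make_var("HOME", home), *p = make_var("PATH", path);
    if (!out || !h || !p) { free(out); free(h); free(p); return NULL; }
    for (size_t i = 0; i < n; i++) {
        int drop = strchr(envp[i], '=') == NULL;   /* malformed: no '=' */
        for (size_t j = 0; unsafe_vars[j] && !drop; j++)
            drop = named(envp[i], unsafe_vars[j]);
        if (!drop) out[k++] = envp[i];
    }
    out[k++] = h; out[k] = p;   /* calloc left the terminating NULL in place */
    return out;
}
```

Every occurrence of a listed name is dropped, not just the first, so a duplicated ENV entry cannot survive the scrub.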