The `sudo` command has the `-E` option that allows users to pass through all environment variables, although it's still subject to the security policy configuration. So, is the use of `-E` inherently unsafe? Can someone offer a specific example of how this could be misused?
sa___
- Pardon me if this looks like a duplicate. I had asked this question originally on Stack Overflow and was asked to post it on Server Fault and then on security.stackexchange. – sa___ Oct 18 '20 at 06:18
- This is the right place to ask this kind of question, but there are several questions already which likely address yours: [Shellshock plus sudo/su environment whitelist bypass - big problem?](https://security.stackexchange.com/questions/68657), [Issues with preserving $HOME on sudo](https://security.stackexchange.com/questions/18369/), [What are some vulnerabilities of environment variables](https://security.stackexchange.com/questions/119962). – Steffen Ullrich Oct 18 '20 at 06:19
- `LD_PRELOAD` is a good example. – user253751 Oct 19 '20 at 10:09
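
A defender's check for the policy side of the question, as an added example that is not part of the original post or its comments: it scans sudoers-format text for the settings that make `-E` effective (`!env_reset`, `setenv`, the `SETENV:` tag) and for `env_keep` entries that name sensitive variables. The sample rules, the function names and the variable list (`LD_PRELOAD`, `LD_LIBRARY_PATH`, `HOME`) are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag sudoers settings that let `sudo -E` carry the caller's
# environment into the privileged command.
# Reads sudoers-format text on stdin, prints "<line number>: <finding>".
audit_sudoers_env() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    /^[ \t]*Defaults/ {
        if ($0 ~ /!env_reset/)
            print NR ": env_reset disabled, caller environment kept by default"
        # matches "setenv" but not "!setenv"
        if ($0 ~ /(^|[ \t,])setenv([ \t,]|$)/)
            print NR ": setenv enabled, -E honoured for matching users"
        # variable list is an assumption; extend it for your environment
        if ($0 ~ /env_keep/ && $0 ~ /LD_PRELOAD|LD_LIBRARY_PATH|HOME/)
            print NR ": env_keep preserves a sensitive variable"
        next
    }
    # per-rule tag; NOSETENV: is deliberately not matched
    /(^|[ \t:])SETENV:/ { print NR ": SETENV tag, -E allowed for this rule" }
    '
}

# Constructed sample policy (not taken from any real system).
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
Defaults:deploy setenv
alice ALL=(root) SETENV: /usr/bin/make
bob ALL=(root) NOSETENV: /usr/bin/id
EOF
}

# Run against the sample; on a real host, feed it the sudoers files instead.
sample_sudoers | audit_sudoers_env
```

Per sudoers(5), a rule whose command is `ALL` implies `SETENV` unless `NOSETENV` is given; this line-based scan does not detect that case.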