Bug#512803: Why is su preserving the environment?

[Steve Langasek]

On Sat, Jan 24, 2009 at 08:41:37AM +0100, Josselin Mouette wrote:

> it has been brought to my attention (through #512803) that su does not
> clean the environment at all. This has several security implications:
>       * variables like PERL5LIB or GTK_MODULES can be passed to another
>         user, leading to unwanted execution of code;
>       * variables like DBUS_SESSION_BUS_ADDRESS or XDG_SESSION_COOKIE
>         export authentication information that could be used to obtain
>         private information such as passwords in gnome-keyring.

> Before I work around this specific issue in the fugliest way, shouldn’t
> we prevent su from preserving the environment?

> There have been several security advisories related to sudo not cleaning
> the environment, and the final call has been to make env_reset the
> default. Is there any reason why su should not be considered vulnerable
> the same way?

Because su does not attempt to control what commands are being run; if you
can su to another user, you can run arbitrary commands as that user, which
means there's no sense in trying to filter the environment.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org