by rob_c 363 days ago
NO, this is NOT environment variables.

It's the wrong argument to a tool, but the suid part has nothing to do with environment variables or cleaning the env up.

PLEASE STOP SPREADING FUD.


Relax, someone else already explained it without shouting.

At the time they hadn't, and I'm fed up with the jumping to conclusions that env vars are the cause of any security issue. This is blaming poor code from poor devs on expert features from UNIX all too often.

Worrying when said person has authored a widely used security product(!). This is a bad trend in the industry that needs to stop.

> At the time they hadn't

Their comment was before yours.

If that's the comment you mean, it also misses the point:
https://news.ycombinator.com/item?id=44355306

I'm talking about this comment. Are you talking about this comment? From what knowledge I have, it looks like a good explanation of the problem and why it's not an environment variable problem.

I'll say it again - environment variables or pam_env aren't expert features - they're primitive. They were a contributing factor in the first privilege escalation.

Hardly, it's a minor coding bug to do with defaults.