In message <9412060851.AA27261@al.mrc-lmb.cam.ac.uk> so spake Bonfield James (jkb): > Doug Hughes wrote: > > >If I recall correctly, (I could be wrong), was the original discussion > >about sudo? If so, why not statically link it? (I'm not discounting > >the importance of the LD_* problem). > > This is not the problem. For setuid programs the LD_* variables will be > ignored. This ought to be true on all systems (although a very early release > (BL10 I think) of DEC OSF/1 had this bug). The check is done by looking at > real and effective uids (and gids) to see whether they're the same. > > However the problem arises when the program sets the two uids to be the same > and then executes another program. In this case the LD_* problem will exist > again as the child process will pass the above test. This caused problems for > > sudo, login -p, su, lpr, sendmail (programs in .forward files) and probably > more. As I recall SunOS4.1.3 fixed this - presumably by removing the LD_* > variables when the test above fail, although I haven't checked this. Exactly. However, current versions of sudo remove LD_* (and equivalents on different OS's). The lastest sudo may always be found on ftp.cs.colorado.edu as /pub/sysadmin/utilities/cu-sudo*.Z. The current version is 1.3.1pl4, pl5 will be out as soon as I have time to clean up a few things. - todd