Sudo's “secure path” feature works by replacing the PATH environment variable with a value specified in the sudoers file, or at compile time if the --with-secure-path configure option is used. The flaw is that sudo replaces only the first instance of PATH in the environment. If the program being run through sudo uses the last instance of PATH in the environment, an attacker may be able to avoid the “secure path” restrictions.
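The following added example (not sudo's own code) contrasts the flawed sanitizer behaviour described above with a corrected one. Both operate on a constructed environment that carries two PATH entries; `SECURE_PATH`, `sample_env` and all function names are assumptions for illustration. The naive version overwrites only the first PATH entry, so a program that reads the last one still sees the untrusted value; the corrected version removes every PATH entry and appends exactly one, which is what a defender wants regardless of which copy the child program reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical secure path; in sudo this comes from sudoers or --with-secure-path. */
#define SECURE_PATH "PATH=/usr/local/bin:/usr/bin:/bin"

/* Constructed environment with a duplicated PATH, the situation the advisory describes. */
static char *sample_env[] = {
    "HOME=/home/user",
    "PATH=/usr/bin",
    "LANG=C",
    "PATH=/tmp/untrusted",
    NULL
};

static int is_path(const char *entry) { return strncmp(entry, "PATH=", 5) == 0; }

static size_t env_len(char *const *envp) {
    size_t n = 0;
    while (envp[n]) n++;
    return n;
}

static char *xstrdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p) memcpy(p, s, len);
    return p;
}

void free_env(char **envp) {
    for (size_t i = 0; envp[i]; i++) free(envp[i]);
    free(envp);
}

/* Flawed sanitizer: only the first PATH= entry is overwritten; a later duplicate survives. */
char **replace_first_path(char *const *envp, const char *secure) {
    size_t n = env_len(envp), j = 0;
    char **out = calloc(n + 2, sizeof *out);
    int done = 0;
    for (size_t i = 0; i < n; i++) {
        if (!done && is_path(envp[i])) { out[j++] = xstrdup(secure); done = 1; }
        else out[j++] = xstrdup(envp[i]);
    }
    if (!done) out[j++] = xstrdup(secure);
    out[j] = NULL;
    return out;
}

/* Corrected sanitizer: drop every PATH= entry, then append exactly one secure entry. */
char **replace_all_path(char *const *envp, const char *secure) {
    size_t n = env_len(envp), j = 0;
    char **out = calloc(n + 2, sizeof *out);
    for (size_t i = 0; i < n; i++)
        if (!is_path(envp[i])) out[j++] = xstrdup(envp[i]);
    out[j++] = xstrdup(secure);
    out[j] = NULL;
    return out;
}

/* Number of PATH= entries; a properly sanitized environment reports exactly 1. */
int count_path(char *const *envp) {
    int n = 0;
    for (size_t i = 0; envp[i]; i++) if (is_path(envp[i])) n++;
    return n;
}

/* What a program that scans for the *last* PATH= entry would see (NULL if none). */
const char *last_path(char *const *envp) {
    const char *found = NULL;
    for (size_t i = 0; envp[i]; i++) if (is_path(envp[i])) found = envp[i] + 5;
    return found;
}

/* Helpers over the constructed environment: hardened=0 uses the flawed sanitizer. */
int path_count_after(int hardened) {
    char **res = hardened ? replace_all_path(sample_env, SECURE_PATH)
                          : replace_first_path(sample_env, SECURE_PATH);
    int n = count_path(res);
    free_env(res);
    return n;
}

int last_path_is_secure(int hardened) {
    char **res = hardened ? replace_all_path(sample_env, SECURE_PATH)
                          : replace_first_path(sample_env, SECURE_PATH);
    const char *last = last_path(res);
    int ok = last != NULL && strcmp(last, SECURE_PATH + 5) == 0;
    free_env(res);
    return ok;
}

int main(void) {
    printf("flawed:    %d PATH entries, last PATH secure = %d\n",
           path_count_after(0), last_path_is_secure(0));
    printf("corrected: %d PATH entries, last PATH secure = %d\n",
           path_count_after(1), last_path_is_secure(1));
    return 0;
}
```

The same `count_path` logic doubles as a cheap sanity check for any privilege-boundary tool: if the environment handed to a child still contains more than one PATH entry, the sanitizer has not done its job, whichever entry the child happens to honour.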