2 * Copyright (c) 2000-2004 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
38 # ifdef HAVE_STRINGS_H
41 #endif /* HAVE_STRING_H */
44 #endif /* HAVE_UNISTD_H */
48 # include "emul/err.h"
49 #endif /* HAVE_ERR_H */
55 static const char rcsid[] = "$Sudo: env.c,v 1.42 2004/09/08 15:57:49 millert Exp $";
59 * Flags used in rebuild_env()
68 #define DID_SHELL 0x08
70 #define DID_LOGNAME 0x10
75 #define VNULL (VOID *)NULL
80 char **rebuild_env __P((char **, int, int));
81 char **zero_env __P((char **));
82 static void insert_env __P((char *, int));
83 static char *format_env __P((char *, ...));
86 * Default table of "bad" variables to remove from the environment.
87 * XXX - how to omit TERMCAP if it starts with '/'?
89 static const char *initial_badenv_table[] = {
112 #endif /* HAVE_KERB4 */
115 #endif /* HAVE_KERB5 */
120 #endif /* HAVE_SECURID */
124 "TERMCAP", /* XXX - only if it starts with '/' */
137 * Default table of variables to check for '%' and '/' characters.
139 static const char *initial_checkenv_table[] = {
146 static char **new_environ; /* Modified copy of the environment */
147 static size_t env_size; /* size of new_environ in char **'s */
148 static size_t env_len; /* number of slots used, not counting NULL */
151 * Zero out environment and replace with a minimal set of KRB5CCNAME
152 * USER, LOGNAME, HOME, TZ, PATH (XXX - should just set path to default)
153 * May set user_path, user_shell, and/or user_prompt as side effects.
159 static char *newenv[9];
160 char **ep, **nep = newenv;
161 char **ne_last = &newenv[(sizeof(newenv) / sizeof(newenv[0])) - 1];
162 extern char *prev_user;
164 for (ep = envp; *ep; ep++) {
167 if (strncmp("HOME=", *ep, 5) == 0)
171 if (strncmp("KRB5CCNAME=", *ep, 11) == 0)
175 if (strncmp("LOGNAME=", *ep, 8) == 0)
179 if (strncmp("PATH=", *ep, 5) == 0) {
181 /* XXX - set to sane default instead of user's? */
186 if (strncmp("SHELL=", *ep, 6) == 0)
187 user_shell = *ep + 6;
188 else if (!user_prompt && strncmp("SUDO_PROMPT=", *ep, 12) == 0)
189 user_prompt = *ep + 12;
190 else if (strncmp("SUDO_USER=", *ep, 10) == 0)
191 prev_user = *ep + 10;
194 if (strncmp("TZ=", *ep, 3) == 0)
198 if (strncmp("USER=", *ep, 5) == 0)
205 /* Deal with multiply defined variables (take first instance) */
206 for (nep = newenv; *nep; nep++) {
214 errx(1, "internal error, attempt to write outside newenv");
220 * Prevent OpenLDAP from reading any user dotfiles
221 * or files in the current directory.
225 *nep++ = "LDAPNOINIT=1";
227 errx(1, "internal error, attempt to write outside newenv");
234 * Given a variable and value, allocate and format an environment string.
238 format_env(char *var, ...)
240 format_env(var, va_alist)
255 esize = strlen(var) + 2;
256 while ((val = va_arg(ap, char *)) != NULL)
257 esize += strlen(val);
259 estring = (char *) emalloc(esize);
261 /* Store variable name and the '=' separator. */
262 if (strlcpy(estring, var, esize) >= esize ||
263 strlcat(estring, "=", esize) >= esize) {
265 errx(1, "internal error, format_env() overflow");
268 /* Now store the variable's value (if any) */
274 while ((val = va_arg(ap, char *)) != NULL) {
275 if (strlcat(estring, val, esize) >= esize)
276 errx(1, "internal error, format_env() overflow");
284 * Insert str into new_environ, assumes str has an '=' in it.
285 * NOTE: no other routines may modify new_environ, env_size, or env_len.
288 insert_env(str, dupcheck)
295 /* Make sure there is room for the new entry plus a NULL. */
296 if (env_len + 2 > env_size) {
298 new_environ = erealloc3(new_environ, env_size, sizeof(char *));
302 varlen = (strchr(str, '=') - str) + 1;
304 for (nep = new_environ; *nep; nep++) {
305 if (strncmp(str, *nep, varlen) == 0) {
311 nep = &new_environ[env_len];
319 * Build a new environment and ether clear potentially dangerous
320 * variables from the old one or start with a clean slate.
321 * Also adds sudo-specific variables (SUDO_*).
324 rebuild_env(envp, sudo_mode, noexec)
329 char **ep, *cp, *ps1;
330 int okvar, iswild, didvar;
332 struct list_member *cur;
335 * Either clean out the environment or reset to a safe default.
342 /* Pull in vars we want to keep from the old environment. */
343 for (ep = envp; *ep; ep++) {
346 /* Skip variables with values beginning with () (bash functions) */
347 if ((cp = strchr(*ep, '=')) != NULL) {
348 if (strncmp(cp, "=() ", 3) == 0)
352 for (cur = def_env_keep; cur; cur = cur->next) {
353 len = strlen(cur->value);
354 /* Deal with '*' wildcard */
355 if (cur->value[len - 1] == '*') {
360 if (strncmp(cur->value, *ep, len) == 0 &&
361 (iswild || (*ep)[len] == '=')) {
362 /* We always preserve TERM, no special treatment needed. */
363 if (strncmp(*ep, "TERM=", 5) != 0)
369 /* For SUDO_PS1 -> PS1 conversion. */
370 if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
374 /* Preserve variable. */
377 if (strncmp(*ep, "HOME=", 5) == 0)
378 SET(didvar, DID_HOME);
381 if (strncmp(*ep, "SHELL=", 6) == 0)
382 SET(didvar, DID_SHELL);
385 if (strncmp(*ep, "LOGNAME=", 8) == 0)
386 SET(didvar, DID_LOGNAME);
389 if (strncmp(*ep, "USER=", 5) == 0)
390 SET(didvar, DID_USER);
395 /* Preserve TERM and PATH, ignore anything else. */
396 if (!ISSET(didvar, DID_TERM) && strncmp(*ep, "TERM=", 5) == 0) {
398 SET(didvar, DID_TERM);
399 } else if (!ISSET(didvar, DID_PATH) && strncmp(*ep, "PATH=", 5) == 0) {
401 SET(didvar, DID_PATH);
407 * Add in defaults. In -i mode these come from the runas user,
408 * otherwise they may be from the user's environment (depends
409 * on sudoers options).
411 if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
412 insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 0);
413 insert_env(format_env("SHELL", runas_pw->pw_shell, VNULL), 0);
414 insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 0);
415 insert_env(format_env("USER", runas_pw->pw_name, VNULL), 0);
417 if (!ISSET(didvar, DID_HOME))
418 insert_env(format_env("HOME", user_dir, VNULL), 0);
419 if (!ISSET(didvar, DID_SHELL))
420 insert_env(format_env("SHELL", sudo_user.pw->pw_shell, VNULL), 0);
421 if (!ISSET(didvar, DID_LOGNAME))
422 insert_env(format_env("LOGNAME", user_name, VNULL), 0);
423 if (!ISSET(didvar, DID_USER))
424 insert_env(format_env("USER", user_name, VNULL), 0);
428 * Copy envp entries as long as they don't match env_delete or
431 for (ep = envp; *ep; ep++) {
434 /* Skip variables with values beginning with () (bash functions) */
435 if ((cp = strchr(*ep, '=')) != NULL) {
436 if (strncmp(cp, "=() ", 3) == 0)
440 /* Skip anything listed in env_delete. */
441 for (cur = def_env_delete; cur && okvar; cur = cur->next) {
442 len = strlen(cur->value);
443 /* Deal with '*' wildcard */
444 if (cur->value[len - 1] == '*') {
449 if (strncmp(cur->value, *ep, len) == 0 &&
450 (iswild || (*ep)[len] == '=')) {
455 /* Check certain variables for '%' and '/' characters. */
456 for (cur = def_env_check; cur && okvar; cur = cur->next) {
457 len = strlen(cur->value);
458 /* Deal with '*' wildcard */
459 if (cur->value[len - 1] == '*') {
464 if (strncmp(cur->value, *ep, len) == 0 &&
465 (iswild || (*ep)[len] == '=') &&
466 strpbrk(*ep, "/%")) {
472 if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
474 else if (strncmp(*ep, "PATH=", 5) == 0)
475 SET(didvar, DID_PATH);
476 else if (strncmp(*ep, "TERM=", 5) == 0)
477 SET(didvar, DID_TERM);
482 /* Provide default values for $TERM and $PATH if they are not set. */
483 if (!ISSET(didvar, DID_TERM))
484 insert_env("TERM=unknown", 0);
485 if (!ISSET(didvar, DID_PATH))
486 insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), 0);
489 /* Replace the PATH envariable with a secure one. */
490 insert_env(format_env("PATH", SECURE_PATH, VNULL), 1);
493 /* Set $USER and $LOGNAME to target if "set_logname" is true. */
494 if (def_set_logname && runas_pw->pw_name) {
495 insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 1);
496 insert_env(format_env("USER", runas_pw->pw_name, VNULL), 1);
499 /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */
500 if (ISSET(sudo_mode, MODE_RESET_HOME) && runas_pw->pw_dir)
501 insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 1);
504 * Preload a noexec file? For a list of LD_PRELOAD-alikes, see
505 * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
506 * XXX - should prepend to original value, if any
508 if (noexec && def_noexec_file != NULL) {
509 #if defined(__darwin__) || defined(__APPLE__)
510 insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1);
511 insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1);
513 # if defined(__osf__) || defined(__sgi)
514 insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT", VNULL), 1);
516 insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1);
521 /* Set PS1 if SUDO_PS1 is set. */
525 /* Add the SUDO_COMMAND envariable (cmnd + args). */
527 insert_env(format_env("SUDO_COMMAND", user_cmnd, " ", user_args, VNULL), 1);
529 insert_env(format_env("SUDO_COMMAND", user_cmnd, VNULL), 1);
531 /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */
532 insert_env(format_env("SUDO_USER", user_name, VNULL), 1);
533 easprintf(&cp, "SUDO_UID=%lu", (unsigned long) user_uid);
535 easprintf(&cp, "SUDO_GID=%lu", (unsigned long) user_gid);
544 struct list_member *cur;
547 /* Fill in "env_delete" variable. */
548 for (p = initial_badenv_table; *p; p++) {
549 cur = emalloc(sizeof(struct list_member));
550 cur->value = estrdup(*p);
551 cur->next = def_env_delete;
552 def_env_delete = cur;
555 /* Fill in "env_check" variable. */
556 for (p = initial_checkenv_table; *p; p++) {
557 cur = emalloc(sizeof(struct list_member));
558 cur->value = estrdup(*p);
559 cur->next = def_env_check;