2 * Copyright (c) 2000-2004 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
38 # ifdef HAVE_STRINGS_H
41 #endif /* HAVE_STRING_H */
44 #endif /* HAVE_UNISTD_H */
48 # include "emul/err.h"
49 #endif /* HAVE_ERR_H */
55 static const char rcsid[] = "$Sudo: env.c,v 1.42 2004/09/08 15:57:49 millert Exp $";
59 * Flags used in rebuild_env()
68 #define DID_SHELL 0x08
70 #define DID_LOGNAME 0x10
75 #define VNULL (VOID *)NULL
80 char **rebuild_env __P((char **, int, int));
81 char **zero_env __P((char **));
82 static void insert_env __P((char *, int));
83 static char *format_env __P((char *, ...));
86 * Default table of "bad" variables to remove from the environment.
87 * XXX - how to omit TERMCAP if it starts with '/'?
89 static const char *initial_badenv_table[] = {
114 #endif /* HAVE_KERB4 */
117 #endif /* HAVE_KERB5 */
122 #endif /* HAVE_SECURID */
126 "TERMCAP", /* XXX - only if it starts with '/' */
133 * Default table of variables to check for '%' and '/' characters.
135 static const char *initial_checkenv_table[] = {
143 static char **new_environ; /* Modified copy of the environment */
144 static size_t env_size; /* size of new_environ in char **'s */
145 static size_t env_len; /* number of slots used, not counting NULL */
148 * Zero out environment and replace with a minimal set of KRB5CCNAME
149 * USER, LOGNAME, HOME, TZ, PATH (XXX - should just set path to default)
150 * May set user_path, user_shell, and/or user_prompt as side effects.
156 static char *newenv[9];
157 char **ep, **nep = newenv;
158 char **ne_last = &newenv[(sizeof(newenv) / sizeof(newenv[0])) - 1];
159 extern char *prev_user;
161 for (ep = envp; *ep; ep++) {
164 if (strncmp("HOME=", *ep, 5) == 0)
168 if (strncmp("KRB5CCNAME=", *ep, 11) == 0)
172 if (strncmp("LOGNAME=", *ep, 8) == 0)
176 if (strncmp("PATH=", *ep, 5) == 0) {
178 /* XXX - set to sane default instead of user's? */
183 if (strncmp("SHELL=", *ep, 6) == 0)
184 user_shell = *ep + 6;
185 else if (!user_prompt && strncmp("SUDO_PROMPT=", *ep, 12) == 0)
186 user_prompt = *ep + 12;
187 else if (strncmp("SUDO_USER=", *ep, 10) == 0)
188 prev_user = *ep + 10;
191 if (strncmp("TZ=", *ep, 3) == 0)
195 if (strncmp("USER=", *ep, 5) == 0)
202 /* Deal with multiply defined variables (take first instance) */
203 for (nep = newenv; *nep; nep++) {
211 errx(1, "internal error, attempt to write outside newenv");
217 * Prevent OpenLDAP from reading any user dotfiles
218 * or files in the current directory.
222 *nep++ = "LDAPNOINIT=1";
224 errx(1, "internal error, attempt to write outside newenv");
231 * Given a variable and value, allocate and format an environment string.
235 format_env(char *var, ...)
237 format_env(var, va_alist)
252 esize = strlen(var) + 2;
253 while ((val = va_arg(ap, char *)) != NULL)
254 esize += strlen(val);
256 estring = (char *) emalloc(esize);
258 /* Store variable name and the '=' separator. */
259 if (strlcpy(estring, var, esize) >= esize ||
260 strlcat(estring, "=", esize) >= esize) {
262 errx(1, "internal error, format_env() overflow");
265 /* Now store the variable's value (if any) */
271 while ((val = va_arg(ap, char *)) != NULL) {
272 if (strlcat(estring, val, esize) >= esize)
273 errx(1, "internal error, format_env() overflow");
281 * Insert str into new_environ, assumes str has an '=' in it.
282 * NOTE: no other routines may modify new_environ, env_size, or env_len.
285 insert_env(str, dupcheck)
292 /* Make sure there is room for the new entry plus a NULL. */
293 if (env_len + 2 > env_size) {
295 new_environ = erealloc3(new_environ, env_size, sizeof(char *));
299 varlen = (strchr(str, '=') - str) + 1;
301 for (nep = new_environ; *nep; nep++) {
302 if (strncmp(str, *nep, varlen) == 0) {
308 nep = &new_environ[env_len];
316 * Build a new environment and ether clear potentially dangerous
317 * variables from the old one or start with a clean slate.
318 * Also adds sudo-specific variables (SUDO_*).
321 rebuild_env(envp, sudo_mode, noexec)
326 char **ep, *cp, *ps1;
327 int okvar, iswild, didvar;
329 struct list_member *cur;
332 * Either clean out the environment or reset to a safe default.
339 /* Pull in vars we want to keep from the old environment. */
340 for (ep = envp; *ep; ep++) {
343 /* Skip variables with values beginning with () (bash functions) */
344 if ((cp = strchr(*ep, '=')) != NULL) {
345 if (strncmp(cp, "=() ", 3) == 0)
349 for (cur = def_env_keep; cur; cur = cur->next) {
350 len = strlen(cur->value);
351 /* Deal with '*' wildcard */
352 if (cur->value[len - 1] == '*') {
357 if (strncmp(cur->value, *ep, len) == 0 &&
358 (iswild || (*ep)[len] == '=')) {
359 /* We always preserve TERM, no special treatment needed. */
360 if (strncmp(*ep, "TERM=", 5) != 0)
366 /* For SUDO_PS1 -> PS1 conversion. */
367 if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
371 /* Preserve variable. */
374 if (strncmp(*ep, "HOME=", 5) == 0)
375 SET(didvar, DID_HOME);
378 if (strncmp(*ep, "SHELL=", 6) == 0)
379 SET(didvar, DID_SHELL);
382 if (strncmp(*ep, "LOGNAME=", 8) == 0)
383 SET(didvar, DID_LOGNAME);
386 if (strncmp(*ep, "USER=", 5) == 0)
387 SET(didvar, DID_USER);
392 /* Preserve TERM and PATH, ignore anything else. */
393 if (!ISSET(didvar, DID_TERM) && strncmp(*ep, "TERM=", 5) == 0) {
395 SET(didvar, DID_TERM);
396 } else if (!ISSET(didvar, DID_PATH) && strncmp(*ep, "PATH=", 5) == 0) {
398 SET(didvar, DID_PATH);
404 * Add in defaults. In -i mode these come from the runas user,
405 * otherwise they may be from the user's environment (depends
406 * on sudoers options).
408 if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
409 insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 0);
410 insert_env(format_env("SHELL", runas_pw->pw_shell, VNULL), 0);
411 insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 0);
412 insert_env(format_env("USER", runas_pw->pw_name, VNULL), 0);
414 if (!ISSET(didvar, DID_HOME))
415 insert_env(format_env("HOME", user_dir, VNULL), 0);
416 if (!ISSET(didvar, DID_SHELL))
417 insert_env(format_env("SHELL", sudo_user.pw->pw_shell, VNULL), 0);
418 if (!ISSET(didvar, DID_LOGNAME))
419 insert_env(format_env("LOGNAME", user_name, VNULL), 0);
420 if (!ISSET(didvar, DID_USER))
421 insert_env(format_env("USER", user_name, VNULL), 0);
425 * Copy envp entries as long as they don't match env_delete or
428 for (ep = envp; *ep; ep++) {
431 /* Skip variables with values beginning with () (bash functions) */
432 if ((cp = strchr(*ep, '=')) != NULL) {
433 if (strncmp(cp, "=() ", 3) == 0)
437 /* Skip anything listed in env_delete. */
439 for (cur = def_env_delete; cur && okvar; cur = cur->next) {
440 len = strlen(cur->value);
441 /* Deal with '*' wildcard */
442 if (cur->value[len - 1] == '*') {
447 if (strncmp(cur->value, *ep, len) == 0 &&
448 (iswild || (*ep)[len] == '=')) {
454 /* Check certain variables for '%' and '/' characters. */
455 for (cur = def_env_check; cur; cur = cur->next) {
456 len = strlen(cur->value);
457 /* Deal with '*' wildcard */
458 if (cur->value[len - 1] == '*') {
463 if (strncmp(cur->value, *ep, len) == 0 &&
464 (iswild || (*ep)[len] == '=') &&
465 strpbrk(*ep, "/%") == NULL) {
471 if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
473 else if (strncmp(*ep, "PATH=", 5) == 0)
474 SET(didvar, DID_PATH);
475 else if (strncmp(*ep, "TERM=", 5) == 0)
476 SET(didvar, DID_TERM);
481 /* Provide default values for $TERM and $PATH if they are not set. */
482 if (!ISSET(didvar, DID_TERM))
483 insert_env("TERM=unknown", 0);
484 if (!ISSET(didvar, DID_PATH))
485 insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), 0);
488 /* Replace the PATH envariable with a secure one. */
489 insert_env(format_env("PATH", SECURE_PATH, VNULL), 1);
492 /* Set $USER and $LOGNAME to target if "set_logname" is true. */
493 if (def_set_logname && runas_pw->pw_name) {
494 insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 1);
495 insert_env(format_env("USER", runas_pw->pw_name, VNULL), 1);
498 /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */
499 if (ISSET(sudo_mode, MODE_RESET_HOME) && runas_pw->pw_dir)
500 insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 1);
503 * Preload a noexec file? For a list of LD_PRELOAD-alikes, see
504 * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html
505 * XXX - should prepend to original value, if any
507 if (noexec && def_noexec_file != NULL) {
508 #if defined(__darwin__) || defined(__APPLE__)
509 insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1);
510 insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1);
512 # if defined(__osf__) || defined(__sgi)
513 insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT", VNULL), 1);
515 insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1);
520 /* Set PS1 if SUDO_PS1 is set. */
524 /* Add the SUDO_COMMAND envariable (cmnd + args). */
526 insert_env(format_env("SUDO_COMMAND", user_cmnd, " ", user_args, VNULL), 1);
528 insert_env(format_env("SUDO_COMMAND", user_cmnd, VNULL), 1);
530 /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */
531 insert_env(format_env("SUDO_USER", user_name, VNULL), 1);
532 easprintf(&cp, "SUDO_UID=%lu", (unsigned long) user_uid);
534 easprintf(&cp, "SUDO_GID=%lu", (unsigned long) user_gid);
543 struct list_member *cur;
546 /* Fill in "env_delete" variable. */
547 for (p = initial_badenv_table; *p; p++) {
548 cur = emalloc(sizeof(struct list_member));
549 cur->value = estrdup(*p);
550 cur->next = def_env_delete;
551 def_env_delete = cur;
554 /* Fill in "env_check" variable. */
555 for (p = initial_checkenv_table; *p; p++) {
556 cur = emalloc(sizeof(struct list_member));
557 cur->value = estrdup(*p);
558 cur->next = def_env_check;