X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=env.c;h=2be75d8ee60dc65e1d174e887de6043c63bd8552;hb=0b416d12e899a02a7cdec722c946400abbe9ad67;hp=668f42f04ae7b8b55057a69bc4ad8f3f0d45a45f;hpb=fdf5968800e73d9859c3dc5429956ea685b3ebd1;p=debian%2Fsudo diff --git a/env.c b/env.c index 668f42f..2be75d8 100644 --- a/env.c +++ b/env.c @@ -1,38 +1,25 @@ /* - * Copyright (c) 2000, 2001 Todd C. Miller - * All rights reserved. + * Copyright (c) 2000-2005, 2007-2010 + * Todd C. Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * 4. Products derived from this software may not be called "Sudo" nor - * may "Sudo" appear in their names without specific prior written - * permission from the author. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL - * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; - * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ -#include "config.h" +#include #include #include @@ -48,56 +35,87 @@ #endif /* STDC_HEADERS */ #ifdef HAVE_STRING_H # include -#else -# ifdef HAVE_STRINGS_H -# include -# endif #endif /* HAVE_STRING_H */ +#ifdef HAVE_STRINGS_H +# include +#endif /* HAVE_STRINGS_H */ #ifdef HAVE_UNISTD_H # include #endif /* HAVE_UNISTD_H */ -#include +#include #include +#include #include "sudo.h" -#ifndef lint -static const char rcsid[] = "$Sudo: env.c,v 1.16 2002/04/18 15:38:52 millert Exp $"; -#endif /* lint */ - /* - * Flags used in env_reset() + * Flags used in rebuild_env() */ #undef DID_TERM -#define DID_TERM 0x01 +#define DID_TERM 0x0001 #undef DID_PATH -#define DID_PATH 0x02 +#define DID_PATH 0x0002 #undef DID_HOME -#define DID_HOME 0x04 +#define DID_HOME 0x0004 #undef DID_SHELL -#define DID_SHELL 0x08 +#define DID_SHELL 0x0008 #undef DID_LOGNAME -#define DID_LOGNAME 0x10 -#undef DID_USER -#define DID_USER 0x12 +#define DID_LOGNAME 0x0010 +#undef DID_USER +#define DID_USER 0x0020 +#undef DID_USERNAME +#define DID_USERNAME 0x0040 +#undef DID_MAIL +#define DID_MAIL 0x0080 +#undef DID_MAX +#define DID_MAX 0x00ff + +#undef KEPT_TERM +#define KEPT_TERM 0x0100 +#undef KEPT_PATH +#define KEPT_PATH 0x0200 +#undef KEPT_HOME +#define KEPT_HOME 0x0400 +#undef KEPT_SHELL +#define KEPT_SHELL 0x0800 +#undef KEPT_LOGNAME +#define KEPT_LOGNAME 0x1000 +#undef KEPT_USER +#define KEPT_USER 0x2000 +#undef KEPT_USERNAME +#define KEPT_USERNAME 0x4000 +#undef KEPT_MAIL +#define KEPT_MAIL 0x8000 +#undef KEPT_MAX +#define KEPT_MAX 0xff00 + +struct environment { + char **envp; /* pointer to the new environment */ + size_t env_size; /* size of new_environ in char **'s */ + size_t env_len; /* number of slots used, not counting NULL */ + int owned; /* do we own envp or is it the system's? */ +}; /* * Prototypes */ -char **rebuild_env __P((int, char **)); -char **zero_env __P((char **)); -static void insert_env __P((char **, char *)); -static char *format_env __P((char *, char *)); +static void sudo_setenv __P((const char *, const char *, int)); +static void sudo_putenv __P((char *, int, int)); + +extern char **environ; /* global environment */ + +/* + * Copy of the sudo-managed environment. + */ +static struct environment env; /* * Default table of "bad" variables to remove from the environment. * XXX - how to omit TERMCAP if it starts with '/'? */ -char *initial_badenv_table[] = { +static const char *initial_badenv_table[] = { "IFS", "CDPATH", - "SHELLOPTS", - "PS4", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @@ -109,204 +127,516 @@ char *initial_badenv_table[] = { "SHLIB_PATH", #endif /* __hpux */ #ifdef _AIX + "LDR_*", "LIBPATH", -#endif /* _AIX */ + "AUTHSTATE", +#endif +#ifdef __APPLE__ + "DYLD_*", +#endif #ifdef HAVE_KERB4 "KRB_CONF*", - "KRBCONFDIR" + "KRBCONFDIR", "KRBTKFILE", #endif /* HAVE_KERB4 */ #ifdef HAVE_KERB5 "KRB5_CONFIG*", + "KRB5_KTNAME", #endif /* HAVE_KERB5 */ #ifdef HAVE_SECURID "VAR_ACE", "USR_ACE", "DLC_ACE", #endif /* HAVE_SECURID */ - "TERMINFO", - "TERMINFO_DIRS", - "TERMPATH", + "TERMINFO", /* terminfo, exclusive path to terminfo files */ + "TERMINFO_DIRS", /* terminfo, path(s) to terminfo files */ + "TERMPATH", /* termcap, path(s) to termcap files */ "TERMCAP", /* XXX - only if it starts with '/' */ - "ENV", - "BASH_ENV", + "ENV", /* ksh, file to source before script runs */ + "BASH_ENV", /* bash, file to source before script runs */ + "PS4", /* bash, prefix for lines in xtrace mode */ + "GLOBIGNORE", /* bash, globbing patterns to ignore */ + "SHELLOPTS", /* bash, extra command line options */ + "JAVA_TOOL_OPTIONS", /* java, extra command line options */ + "PERLIO_DEBUG ", /* perl, debugging output file */ + "PERLLIB", /* perl, search path for modules/includes */ + "PERL5LIB", /* perl 5, search path for modules/includes */ + "PERL5OPT", /* perl 5, extra command line options */ + "PERL5DB", /* perl 5, command used to load debugger */ + "FPATH", /* ksh, search path for functions */ + "NULLCMD", /* zsh, command for null file redirection */ + "READNULLCMD", /* zsh, command for null file redirection */ + "ZDOTDIR", /* zsh, search path for dot files */ + "TMPPREFIX", /* zsh, prefix for temporary files */ + "PYTHONHOME", /* python, module search path */ + "PYTHONPATH", /* python, search path */ + "PYTHONINSPECT", /* python, allow inspection */ + "PYTHONUSERBASE", /* python, per user site-packages directory */ + "RUBYLIB", /* ruby, library load path */ + "RUBYOPT", /* ruby, extra command line options */ NULL }; /* * Default table of variables to check for '%' and '/' characters. */ -char *initial_checkenv_table[] = { - "LC_*", +static const char *initial_checkenv_table[] = { + "COLORTERM", "LANG", "LANGUAGE", + "LC_*", + "LINGUAS", "TERM", NULL }; /* - * Zero out environment and replace with a minimal set of - * USER, LOGNAME, HOME, TZ, PATH (XXX - should just set path to default) - * May set user_path, user_shell, and/or user_prompt as side effects. + * Default table of variables to preserve in the environment. + */ +static const char *initial_keepenv_table[] = { + "COLORS", + "DISPLAY", + "HOSTNAME", + "KRB5CCNAME", + "LS_COLORS", + "PATH", + "PS1", + "PS2", + "TZ", + "XAUTHORITY", + "XAUTHORIZATION", + NULL +}; + +/* + * Initialize env based on envp. */ +void +env_init(lazy) + int lazy; +{ + char * const *ep; + size_t len; + + for (ep = environ; *ep != NULL; ep++) + continue; + len = (size_t)(ep - environ); + + if (lazy) { + /* + * If we are already initialized due to lazy init (usualy via getenv()) + * we need to avoid calling malloc() as it may call getenv() itself. + */ + env.envp = environ; + env.env_len = len; + env.env_size = len; + } else if (!env.owned) { + env.env_len = len; + env.env_size = len + 1 + 128; + env.envp = emalloc2(env.env_size, sizeof(char *)); +#ifdef ENV_DEBUG + memset(env.envp, 0, env.env_size * sizeof(char *)); +#endif + memcpy(env.envp, environ, len * sizeof(char *)); + env.envp[len] = '\0'; + env.owned = TRUE; + } +} + char ** -zero_env(envp) - char **envp; +env_get() { - char **ep, **nep; - static char *newenv[7]; - - for (ep = envp; *ep; ep++) { - switch (**ep) { - case 'H': - if (strncmp("HOME=", *ep, 5) == 0) - break; - continue; - case 'L': - if (strncmp("LOGNAME=", *ep, 8) == 0) - break; - continue; - case 'P': - if (strncmp("PATH=", *ep, 5) == 0) { - user_path = *ep + 5; - /* XXX - set to sane default instead of user's? */ - break; - } - continue; - case 'S': - if (strncmp("SHELL=", *ep, 6) == 0) - user_shell = *ep + 6; - else if (!user_prompt && !strncmp("SUDO_PROMPT=", *ep, 12)) - user_prompt = *ep + 12; - continue; - case 'T': - if (strncmp("TZ=", *ep, 3) == 0) - break; - continue; - case 'U': - if (strncmp("USER=", *ep, 5) == 0) - break; - continue; - default: - continue; - } + return env.envp; +} + +/* + * Similar to setenv(3) but operates on sudo's private copy of the environment + * (not environ) and it always overwrites. The dupcheck param determines + * whether we need to verify that the variable is not already set. + */ +static void +sudo_setenv(var, val, dupcheck) + const char *var; + const char *val; + int dupcheck; +{ + char *estring; + size_t esize; + + esize = strlen(var) + 1 + strlen(val) + 1; + estring = emalloc(esize); + + /* Build environment string and insert it. */ + if (strlcpy(estring, var, esize) >= esize || + strlcat(estring, "=", esize) >= esize || + strlcat(estring, val, esize) >= esize) { + + errorx(1, "internal error, sudo_setenv() overflow"); + } + sudo_putenv(estring, dupcheck, TRUE); +} + +/* + * Version of getenv(3) that uses our own environ pointer. + */ +char * +getenv(var) + const char *var; +{ + char *cp, **ev; + size_t vlen = strlen(var); - /* Deal with multiply defined variables (take first instance) */ - for (nep = newenv; *nep; nep++) { - if (**nep == **ep) - break; + if (env.envp == NULL) + env_init(TRUE); + + for (ev = env.envp; (cp = *ev) != NULL; ev++) { + if (strncmp(var, cp, vlen) == 0 && cp[vlen] == '=') + return cp + vlen + 1; + } + return NULL; +} + +/* + * Version of setenv(3) that uses our own environ pointer. + */ +int +setenv(var, val, overwrite) + const char *var; + const char *val; + int overwrite; +{ + char *estring, *ep; + const char *cp; + size_t esize; + + if (!var || *var == '\0') { + errno = EINVAL; + return(-1); + } + + if (env.envp == NULL) + env_init(TRUE); + + /* + * POSIX says a var name with '=' is an error but BSD + * just ignores the '=' and anything after it. + */ + for (cp = var; *cp && *cp != '='; cp++) + ; + esize = (size_t)(cp - var) + 2; + if (val) { + esize += strlen(val); /* glibc treats a NULL val as "" */ + } + + /* Allocate and fill in estring. */ + estring = ep = emalloc(esize); + for (cp = var; *cp && *cp != '='; cp++) + *ep++ = *cp; + *ep++ = '='; + if (val) { + for (cp = val; *cp; cp++) + *ep++ = *cp; + } + *ep = '\0'; + +#ifdef ENV_DEBUG + if (env.envp[env.env_len] != NULL) + errorx(1, "setenv: corrupted envp, len mismatch"); +#endif + sudo_putenv(estring, TRUE, overwrite); + return(0); +} + +/* + * Version of unsetenv(3) that uses our own environ pointer. + */ +#ifdef UNSETENV_VOID +void +#else +int +#endif +unsetenv(var) + const char *var; +{ + char **ep; + size_t len; + + if (var == NULL || *var == '\0' || strchr(var, '=') != NULL) { + errno = EINVAL; +#ifdef UNSETENV_VOID + return; +#else + return(-1); +#endif + } + + if (env.envp == NULL) + env_init(TRUE); + +#ifdef ENV_DEBUG + if (env.envp[env.env_len] != NULL) + errorx(1, "unsetenv: corrupted envp, len mismatch"); +#endif + + len = strlen(var); + for (ep = env.envp; *ep != NULL;) { + if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') { + /* Found it; shift remainder + NULL over by one. */ + char **cur = ep; + while ((*cur = *(cur + 1)) != NULL) + cur++; + /* Keep going, could be multiple instances of the var. */ + } else { + ep++; } - if (*nep == NULL) - *nep++ = *ep; } - return(&newenv[0]); + env.env_len = ep - env.envp; +#ifndef UNSETENV_VOID + return(0); +#endif } /* - * Given a variable and value, allocate and format an environment string. + * Version of putenv(3) that uses our own environ pointer. */ -static char * -format_env(var, val) - char *var; - char *val; +int +#ifdef PUTENV_CONST +putenv(const char *string) +#else +putenv(string) + char *string; +#endif { - char *estring, *p; - size_t varlen, vallen; - - varlen = strlen(var); - vallen = strlen(val); - p = estring = (char *) emalloc(varlen + vallen + 2); - strcpy(p, var); - p += varlen; - *p++ = '='; - strcpy(p, val); - - return(estring); + if (env.envp == NULL) + env_init(TRUE); + + if (strchr(string, '=') == NULL) { + errno = EINVAL; + return(-1); + } +#ifdef ENV_DEBUG + if (env.envp[env.env_len] != NULL) + errorx(1, "putenv: corrupted envp, len mismatch"); +#endif + sudo_putenv((char *)string, TRUE, TRUE); + return(0); } /* - * Insert str into envp. - * Assumes str has an '=' in it and does not check for available space! + * Similar to putenv(3) but operates on sudo's private copy of the + * environment (not environ) and it always overwrites. The dupcheck param + * determines whether we need to verify that the variable is not already set. + * Will only overwrite an existing variable if overwrite is set. */ static void -insert_env(envp, str) - char **envp; +sudo_putenv(str, dupcheck, overwrite) char *str; + int dupcheck; + int overwrite; { char **ep; - size_t varlen; + size_t len; + int found = FALSE; + + /* Make sure there is room for the new entry plus a NULL. */ + if (env.env_len + 2 > env.env_size) { + env.env_size += 128; + if (env.owned) { + env.envp = erealloc3(env.envp, env.env_size, sizeof(char *)); + } else { + /* We don't own env.envp, allocate a new one. */ + ep = emalloc2(env.env_size, sizeof(char *)); + memcpy(ep, env.envp, env.env_size * sizeof(char *)); + env.envp = ep; + env.owned = TRUE; + } +#ifdef ENV_DEBUG + memset(env.envp + env.env_len, 0, + (env.env_size - env.env_len) * sizeof(char *)); +#endif + } - varlen = (strchr(str, '=') - str) + 1; +#ifdef ENV_DEBUG + if (env.envp[env.env_len] != NULL) + errorx(1, "sudo_putenv: corrupted envp, len mismatch"); +#endif - for (ep = envp; *ep; ep++) { - if (strncmp(str, *ep, varlen) == 0) { - *ep = str; - break; + if (dupcheck) { + len = (strchr(str, '=') - str) + 1; + for (ep = env.envp; !found && *ep != NULL; ep++) { + if (strncmp(str, *ep, len) == 0) { + if (overwrite) + *ep = str; + found = TRUE; + } + } + /* Prune out duplicate variables. */ + if (found && overwrite) { + while (*ep != NULL) { + if (strncmp(str, *ep, len) == 0) { + char **cur = ep; + while ((*cur = *(cur + 1)) != NULL) + cur++; + } else { + ep++; + } + } + env.env_len = ep - env.envp; } } - if (*ep == NULL) { + + if (!found) { + ep = env.envp + env.env_len; + env.env_len++; *ep++ = str; *ep = NULL; } } +/* + * Check the env_delete blacklist. + * Returns TRUE if the variable was found, else false. + */ +static int +matches_env_delete(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, match = FALSE; + + /* Skip anything listed in env_delete. */ + for (cur = def_env_delete; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + match = TRUE; + break; + } + } + return(match); +} + +/* + * Apply the env_check list. + * Returns TRUE if the variable is allowed, FALSE if denied + * or -1 if no match. + */ +static int +matches_env_check(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, keepit = -1; + + for (cur = def_env_check; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + keepit = !strpbrk(var, "/%"); + break; + } + } + return(keepit); +} + +/* + * Check the env_keep list. + * Returns TRUE if the variable is allowed else FALSE. + */ +static int +matches_env_keep(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, keepit = FALSE; + + for (cur = def_env_keep; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + keepit = TRUE; + break; + } + } + return(keepit); +} + /* * Build a new environment and ether clear potentially dangerous * variables from the old one or start with a clean slate. * Also adds sudo-specific variables (SUDO_*). */ -char ** -rebuild_env(sudo_mode, envp) - int sudo_mode; - char **envp; +void +rebuild_env(noexec) + int noexec; { - char **newenvp, **ep, **nep, *cp, *ps1; - int okvar, iswild, didvar; - size_t env_size, len; - struct list_member *cur; - - /* Count number of items in "env_keep" list (if any) */ - for (len = 0, cur = def_list(I_ENV_KEEP); cur; cur = cur->next) - len++; + char **old_envp, **ep, *cp, *ps1; + char idbuf[MAX_UID_T_LEN]; + unsigned int didvar; + int reset_home = FALSE; /* * Either clean out the environment or reset to a safe default. */ ps1 = NULL; didvar = 0; - if (def_flag(I_ENV_RESET)) { - int keepit; + env.env_len = 0; + env.env_size = 128; + old_envp = env.envp; + env.envp = emalloc2(env.env_size, sizeof(char *)); +#ifdef ENV_DEBUG + memset(env.envp, 0, env.env_size * sizeof(char *)); +#endif - /* Alloc space for new environment. */ - env_size = 32 + len; - nep = newenvp = (char **) emalloc(env_size * sizeof(char *)); + /* Reset HOME based on target user if configured to. */ + if (ISSET(sudo_mode, MODE_RUN)) { + if (def_always_set_home || + ISSET(sudo_mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) || + (ISSET(sudo_mode, MODE_SHELL) && def_set_home)) + reset_home = TRUE; + } + if (def_env_reset || ISSET(sudo_mode, MODE_LOGIN_SHELL)) { /* Pull in vars we want to keep from the old environment. */ - for (ep = envp; *ep; ep++) { - keepit = 0; + for (ep = old_envp; *ep; ep++) { + int keepit; /* Skip variables with values beginning with () (bash functions) */ - if ((cp = strchr(*ep, '=')) != NULL && - strncmp(cp, "=() ", 3) == 0) - continue; - - for (cur = def_list(I_ENV_KEEP); cur; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=')) { - /* We always preserve TERM, no special treatment needed. */ - if (strncmp(*ep, "TERM=", 5) != 0) - keepit = 1; - break; - } + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; } + /* + * First check certain variables for '%' and '/' characters. + * If no match there, check the keep list. + * If nothing matched, we remove it from the environment. + */ + keepit = matches_env_check(*ep); + if (keepit == -1) + keepit = matches_env_keep(*ep); + /* For SUDO_PS1 -> PS1 conversion. */ if (strncmp(*ep, "SUDO_PS1=", 8) == 0) ps1 = *ep + 5; @@ -316,189 +646,339 @@ rebuild_env(sudo_mode, envp) switch (**ep) { case 'H': if (strncmp(*ep, "HOME=", 5) == 0) - didvar |= DID_HOME; - break; - case 'S': - if (strncmp(*ep, "SHELL=", 6) == 0) - didvar |= DID_SHELL; - break; + SET(didvar, DID_HOME); + break; case 'L': if (strncmp(*ep, "LOGNAME=", 8) == 0) - didvar |= DID_LOGNAME; - break; + SET(didvar, DID_LOGNAME); + break; + case 'M': + if (strncmp(*ep, "MAIL=", 5) == 0) + SET(didvar, DID_MAIL); + break; + case 'P': + if (strncmp(*ep, "PATH=", 5) == 0) + SET(didvar, DID_PATH); + break; + case 'S': + if (strncmp(*ep, "SHELL=", 6) == 0) + SET(didvar, DID_SHELL); + break; + case 'T': + if (strncmp(*ep, "TERM=", 5) == 0) + SET(didvar, DID_TERM); + break; case 'U': if (strncmp(*ep, "USER=", 5) == 0) - didvar |= DID_USER; - break; - } - *nep++ = *ep; - } else { - /* Preserve TERM and PATH, ignore anything else. */ - if (!(didvar & DID_TERM) && !strncmp(*ep, "TERM=", 5)) { - *nep++ = *ep; - didvar |= DID_TERM; - } else if (!(didvar & DID_PATH) && !strncmp(*ep, "PATH=", 5)) { - *nep++ = *ep; - didvar |= DID_PATH; + SET(didvar, DID_USER); + if (strncmp(*ep, "USERNAME=", 5) == 0) + SET(didvar, DID_USERNAME); + break; } + sudo_putenv(*ep, FALSE, FALSE); } } + didvar |= didvar << 8; /* convert DID_* to KEPT_* */ /* - * Add in defaults unless they were preserved from the - * user's environment. + * Add in defaults. In -i mode these come from the runas user, + * otherwise they may be from the user's environment (depends + * on sudoers options). */ - if (!(didvar & DID_HOME)) - *nep++ = format_env("HOME", user_dir); - if (!(didvar & DID_SHELL)) - *nep++ = format_env("SHELL", sudo_user.pw->pw_shell); - if (!(didvar & DID_LOGNAME)) - *nep++ = format_env("LOGNAME", user_name); - if (!(didvar & DID_USER)) - *nep++ = format_env("USER", user_name); - } else { - /* Alloc space for new environment. */ - for (env_size = 16 + len, ep = envp; *ep; ep++, env_size++) - ; - nep = newenvp = (char **) emalloc(env_size * sizeof(char *)); + if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { + sudo_setenv("SHELL", runas_pw->pw_shell, ISSET(didvar, DID_SHELL)); + sudo_setenv("LOGNAME", runas_pw->pw_name, + ISSET(didvar, DID_LOGNAME)); + sudo_setenv("USER", runas_pw->pw_name, ISSET(didvar, DID_USER)); + sudo_setenv("USERNAME", runas_pw->pw_name, + ISSET(didvar, DID_USERNAME)); + } else { + if (!ISSET(didvar, DID_SHELL)) + sudo_setenv("SHELL", sudo_user.pw->pw_shell, FALSE); + if (!ISSET(didvar, DID_LOGNAME)) + sudo_setenv("LOGNAME", user_name, FALSE); + if (!ISSET(didvar, DID_USER)) + sudo_setenv("USER", user_name, FALSE); + if (!ISSET(didvar, DID_USERNAME)) + sudo_setenv("USERNAME", user_name, FALSE); + } + + /* If we didn't keep HOME, reset it based on target user. */ + if (!ISSET(didvar, KEPT_HOME)) + reset_home = TRUE; /* - * Copy envp entries as long as they don't match env_delete or + * Set MAIL to target user in -i mode or if MAIL is not preserved + * from user's environment. + */ + if (ISSET(sudo_mode, MODE_LOGIN_SHELL) || !ISSET(didvar, KEPT_MAIL)) { + cp = _PATH_MAILDIR; + if (cp[sizeof(_PATH_MAILDIR) - 2] == '/') + easprintf(&cp, "MAIL=%s%s", _PATH_MAILDIR, runas_pw->pw_name); + else + easprintf(&cp, "MAIL=%s/%s", _PATH_MAILDIR, runas_pw->pw_name); + sudo_putenv(cp, ISSET(didvar, DID_MAIL), TRUE); + } + } else { + /* + * Copy environ entries as long as they don't match env_delete or * env_check. */ - for (ep = envp; *ep; ep++) { - okvar = 0; + for (ep = old_envp; *ep; ep++) { + int okvar; /* Skip variables with values beginning with () (bash functions) */ - if ((cp = strchr(*ep, '=')) != NULL && - strncmp(cp, "=() ", 3) == 0) - continue; - - /* Skip anything listed in env_delete. */ -#if 0 - for (cur = def_list(I_ENV_DELETE); cur && okvar; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=')) { - okvar = 0; - } + if ((cp = strchr(*ep, '=')) != NULL) { + if (strncmp(cp, "=() ", 3) == 0) + continue; } -#endif - /* Check certain variables for '%' and '/' characters. */ - for (cur = def_list(I_ENV_CHECK); cur; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=') && - strpbrk(*ep, "/%") == NULL) { - okvar = 1; - } - } + /* + * First check variables against the blacklist in env_delete. + * If no match there check for '%' and '/' characters. + */ + okvar = matches_env_delete(*ep) != TRUE; + if (okvar) + okvar = matches_env_check(*ep) != FALSE; if (okvar) { if (strncmp(*ep, "SUDO_PS1=", 9) == 0) ps1 = *ep + 5; else if (strncmp(*ep, "PATH=", 5) == 0) - didvar |= DID_PATH; + SET(didvar, DID_PATH); else if (strncmp(*ep, "TERM=", 5) == 0) - didvar |= DID_TERM; - *nep++ = *ep; + SET(didvar, DID_TERM); + sudo_putenv(*ep, FALSE, FALSE); } } } + /* Replace the PATH envariable with a secure one? */ + if (def_secure_path && !user_is_exempt()) { + sudo_setenv("PATH", def_secure_path, TRUE); + SET(didvar, DID_PATH); + } + + /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ + if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL)) { + if (!ISSET(didvar, KEPT_LOGNAME)) + sudo_setenv("LOGNAME", runas_pw->pw_name, TRUE); + if (!ISSET(didvar, KEPT_USER)) + sudo_setenv("USER", runas_pw->pw_name, TRUE); + if (!ISSET(didvar, KEPT_USERNAME)) + sudo_setenv("USERNAME", runas_pw->pw_name, TRUE); + } + + /* Set $HOME to target user if not preserving user's value. */ + if (reset_home) + sudo_setenv("HOME", runas_pw->pw_dir, TRUE); + /* Provide default values for $TERM and $PATH if they are not set. */ - if (!(didvar & DID_TERM)) - *nep++ = "TERM=unknown"; - if (!(didvar & DID_PATH)) - *nep++ = format_env("PATH", _PATH_DEFPATH); - *nep = NULL; + if (!ISSET(didvar, DID_TERM)) + sudo_putenv("TERM=unknown", FALSE, FALSE); + if (!ISSET(didvar, DID_PATH)) + sudo_setenv("PATH", _PATH_STDPATH, FALSE); /* - * At this point we must use insert_env() to modify newenvp. - * Access via 'nep' is not allowed (since we must check for dupes). + * Preload a noexec file? For a list of LD_PRELOAD-alikes, see + * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html + * XXX - should prepend to original value, if any */ - -#ifdef SECURE_PATH - /* Replace the PATH envariable with a secure one. */ - insert_env(newenvp, format_env("PATH", SECURE_PATH)); -#endif - - /* Set $USER and $LOGNAME to target if "set_logname" is true. */ - if (def_flag(I_SET_LOGNAME) && runas_pw->pw_name) { - insert_env(newenvp, format_env("LOGNAME", runas_pw->pw_name)); - insert_env(newenvp, format_env("USER", runas_pw->pw_name)); + if (noexec && def_noexec_file != NULL) { +#if defined(__darwin__) || defined(__APPLE__) + sudo_setenv("DYLD_INSERT_LIBRARIES", def_noexec_file, TRUE); + sudo_setenv("DYLD_FORCE_FLAT_NAMESPACE", "", TRUE); +#else +# if defined(__osf__) || defined(__sgi) + easprintf(&cp, "%s:DEFAULT", def_noexec_file); + sudo_setenv("_RLD_LIST", cp, TRUE); + efree(cp); +# else +# ifdef _AIX + sudo_setenv("LDR_PRELOAD", def_noexec_file, TRUE); +# else + sudo_setenv("LD_PRELOAD", def_noexec_file, TRUE); +# endif /* _AIX */ +# endif /* __osf__ || __sgi */ +#endif /* __darwin__ || __APPLE__ */ } - /* Set $HOME for `sudo -H'. Only valid at PERM_RUNAS. */ - if ((sudo_mode & MODE_RESET_HOME) && runas_pw->pw_dir) - insert_env(newenvp, format_env("HOME", runas_pw->pw_dir)); - /* Set PS1 if SUDO_PS1 is set. */ - if (ps1) - insert_env(newenvp, ps1); + if (ps1 != NULL) + sudo_putenv(ps1, TRUE, TRUE); /* Add the SUDO_COMMAND envariable (cmnd + args). */ if (user_args) { - easprintf(&cp, "SUDO_COMMAND=%s %s", user_cmnd, user_args); - insert_env(newenvp, cp); - } else - insert_env(newenvp, format_env("SUDO_COMMAND", user_cmnd)); + easprintf(&cp, "%s %s", user_cmnd, user_args); + sudo_setenv("SUDO_COMMAND", cp, TRUE); + efree(cp); + } else { + sudo_setenv("SUDO_COMMAND", user_cmnd, TRUE); + } /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */ - insert_env(newenvp, format_env("SUDO_USER", user_name)); - easprintf(&cp, "SUDO_UID=%ld", (long) user_uid); - insert_env(newenvp, cp); - easprintf(&cp, "SUDO_GID=%ld", (long) user_gid); - insert_env(newenvp, cp); - - return(newenvp); + sudo_setenv("SUDO_USER", user_name, TRUE); + snprintf(idbuf, sizeof(idbuf), "%lu", (unsigned long) user_uid); + sudo_setenv("SUDO_UID", idbuf, TRUE); + snprintf(idbuf, sizeof(idbuf), "%lu", (unsigned long) user_gid); + sudo_setenv("SUDO_GID", idbuf, TRUE); + + /* Free old environment. */ + efree(old_envp); } void -dump_badenv() +insert_env_vars(env_vars) + struct list_member *env_vars; { struct list_member *cur; - puts("Default table of environment variables to clear"); - for (cur = def_list(I_ENV_DELETE); cur; cur = cur->next) - printf("\t%s\n", cur->value); + /* Add user-specified environment variables. */ + for (cur = env_vars; cur != NULL; cur = cur->next) + putenv(cur->value); +} + +/* + * Validate the list of environment variables passed in on the command + * line against env_delete, env_check, and env_keep. + * Calls log_error() if any specified variables are not allowed. + */ +void +validate_env_vars(env_vars) + struct list_member *env_vars; +{ + struct list_member *var; + char *eq, *bad = NULL; + size_t len, blen = 0, bsize = 0; + int okvar; + + /* Add user-specified environment variables. */ + for (var = env_vars; var != NULL; var = var->next) { + if (def_secure_path && !user_is_exempt() && + strncmp(var->value, "PATH=", 5) == 0) { + okvar = FALSE; + } else if (def_env_reset) { + okvar = matches_env_check(var->value); + if (okvar == -1) + okvar = matches_env_keep(var->value); + } else { + okvar = matches_env_delete(var->value) == FALSE; + if (okvar == FALSE) + okvar = matches_env_check(var->value) != FALSE; + } + if (okvar == FALSE) { + /* Not allowed, add to error string, allocating as needed. */ + if ((eq = strchr(var->value, '=')) != NULL) + *eq = '\0'; + len = strlen(var->value) + 2; + if (blen + len >= bsize) { + do { + bsize += 1024; + } while (blen + len >= bsize); + bad = erealloc(bad, bsize); + bad[blen] = '\0'; + } + strlcat(bad, var->value, bsize); + strlcat(bad, ", ", bsize); + blen += len; + if (eq != NULL) + *eq = '='; + } + } + if (bad != NULL) { + bad[blen - 2] = '\0'; /* remove trailing ", " */ + log_error(NO_MAIL, + "sorry, you are not allowed to set the following environment variables: %s", bad); + /* NOTREACHED */ + efree(bad); + } +} + +/* + * Read in /etc/environment ala AIX and Linux. + * Lines may be in either of three formats: + * NAME=VALUE + * NAME="VALUE" + * NAME='VALUE' + * with an optional "export" prefix so the shell can source the file. + * Invalid lines, blank lines, or lines consisting solely of a comment + * character are skipped. + */ +void +read_env_file(path, overwrite) + const char *path; + int overwrite; +{ + FILE *fp; + char *cp, *var, *val; + size_t var_len, val_len; + + if ((fp = fopen(path, "r")) == NULL) + return; + + while ((var = sudo_parseln(fp)) != NULL) { + /* Skip blank or comment lines */ + if (*var == '\0') + continue; + + /* Skip optional "export " */ + if (strncmp(var, "export", 6) == 0 && isspace((unsigned char) var[6])) { + var += 7; + while (isspace((unsigned char) *var)) { + var++; + } + } + + /* Must be of the form name=["']value['"] */ + for (val = var; *val != '\0' && *val != '='; val++) + ; + if (var == val || *val != '=') + continue; + var_len = (size_t)(val - var); + val_len = strlen(++val); + + /* Strip leading and trailing single/double quotes */ + if ((val[0] == '\'' || val[0] == '\"') && val[0] == val[val_len - 1]) { + val[val_len - 1] = '\0'; + val++; + val_len -= 2; + } + + cp = emalloc(var_len + 1 + val_len + 1); + memcpy(cp, var, var_len + 1); /* includes '=' */ + memcpy(cp + var_len + 1, val, val_len + 1); /* includes NUL */ - puts("Default table of environment variables to sanity check"); - for (cur = def_list(I_ENV_CHECK); cur; cur = cur->next) - printf("\t%s\n", cur->value); + sudo_putenv(cp, TRUE, overwrite); + } + fclose(fp); } void init_envtables() { struct list_member *cur; - char **p; + const char **p; - /* Fill in "env_delete" variable. */ + /* Fill in the "env_delete" list. */ for (p = initial_badenv_table; *p; p++) { cur = emalloc(sizeof(struct list_member)); cur->value = estrdup(*p); - cur->next = def_list(I_ENV_DELETE); - def_list(I_ENV_DELETE) = cur; + cur->next = def_env_delete; + def_env_delete = cur; } - /* Fill in "env_check" variable. */ + /* Fill in the "env_check" list. */ for (p = initial_checkenv_table; *p; p++) { cur = emalloc(sizeof(struct list_member)); cur->value = estrdup(*p); - cur->next = def_list(I_ENV_CHECK); - def_list(I_ENV_CHECK) = cur; + cur->next = def_env_check; + def_env_check = cur; + } + + /* Fill in the "env_keep" list. */ + for (p = initial_keepenv_table; *p; p++) { + cur = emalloc(sizeof(struct list_member)); + cur->value = estrdup(*p); + cur->next = def_env_keep; + def_env_keep = cur; } }