=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/sudo/Attic/env.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- src/usr.bin/sudo/Attic/env.c 2005/02/06 15:56:27 1.13 +++ src/usr.bin/sudo/Attic/env.c 2007/07/26 16:10:16 1.14 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2004 Todd C. Miller + * Copyright (c) 2000-2007 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,7 +18,7 @@ * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ -#include "config.h" +#include #include #include @@ -52,37 +52,68 @@ #include "sudo.h" #ifndef lint -static const char rcsid[] = "$Sudo: env.c,v 1.42 2004/09/08 15:57:49 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: env.c,v 1.39.2.15 2007/07/09 19:15:43 millert Exp $"; #endif /* lint */ /* * Flags used in rebuild_env() */ #undef DID_TERM -#define DID_TERM 0x01 +#define DID_TERM 0x0001 #undef DID_PATH -#define DID_PATH 0x02 +#define DID_PATH 0x0002 #undef DID_HOME -#define DID_HOME 0x04 +#define DID_HOME 0x0004 #undef DID_SHELL -#define DID_SHELL 0x08 +#define DID_SHELL 0x0008 #undef DID_LOGNAME -#define DID_LOGNAME 0x10 +#define DID_LOGNAME 0x0010 #undef DID_USER -#define DID_USER 0x20 +#define DID_USER 0x0020 +#undef DID_USERNAME +#define DID_USERNAME 0x0040 +#undef DID_MAX +#define DID_MAX 0x00ff +#undef KEPT_TERM +#define KEPT_TERM 0x0100 +#undef KEPT_PATH +#define KEPT_PATH 0x0200 +#undef KEPT_HOME +#define KEPT_HOME 0x0400 +#undef KEPT_SHELL +#define KEPT_SHELL 0x0800 +#undef KEPT_LOGNAME +#define KEPT_LOGNAME 0x1000 +#undef KEPT_USER +#define KEPT_USER 0x2000 +#undef KEPT_USERNAME +#define KEPT_USERNAME 0x4000 +#undef KEPT_MAX +#define KEPT_MAX 0xff00 + #undef VNULL #define VNULL (VOID *)NULL +struct environment { + char **envp; /* pointer to the new environment */ + size_t env_size; /* size of new_environ in char **'s */ + size_t env_len; /* number of slots used, not counting NULL */ +}; + /* * Prototypes */ char **rebuild_env __P((char **, int, int)); -char **zero_env __P((char **)); -static void insert_env __P((char *, int)); +static void insert_env __P((char *, struct environment *, int)); static char *format_env __P((char *, ...)); /* + * Copy of the sudo-managed environment. + */ +static struct environment env; + +/* * Default table of "bad" variables to remove from the environment. * XXX - how to omit TERMCAP if it starts with '/'? */ @@ -100,8 +131,9 @@ "SHLIB_PATH", #endif /* __hpux */ #ifdef _AIX + "LDR_*", "LIBPATH", -#endif /* _AIX */ +#endif #ifdef __APPLE__ "DYLD_*", #endif @@ -112,18 +144,38 @@ #endif /* HAVE_KERB4 */ #ifdef HAVE_KERB5 "KRB5_CONFIG*", + "KRB5_KTNAME", #endif /* HAVE_KERB5 */ #ifdef HAVE_SECURID "VAR_ACE", "USR_ACE", "DLC_ACE", #endif /* HAVE_SECURID */ - "TERMINFO", - "TERMINFO_DIRS", - "TERMPATH", + "TERMINFO", /* terminfo, exclusive path to terminfo files */ + "TERMINFO_DIRS", /* terminfo, path(s) to terminfo files */ + "TERMPATH", /* termcap, path(s) to termcap files */ "TERMCAP", /* XXX - only if it starts with '/' */ - "ENV", - "BASH_ENV", + "ENV", /* ksh, file to source before script runs */ + "BASH_ENV", /* bash, file to source before script runs */ + "PS4", /* bash, prefix for lines in xtrace mode */ + "GLOBIGNORE", /* bash, globbing patterns to ignore */ + "SHELLOPTS", /* bash, extra command line options */ + "JAVA_TOOL_OPTIONS", /* java, extra command line options */ + "PERLIO_DEBUG ", /* perl, debugging output file */ + "PERLLIB", /* perl, search path for modules/includes */ + "PERL5LIB", /* perl 5, search path for modules/includes */ + "PERL5OPT", /* perl 5, extra command line options */ + "PERL5DB", /* perl 5, command used to load debugger */ + "FPATH", /* ksh, search path for functions */ + "NULLCMD", /* zsh, command for null file redirection */ + "READNULLCMD", /* zsh, command for null file redirection */ + "ZDOTDIR", /* zsh, search path for dot files */ + "TMPPREFIX", /* zsh, prefix for temporary files */ + "PYTHONHOME", /* python, module search path */ + "PYTHONPATH", /* python, search path */ + "PYTHONINSPEC", /* python, allow inspection */ + "RUBYLIB", /* ruby, library load path */ + "RUBYOPT", /* ruby, extra command line options */ NULL }; @@ -131,99 +183,34 @@ * Default table of variables to check for '%' and '/' characters. */ static const char *initial_checkenv_table[] = { - "LC_*", + "COLORTERM", "LANG", "LANGUAGE", + "LC_*", + "LINGUAS", + "TERM", NULL }; -static char **new_environ; /* Modified copy of the environment */ -static size_t env_size; /* size of new_environ in char **'s */ -static size_t env_len; /* number of slots used, not counting NULL */ - /* - * Zero out environment and replace with a minimal set of KRB5CCNAME - * USER, LOGNAME, HOME, TZ, PATH (XXX - should just set path to default) - * May set user_path, user_shell, and/or user_prompt as side effects. + * Default table of variables to preserve in the environment. */ -char ** -zero_env(envp) - char **envp; -{ - static char *newenv[9]; - char **ep, **nep = newenv; - char **ne_last = &newenv[(sizeof(newenv) / sizeof(newenv[0])) - 1]; - extern char *prev_user; +static const char *initial_keepenv_table[] = { + "COLORS", + "DISPLAY", + "HOSTNAME", + "KRB5CCNAME", + "LS_COLORS", + "MAIL", + "PATH", + "PS1", + "PS2", + "TZ", + "XAUTHORITY", + "XAUTHORIZATION", + NULL +}; - for (ep = envp; *ep; ep++) { - switch (**ep) { - case 'H': - if (strncmp("HOME=", *ep, 5) == 0) - break; - continue; - case 'K': - if (strncmp("KRB5CCNAME=", *ep, 11) == 0) - break; - continue; - case 'L': - if (strncmp("LOGNAME=", *ep, 8) == 0) - break; - continue; - case 'P': - if (strncmp("PATH=", *ep, 5) == 0) { - user_path = *ep + 5; - /* XXX - set to sane default instead of user's? */ - break; - } - continue; - case 'S': - if (strncmp("SHELL=", *ep, 6) == 0) - user_shell = *ep + 6; - else if (!user_prompt && strncmp("SUDO_PROMPT=", *ep, 12) == 0) - user_prompt = *ep + 12; - else if (strncmp("SUDO_USER=", *ep, 10) == 0) - prev_user = *ep + 10; - continue; - case 'T': - if (strncmp("TZ=", *ep, 3) == 0) - break; - continue; - case 'U': - if (strncmp("USER=", *ep, 5) == 0) - break; - continue; - default: - continue; - } - - /* Deal with multiply defined variables (take first instance) */ - for (nep = newenv; *nep; nep++) { - if (**nep == **ep) - break; - } - if (*nep == NULL) { - if (nep < ne_last) - *nep++ = *ep; - else - errx(1, "internal error, attempt to write outside newenv"); - } - } - -#ifdef HAVE_LDAP - /* - * Prevent OpenLDAP from reading any user dotfiles - * or files in the current directory. - * - */ - if (nep < ne_last) - *nep++ = "LDAPNOINIT=1"; - else - errx(1, "internal error, attempt to write outside newenv"); -#endif - - return(&newenv[0]); -} - /* * Given a variable and value, allocate and format an environment string. */ @@ -275,41 +262,130 @@ } /* - * Insert str into new_environ, assumes str has an '=' in it. - * NOTE: no other routines may modify new_environ, env_size, or env_len. + * Insert str into e->envp, assumes str has an '=' in it. */ static void -insert_env(str, dupcheck) +insert_env(str, e, dupcheck) char *str; + struct environment *e; int dupcheck; { char **nep; size_t varlen; /* Make sure there is room for the new entry plus a NULL. */ - if (env_len + 2 > env_size) { - env_size += 128; - new_environ = erealloc3(new_environ, env_size, sizeof(char *)); + if (e->env_len + 2 > e->env_size) { + e->env_size += 128; + e->envp = erealloc3(e->envp, e->env_size, sizeof(char *)); } if (dupcheck) { varlen = (strchr(str, '=') - str) + 1; - for (nep = new_environ; *nep; nep++) { + for (nep = e->envp; *nep; nep++) { if (strncmp(str, *nep, varlen) == 0) { *nep = str; return; } } } else - nep = &new_environ[env_len]; + nep = e->envp + e->env_len; - env_len++; + e->env_len++; *nep++ = str; *nep = NULL; } /* + * Check the env_delete blacklist. + * Returns TRUE if the variable was found, else false. + */ +static int +matches_env_delete(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, match = FALSE; + + /* Skip anything listed in env_delete. */ + for (cur = def_env_delete; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + match = TRUE; + break; + } + } + return(match); +} + +/* + * Apply the env_check list. + * Returns TRUE if the variable is allowed, FALSE if denied + * or -1 if no match. + */ +static int +matches_env_check(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, keepit = -1; + + for (cur = def_env_check; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + keepit = !strpbrk(var, "/%"); + break; + } + } + return(keepit); +} + +/* + * Check the env_keep list. + * Returns TRUE if the variable is allowed else FALSE. + */ +static int +matches_env_keep(var) + const char *var; +{ + struct list_member *cur; + size_t len; + int iswild, keepit = FALSE; + + for (cur = def_env_keep; cur; cur = cur->next) { + len = strlen(cur->value); + /* Deal with '*' wildcard */ + if (cur->value[len - 1] == '*') { + len--; + iswild = TRUE; + } else + iswild = FALSE; + if (strncmp(cur->value, var, len) == 0 && + (iswild || var[len] == '=')) { + keepit = TRUE; + break; + } + } + return(keepit); +} + +/* * Build a new environment and ether clear potentially dangerous * variables from the old one or start with a clean slate. * Also adds sudo-specific variables (SUDO_*). @@ -321,21 +397,18 @@ int noexec; { char **ep, *cp, *ps1; - int okvar, iswild, didvar; - size_t len; - struct list_member *cur; + unsigned int didvar; /* * Either clean out the environment or reset to a safe default. */ ps1 = NULL; didvar = 0; + memset(&env, 0, sizeof(env)); if (def_env_reset) { - int keepit; - /* Pull in vars we want to keep from the old environment. */ for (ep = envp; *ep; ep++) { - keepit = 0; + int keepit; /* Skip variables with values beginning with () (bash functions) */ if ((cp = strchr(*ep, '=')) != NULL) { @@ -343,22 +416,14 @@ continue; } - for (cur = def_env_keep; cur; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=')) { - /* We always preserve TERM, no special treatment needed. */ - if (strncmp(*ep, "TERM=", 5) != 0) - keepit = 1; - break; - } - } + /* + * First check certain variables for '%' and '/' characters. + * If no match there, check the keep list. + * If nothing matched, we remove it from the environment. + */ + keepit = matches_env_check(*ep); + if (keepit == -1) + keepit = matches_env_keep(*ep); /* For SUDO_PS1 -> PS1 conversion. */ if (strncmp(*ep, "SUDO_PS1=", 8) == 0) @@ -371,31 +436,33 @@ if (strncmp(*ep, "HOME=", 5) == 0) SET(didvar, DID_HOME); break; + case 'L': + if (strncmp(*ep, "LOGNAME=", 8) == 0) + SET(didvar, DID_LOGNAME); + break; + case 'P': + if (strncmp(*ep, "PATH=", 5) == 0) + SET(didvar, DID_PATH); + break; case 'S': if (strncmp(*ep, "SHELL=", 6) == 0) SET(didvar, DID_SHELL); break; - case 'L': - if (strncmp(*ep, "LOGNAME=", 8) == 0) - SET(didvar, DID_LOGNAME); + case 'T': + if (strncmp(*ep, "TERM=", 5) == 0) + SET(didvar, DID_TERM); break; case 'U': if (strncmp(*ep, "USER=", 5) == 0) SET(didvar, DID_USER); + if (strncmp(*ep, "USERNAME=", 5) == 0) + SET(didvar, DID_USERNAME); break; } - insert_env(*ep, 0); - } else { - /* Preserve TERM and PATH, ignore anything else. */ - if (!ISSET(didvar, DID_TERM) && strncmp(*ep, "TERM=", 5) == 0) { - insert_env(*ep, 0); - SET(didvar, DID_TERM); - } else if (!ISSET(didvar, DID_PATH) && strncmp(*ep, "PATH=", 5) == 0) { - insert_env(*ep, 0); - SET(didvar, DID_PATH); - } + insert_env(*ep, &env, 0); } } + didvar |= didvar << 8; /* convert DID_* to KEPT_* */ /* * Add in defaults. In -i mode these come from the runas user, @@ -403,19 +470,28 @@ * on sudoers options). */ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { - insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 0); - insert_env(format_env("SHELL", runas_pw->pw_shell, VNULL), 0); - insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 0); - insert_env(format_env("USER", runas_pw->pw_name, VNULL), 0); + insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), &env, + ISSET(didvar, DID_HOME)); + insert_env(format_env("SHELL", runas_pw->pw_shell, VNULL), &env, + ISSET(didvar, DID_SHELL)); + insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), &env, + ISSET(didvar, DID_LOGNAME)); + insert_env(format_env("USER", runas_pw->pw_name, VNULL), &env, + ISSET(didvar, DID_USER)); + insert_env(format_env("USERNAME", runas_pw->pw_name, VNULL), &env, + ISSET(didvar, DID_USERNAME)); } else { if (!ISSET(didvar, DID_HOME)) - insert_env(format_env("HOME", user_dir, VNULL), 0); + insert_env(format_env("HOME", user_dir, VNULL), &env, 0); if (!ISSET(didvar, DID_SHELL)) - insert_env(format_env("SHELL", sudo_user.pw->pw_shell, VNULL), 0); + insert_env(format_env("SHELL", sudo_user.pw->pw_shell, VNULL), + &env, 0); if (!ISSET(didvar, DID_LOGNAME)) - insert_env(format_env("LOGNAME", user_name, VNULL), 0); + insert_env(format_env("LOGNAME", user_name, VNULL), &env, 0); if (!ISSET(didvar, DID_USER)) - insert_env(format_env("USER", user_name, VNULL), 0); + insert_env(format_env("USER", user_name, VNULL), &env, 0); + if (!ISSET(didvar, DID_USERNAME)) + insert_env(format_env("USERNAME", user_name, VNULL), &env, 0); } } else { /* @@ -423,7 +499,7 @@ * env_check. */ for (ep = envp; *ep; ep++) { - okvar = 1; + int okvar; /* Skip variables with values beginning with () (bash functions) */ if ((cp = strchr(*ep, '=')) != NULL) { @@ -431,37 +507,14 @@ continue; } - /* Skip anything listed in env_delete. */ - for (cur = def_env_delete; cur && okvar; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=')) { - okvar = 0; - } - } + /* + * First check variables against the blacklist in env_delete. + * If no match there check for '%' and '/' characters. + */ + okvar = matches_env_delete(*ep) != TRUE; + if (okvar) + okvar = matches_env_check(*ep) != FALSE; - /* Check certain variables for '%' and '/' characters. */ - for (cur = def_env_check; cur && okvar; cur = cur->next) { - len = strlen(cur->value); - /* Deal with '*' wildcard */ - if (cur->value[len - 1] == '*') { - len--; - iswild = 1; - } else - iswild = 0; - if (strncmp(cur->value, *ep, len) == 0 && - (iswild || (*ep)[len] == '=') && - strpbrk(*ep, "/%")) { - okvar = 0; - } - } - if (okvar) { if (strncmp(*ep, "SUDO_PS1=", 9) == 0) ps1 = *ep + 5; @@ -469,31 +522,43 @@ SET(didvar, DID_PATH); else if (strncmp(*ep, "TERM=", 5) == 0) SET(didvar, DID_TERM); - insert_env(*ep, 0); + insert_env(*ep, &env, 0); } } } - /* Provide default values for $TERM and $PATH if they are not set. */ - if (!ISSET(didvar, DID_TERM)) - insert_env("TERM=unknown", 0); - if (!ISSET(didvar, DID_PATH)) - insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), 0); #ifdef SECURE_PATH /* Replace the PATH envariable with a secure one. */ - insert_env(format_env("PATH", SECURE_PATH, VNULL), 1); + if (!user_is_exempt()) { + insert_env(format_env("PATH", SECURE_PATH, VNULL), &env, 1); + SET(didvar, DID_PATH); + } #endif - /* Set $USER and $LOGNAME to target if "set_logname" is true. */ + /* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is true. */ if (def_set_logname && runas_pw->pw_name) { - insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), 1); - insert_env(format_env("USER", runas_pw->pw_name, VNULL), 1); + if (!ISSET(didvar, KEPT_LOGNAME)) + insert_env(format_env("LOGNAME", runas_pw->pw_name, VNULL), &env, 1); + if (!ISSET(didvar, KEPT_USER)) + insert_env(format_env("USER", runas_pw->pw_name, VNULL), &env, 1); + if (!ISSET(didvar, KEPT_USERNAME)) + insert_env(format_env("USERNAME", runas_pw->pw_name, VNULL), &env, 1); } /* Set $HOME for `sudo -H'. Only valid at PERM_FULL_RUNAS. */ - if (ISSET(sudo_mode, MODE_RESET_HOME) && runas_pw->pw_dir) - insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), 1); + if (runas_pw->pw_dir) { + if (ISSET(sudo_mode, MODE_RESET_HOME) || + (ISSET(sudo_mode, MODE_RUN) && (def_always_set_home || + (ISSET(sudo_mode, MODE_SHELL) && def_set_home)))) + insert_env(format_env("HOME", runas_pw->pw_dir, VNULL), &env, 1); + } + /* Provide default values for $TERM and $PATH if they are not set. */ + if (!ISSET(didvar, DID_TERM)) + insert_env("TERM=unknown", &env, 0); + if (!ISSET(didvar, DID_PATH)) + insert_env(format_env("PATH", _PATH_DEFPATH, VNULL), &env, 0); + /* * Preload a noexec file? For a list of LD_PRELOAD-alikes, see * http://www.fortran-2000.com/ArnaudRecipes/sharedlib.html @@ -501,44 +566,144 @@ */ if (noexec && def_noexec_file != NULL) { #if defined(__darwin__) || defined(__APPLE__) - insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), 1); - insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), 1); + insert_env(format_env("DYLD_INSERT_LIBRARIES", def_noexec_file, VNULL), + &env, 1); + insert_env(format_env("DYLD_FORCE_FLAT_NAMESPACE", VNULL), &env, 1); #else # if defined(__osf__) || defined(__sgi) - insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT", VNULL), 1); + insert_env(format_env("_RLD_LIST", def_noexec_file, ":DEFAULT", VNULL), + &env, 1); # else - insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), 1); -# endif -#endif +# ifdef _AIX + insert_env(format_env("LDR_PRELOAD", def_noexec_file, VNULL), &env, 1); +# else + insert_env(format_env("LD_PRELOAD", def_noexec_file, VNULL), &env, 1); +# endif /* _AIX */ +# endif /* __osf__ || __sgi */ +#endif /* __darwin__ || __APPLE__ */ } /* Set PS1 if SUDO_PS1 is set. */ if (ps1) - insert_env(ps1, 1); + insert_env(ps1, &env, 1); /* Add the SUDO_COMMAND envariable (cmnd + args). */ if (user_args) - insert_env(format_env("SUDO_COMMAND", user_cmnd, " ", user_args, VNULL), 1); + insert_env(format_env("SUDO_COMMAND", user_cmnd, " ", user_args, VNULL), + &env, 1); else - insert_env(format_env("SUDO_COMMAND", user_cmnd, VNULL), 1); + insert_env(format_env("SUDO_COMMAND", user_cmnd, VNULL), &env, 1); /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */ - insert_env(format_env("SUDO_USER", user_name, VNULL), 1); + insert_env(format_env("SUDO_USER", user_name, VNULL), &env, 1); easprintf(&cp, "SUDO_UID=%lu", (unsigned long) user_uid); - insert_env(cp, 1); + insert_env(cp, &env, 1); easprintf(&cp, "SUDO_GID=%lu", (unsigned long) user_gid); - insert_env(cp, 1); + insert_env(cp, &env, 1); - return(new_environ); + return(env.envp); } +char ** +insert_env_vars(envp, env_vars) + char **envp; + struct list_member *env_vars; +{ + struct list_member *cur; + + if (env_vars == NULL) + return (envp); + + /* + * Make sure we still own the environment and steal it back if not. + */ + if (env.envp != envp) { + size_t evlen; + char **ep; + + for (ep = envp; *ep != NULL; ep++) + continue; + evlen = ep - envp; + if (evlen + 1 > env.env_size) { + efree(env.envp); + env.env_size = evlen + 1 + 128; + env.envp = emalloc2(env.env_size, sizeof(char *)); + } + memcpy(env.envp, envp, evlen + 1); + env.env_len = evlen; + } + + /* Add user-specified environment variables. */ + for (cur = env_vars; cur != NULL; cur = cur->next) + insert_env(cur->value, &env, 1); + + return(env.envp); +} + +/* + * Validate the list of environment variables passed in on the command + * line against env_delete, env_check, and env_keep. + * Calls log_error() if any specified variables are not allowed. + */ void +validate_env_vars(env_vars) + struct list_member *env_vars; +{ + struct list_member *var; + char *eq, *bad = NULL; + size_t len, blen = 0, bsize = 0; + int okvar; + + for (var = env_vars; var != NULL; var = var->next) { +#ifdef SECURE_PATH + if (!user_is_exempt() && strncmp(var->value, "PATH=", 5) == 0) { + okvar = FALSE; + } else +#endif + if (def_env_reset) { + okvar = matches_env_check(var->value); + if (okvar == -1) + okvar = matches_env_keep(var->value); + } else { + okvar = matches_env_delete(var->value) == FALSE; + if (okvar == FALSE) + okvar = matches_env_check(var->value) != FALSE; + } + if (okvar == FALSE) { + /* Not allowed, add to error string, allocating as needed. */ + if ((eq = strchr(var->value, '=')) != NULL) + *eq = '\0'; + len = strlen(var->value) + 2; + if (blen + len >= bsize) { + do { + bsize += 1024; + } while (blen + len >= bsize); + bad = erealloc(bad, bsize); + bad[blen] = '\0'; + } + strlcat(bad, var->value, bsize); + strlcat(bad, ", ", bsize); + blen += len; + if (eq != NULL) + *eq = '='; + } + } + if (bad != NULL) { + bad[blen - 2] = '\0'; /* remove trailing ", " */ + log_error(NO_MAIL, + "sorry, you are not allowed to set the following environment variables: %s", bad); + /* NOTREACHED */ + efree(bad); + } +} + +void init_envtables() { struct list_member *cur; const char **p; - /* Fill in "env_delete" variable. */ + /* Fill in the "env_delete" list. */ for (p = initial_badenv_table; *p; p++) { cur = emalloc(sizeof(struct list_member)); cur->value = estrdup(*p); @@ -546,11 +711,19 @@ def_env_delete = cur; } - /* Fill in "env_check" variable. */ + /* Fill in the "env_check" list. */ for (p = initial_checkenv_table; *p; p++) { cur = emalloc(sizeof(struct list_member)); cur->value = estrdup(*p); cur->next = def_env_check; def_env_check = cur; + } + + /* Fill in the "env_keep" list. */ + for (p = initial_keepenv_table; *p; p++) { + cur = emalloc(sizeof(struct list_member)); + cur->value = estrdup(*p); + cur->next = def_env_keep; + def_env_keep = cur; } }