Pass a pointer to user_env in to the init_session policy plugin
function so session setup can modify the user environment as needed. For PAM authentication, merge the PAM environment with the user environment at init_session time. We no longer need to swap in the user_env for environ during session init, nor do we need to disable the env hooks at init_session time.
This commit is contained in:
Todd C. Miller
39
src/sudo.c
39
src/sudo.c
@@ -130,7 +130,7 @@ static int policy_list(struct plugin_container *plugin, int argc,
|
||||
static int policy_validate(struct plugin_container *plugin);
|
||||
static void policy_invalidate(struct plugin_container *plugin, int remove);
|
||||
static int policy_init_session(struct plugin_container *plugin,
|
||||
struct passwd *pwd);
|
||||
struct passwd *pwd, char **user_env[]);
|
||||
|
||||
/* I/O log plugin convenience functions. */
|
||||
static int iolog_open(struct plugin_container *plugin, char * const settings[],
|
||||
@@ -148,8 +148,6 @@ static struct rlimit corelimit;
|
||||
static struct rlimit nproclimit;
|
||||
#endif
|
||||
|
||||
extern char **environ;
|
||||
|
||||
int
|
||||
main(int argc, char *argv[], char *envp[])
|
||||
{
|
||||
@@ -285,9 +283,6 @@ main(int argc, char *argv[], char *envp[])
|
||||
plugin->name);
|
||||
}
|
||||
}
|
||||
/* Now that we have the command's environment, disable env hooks. */
|
||||
deregister_env_hooks();
|
||||
|
||||
/* Setup command details and run command/edit. */
|
||||
command_info_to_details(command_info, &command_details);
|
||||
command_details.argv = argv_out;
|
||||
@@ -850,17 +845,11 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
|
||||
aix_restoreauthdb();
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Swap in the plugin-supplied environment in case session init
|
||||
* modifies the environment. This is kind of a hack.
|
||||
*/
|
||||
environ = details->envp;
|
||||
|
||||
/*
|
||||
* Call policy plugin's session init before other setup occurs.
|
||||
* The session init code is expected to print an error as needed.
|
||||
*/
|
||||
if (policy_init_session(&policy_plugin, pw) != true)
|
||||
if (policy_init_session(&policy_plugin, pw, &details->envp) != true)
|
||||
goto done;
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
@@ -912,9 +901,6 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
|
||||
#endif /* HAVE_LOGIN_CAP_H */
|
||||
}
|
||||
|
||||
/* Update the environment pointer in command details */
|
||||
details->envp = environ;
|
||||
|
||||
/*
|
||||
* Set groups, including supplementary group vector.
|
||||
*/
|
||||
@@ -1148,12 +1134,25 @@ policy_invalidate(struct plugin_container *plugin, int remove)
|
||||
}
|
||||
|
||||
static int
|
||||
policy_init_session(struct plugin_container *plugin, struct passwd *pwd)
|
||||
policy_init_session(struct plugin_container *plugin, struct passwd *pwd, char **user_env[])
|
||||
{
|
||||
int rval = true;
|
||||
debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
|
||||
if (plugin->u.policy->init_session)
|
||||
debug_return_bool(plugin->u.policy->init_session(pwd));
|
||||
debug_return_bool(true);
|
||||
|
||||
if (plugin->u.policy->init_session) {
|
||||
/*
|
||||
* Backwards compatibility for older API versions
|
||||
*/
|
||||
switch (plugin->u.generic->version) {
|
||||
case SUDO_API_MKVERSION(1, 0):
|
||||
case SUDO_API_MKVERSION(1, 1):
|
||||
rval = plugin->u.policy_1_0->init_session(pwd);
|
||||
break;
|
||||
default:
|
||||
rval = plugin->u.policy->init_session(pwd, user_env);
|
||||
}
|
||||
}
|
||||
debug_return_bool(rval);
|
||||
}
|
||||
|
||||
static int
|
||||
|
||||
Reference in New Issue
Block a user