From c49ca1d315b5c6ca1d6ed6c69d8ca324ef82d91b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 11 Aug 2014 10:37:08 -0600
Subject: [PATCH] Don't allow pam_env to overwrite existing variables when env_reset is disabled unless the variables match the black list and would normally be removed. It may just be better to never overwrite when env_reset is disabled.
---
 plugins/sudoers/env.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index ddc4738c8..482e14c1d 100644
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -680,6 +680,7 @@ env_should_keep(const char *var)
 debug_return_bool(keepit == true);
 }
 
+#ifdef HAVE_PAM
 /*
  * Merge another environment with our private copy.
  * Only overwrite an existing variable if it is not
@@ -694,8 +695,9 @@ env_merge(char * const envp[])
 debug_decl(env_merge, SUDO_DEBUG_ENV)
 
 for (ep = envp; *ep != NULL; ep++) {
- /* XXX - avoid checking value here too */
- if (sudo_putenv(*ep, true, !env_should_keep(*ep)) == -1) {
+ /* XXX - avoid checking value here, should only check name */
+ bool overwrite = def_env_reset ? !env_should_keep(*ep) : env_should_delete(*ep);
+ if (sudo_putenv(*ep, true, overwrite) == -1) {
 /* XXX cannot undo on failure */
 rval = false;
 break;
@@ -703,6 +705,7 @@ env_merge(char * const envp[])
 }
 debug_return_bool(rval);
 }
+#endif /* HAVE_PAM */
 
 static void
 env_update_didvar(const char *ep, unsigned int *didvar)
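Review bot: The overwrite decision in the new `bool overwrite = def_env_reset ? !env_should_keep(*ep) : env_should_delete(*ep);` line is made on the pam_env entry's full `NAME=value` string, so for variables whose value is inspected rather than just their name the pam value can be judged differently from the user's existing value under the same name, and the "would normally be removed" rule from the commit message is only approximated; the retained XXX comment admits this but does not say which policy applies in which mode. I would replace the XXX with a comment that states the policy, e.g. `/* env_reset on: overwrite unless the var would be preserved; env_reset off: only overwrite a var that would be stripped. Both checks look at the value too, not just the name. */`. As a point of style, `overwrite` is declared mid-block inside the for loop; if sudoers still targets C89 compilers it should be hoisted to the declarations at the top of env_merge, which begin outside this hunk. The function's header comment in the first hunk also continues past the hunk and should mention that the overwrite rule now depends on env_reset.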