isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't allow pam_env to overwrite existing variables when env_reset

Browse Source 
is disabled unless the variables match the black list and would
normally be removed.  It may just be better to never overwrite when
env_reset is disabled.
This commit is contained in:
Todd C. Miller
2014-08-11 10:37:08 -06:00
parent 2f472d5966
commit c49ca1d315
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
plugins/sudoers/env.c
View File

@@ -680,6 +680,7 @@ env_should_keep(const char *var)
debug_return_bool(keepit == true);
}
#ifdef HAVE_PAM
/*
* Merge another environment with our private copy.
* Only overwrite an existing variable if it is not
@@ -694,8 +695,9 @@ env_merge(char * const envp[])
debug_decl(env_merge, SUDO_DEBUG_ENV)
for (ep = envp; *ep != NULL; ep++) {
/* XXX - avoid checking value here too */
if (sudo_putenv(*ep, true, !env_should_keep(*ep)) == -1) {
/* XXX - avoid checking value here, should only check name */
bool overwrite = def_env_reset ? !env_should_keep(*ep) : env_should_delete(*ep);
if (sudo_putenv(*ep, true, overwrite) == -1) {
/* XXX cannot undo on failure */
rval = false;
break;
@@ -703,6 +705,7 @@ env_merge(char * const envp[])
}
debug_return_bool(rval);
}
#endif /* HAVE_PAM */
static void
env_update_didvar(const char *ep, unsigned int *didvar)