isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't allow pam_env to overwrite existing variables when env_reset

Browse Source 
is disabled unless the variables match the black list and would
normally be removed.  It may just be better to never overwrite when
env_reset is disabled.
This commit is contained in:
Todd C. Miller
2014-08-11 10:37:08 -06:00
parent 2f472d5966
commit c49ca1d315
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
plugins/sudoers/env.c
View File

@@ -680,6 +680,7 @@ env_should_keep(const char *var)
debug_return_bool(keepit == true); debug_return_bool(keepit == true);
} }
#ifdef HAVE_PAM
/* /*
* Merge another environment with our private copy. * Merge another environment with our private copy.
* Only overwrite an existing variable if it is not * Only overwrite an existing variable if it is not
@@ -694,8 +695,9 @@ env_merge(char * const envp[])
debug_decl(env_merge, SUDO_DEBUG_ENV) debug_decl(env_merge, SUDO_DEBUG_ENV)
for (ep = envp; *ep != NULL; ep++) { for (ep = envp; *ep != NULL; ep++) {
/* XXX - avoid checking value here too */ /* XXX - avoid checking value here, should only check name */
if (sudo_putenv(*ep, true, !env_should_keep(*ep)) == -1) { bool overwrite = def_env_reset ? !env_should_keep(*ep) : env_should_delete(*ep);
if (sudo_putenv(*ep, true, overwrite) == -1) {
/* XXX cannot undo on failure */ /* XXX cannot undo on failure */
rval = false; rval = false;
break; break;
@@ -703,6 +705,7 @@ env_merge(char * const envp[])
} }
debug_return_bool(rval); debug_return_bool(rval);
} }
#endif /* HAVE_PAM */
static void static void
env_update_didvar(const char *ep, unsigned int *didvar) env_update_didvar(const char *ep, unsigned int *didvar)