Move LOGIN_PATH and LOGIN_SETENV handling to plugin now that we

hook setenv.

plugins/sudoers/sudoers.c

@@ -70,6 +70,9 @@
 # ifndef LOGIN_DEFROOTCLASS
 #  define LOGIN_DEFROOTCLASS	"daemon"
 # endif
+# ifndef LOGIN_SETENV
+#  define LOGIN_SETENV	0
+# endif
 #endif
 #ifdef HAVE_SELINUX
 # include <selinux/selinux.h>
@@ -595,6 +598,16 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	/* Insert system-wide environment variables. */
 	read_env_file(_PATH_ENVIRONMENT, true);
 #endif
+#ifdef HAVE_LOGIN_CAP_H
+	/* Set environment based on login class. */
+	if (login_class) {
+	    login_cap_t *lc = login_getclass(login_class);
+	    if (lc != NULL) {
+		setusercontext(lc, runas_pw, runas_pw->pw_uid, LOGIN_SETPATH|LOGIN_SETENV);
+		login_close(lc);
+	    }
+	}
+#endif /* HAVE_LOGIN_CAP_H */
     }
 
     /* Insert system-wide environment variables. */

src/sudo.c

@@ -63,6 +63,9 @@
 #endif
 #ifdef HAVE_LOGIN_CAP_H
 # include <login_cap.h>
+# ifndef LOGIN_SETENV
+#  define LOGIN_SETENV	0
+# endif
 #endif
 #ifdef HAVE_PROJECT_H
 # include <project.h>
@@ -846,8 +849,7 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 
     /*
      * Swap in the plugin-supplied environment in case session init
-     * modifies the environment.  Also needed for LOGIN_SETENV.
+     * modifies the environment.  This is kind of a hack.
-     * This is kind of a hack.
      */
     environ = details->envp;
 
@@ -891,7 +893,7 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 	    if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
 		/* Set everything except user, group and login name. */
 		flags = LOGIN_SETALL;
-		CLR(flags, LOGIN_SETGROUP|LOGIN_SETLOGIN|LOGIN_SETUSER);
+		CLR(flags, LOGIN_SETGROUP|LOGIN_SETLOGIN|LOGIN_SETUSER|LOGIN_SETENV|LOGIN_SETPATH);
 		CLR(details->flags, CD_SET_UMASK); /* LOGIN_UMASK instead */
 	    } else {
 		flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;