From: Lennart Poettering Date: Mon, 4 Feb 2019 09:23:43 +0000 (+0100) Subject: pam-systemd: use secure_getenv() rather than getenv() X-Git-Tag: archive/raspbian/241-7_deb10u7+rpi1^2~61 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=06a5f62ee9c64d7c9315f4fc52840c98cbffc59b;p=systemd.git pam-systemd: use secure_getenv() rather than getenv() And explain why in a comment. (cherry picked from commit 83d4ab55336ff8a0643c6aa627b31e351a24040a) Gbp-Pq: Name pam-systemd-use-secure_getenv-rather-than-getenv.patch --- diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c index 997b74eb..ea245c8b 100644 --- a/src/login/pam_systemd.c +++ b/src/login/pam_systemd.c @@ -316,14 +316,21 @@ static const char* getenv_harder(pam_handle_t *handle, const char *key, const ch assert(handle); assert(key); - /* Looks for an environment variable, preferrably in the environment block associated with the specified PAM - * handle, falling back to the process' block instead. */ + /* Looks for an environment variable, preferrably in the environment block associated with the + * specified PAM handle, falling back to the process' block instead. Why check both? Because we want + * to permit configuration of session properties from unit files that invoke PAM services, so that + * PAM services don't have to be reworked to set systemd-specific properties, but these properties + * can still be set from the unit file Environment= block. */ v = pam_getenv(handle, key); if (!isempty(v)) return v; - v = getenv(key); + /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally + * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they + * currently don't (to be precise, they clean up the environment they pass to their children, but + * not their own environ[]). */ + v = secure_getenv(key); if (!isempty(v)) return v;
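Review bot: the new comment above `v = secure_getenv(key);` explains why the call is used but not what it actually does in the SUID case it names: secure_getenv() returns NULL whenever the process runs with elevated privileges (AT_SECURE set, as for su/sudo), so in exactly that situation the fallback to the process environment is disabled and only the PAM environment block returned by pam_getenv() is honoured. Stating that consequence in the comment, e.g. `/* ... in which case secure_getenv() returns NULL and only the PAM environment block is consulted */`, would make the intended hardening explicit for the next reader, and it is worth confirming that this translation unit is built with _GNU_SOURCE, since glibc only declares secure_getenv() under it. Separately, the rewrapped first comment in the hunk still carries the pre-existing "preferrably" typo; since those lines are already being touched, "preferably" would be a cheap fix.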