If some, but not all, of the LOGNAME, USER or USERNAME environment

variables have been preserved from the invoking user's environment,
sudo will now use the preserved value to set the remaining variables
instead of using the runas user.  This ensures that if, for example,
only LOGNAME is present in the env_keep list, that sudo will not
set USER and USERNAME to the runas user.

diff --git a/NEWS b/NEWS
index d0a97cb37ebefb0ea673b895c16c9ae757db6e3e..0b72c736a3c956a4b29ddbdb0a4d9962c75e603e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,13 @@ What's new in Sudo 1.8.15
    command when the terminal is closed and the command is not run
    in its own pseudo-tty.  Bug #719
 
+ * If some, but not all, of the LOGNAME, USER or USERNAME environment
+   variables have been preserved from the invoking user's environment,
+   sudo will now use the preserved value to set the remaining variables
+   instead of using the runas user.  This ensures that if, for example,
+   only LOGNAME is present in the env_keep list, that sudo will not
+   set USER and USERNAME to the runas user.
+
 What's new in Sudo 1.8.14p3
 
  * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo

diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c
index 4a91ac850d545c25c98ed7b82b0fe19be9946491..39d24dfb0fda478eed832715241c3206d5d27694 100644 (file)
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -941,7 +941,7 @@ rebuild_env(void)
        } else {
            if (!ISSET(didvar, DID_SHELL))
                CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
-           /* We will set LOGNAME later in the !def_set_logname case. */
+           /* We will set LOGNAME later in the def_set_logname case. */
            if (!def_set_logname) {
                if (!ISSET(didvar, DID_LOGNAME))
                    CHECK_SETENV2("LOGNAME", user_name, false, true);
@@ -1001,16 +1001,38 @@ rebuild_env(void)
     /*
      * Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is not
      * disabled.  We skip this if we are running a login shell (because
-     * they have already been set) or sudoedit (because we want the editor
-     * to find the invoking user's startup files).
+     * they have already been set).
      */
     if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
-       if (!ISSET(didvar, KEPT_LOGNAME))
+       if (!ISSET(didvar, (KEPT_LOGNAME|KEPT_USER|KEPT_USERNAME))) {
+           /* Nothing preserved, set all three. */
            CHECK_SETENV2("LOGNAME", runas_pw->pw_name, true, true);
-       if (!ISSET(didvar, KEPT_USER))
            CHECK_SETENV2("USER", runas_pw->pw_name, true, true);
-       if (!ISSET(didvar, KEPT_USERNAME))
            CHECK_SETENV2("USERNAME", runas_pw->pw_name, true, true);
+       } else if ((didvar & (KEPT_LOGNAME|KEPT_USER|KEPT_USERNAME)) !=
+           (KEPT_LOGNAME|KEPT_USER|KEPT_USERNAME)) {
+           /*
+            * Preserved some of LOGNAME, USER, USERNAME but not all.
+            * Make the unset ones match so we don't end up with some
+            * set to the invoking user and others set to the runas user.
+            */
+           if (ISSET(didvar, KEPT_LOGNAME))
+               cp = sudo_getenv("LOGNAME");
+           else if (ISSET(didvar, KEPT_USER))
+               cp = sudo_getenv("USER");
+           else if (ISSET(didvar, KEPT_USERNAME))
+               cp = sudo_getenv("USERNAME");
+           else
+               cp = NULL;
+           if (cp != NULL) {
+               if (!ISSET(didvar, KEPT_LOGNAME))
+                   CHECK_SETENV2("LOGNAME", cp, true, true);
+               if (!ISSET(didvar, KEPT_USER))
+                   CHECK_SETENV2("USER", cp, true, true);
+               if (!ISSET(didvar, KEPT_USERNAME))
+                   CHECK_SETENV2("USERNAME", cp, true, true);
+           }
+       }
     }
 
     /* Set $HOME to target user if not preserving user's value. */