From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Wed, 7 Mar 2012 21:38:57 +0000 (-0500)
Subject: Move LOGIN_PATH and LOGIN_SETENV handling to plugin now that we
X-Git-Tag: SUDO_1_8_5~1^2~173
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d4a3a5d8b900d076a4db9ad9e1c41e44a7cb5940;p=sudo

Move LOGIN_PATH and LOGIN_SETENV handling to plugin now that we
hook setenv.
---

diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 7efb8df12..fbbcc3361 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -70,6 +70,9 @@
 # ifndef LOGIN_DEFROOTCLASS
 #  define LOGIN_DEFROOTCLASS	"daemon"
 # endif
+# ifndef LOGIN_SETENV
+#  define LOGIN_SETENV	0
+# endif
 #endif
 #ifdef HAVE_SELINUX
 # include <selinux/selinux.h>
@@ -595,6 +598,16 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	/* Insert system-wide environment variables. */
 	read_env_file(_PATH_ENVIRONMENT, true);
 #endif
+#ifdef HAVE_LOGIN_CAP_H
+	/* Set environment based on login class. */
+	if (login_class) {
+	    login_cap_t *lc = login_getclass(login_class);
+	    if (lc != NULL) {
+		setusercontext(lc, runas_pw, runas_pw->pw_uid, LOGIN_SETPATH|LOGIN_SETENV);
+		login_close(lc);
+	    }
+	}
+#endif /* HAVE_LOGIN_CAP_H */
     }
 
     /* Insert system-wide environment variables. */
diff --git a/src/sudo.c b/src/sudo.c
index a0c94fd05..3bc99ada4 100644
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -63,6 +63,9 @@
 #endif
 #ifdef HAVE_LOGIN_CAP_H
 # include <login_cap.h>
+# ifndef LOGIN_SETENV
+#  define LOGIN_SETENV	0
+# endif
 #endif
 #ifdef HAVE_PROJECT_H
 # include <project.h>
@@ -846,8 +849,7 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 
     /*
      * Swap in the plugin-supplied environment in case session init
-     * modifies the environment.  Also needed for LOGIN_SETENV.
-     * This is kind of a hack.
+     * modifies the environment.  This is kind of a hack.
      */
     environ = details->envp;
 
@@ -891,7 +893,7 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 	    if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
 		/* Set everything except user, group and login name. */
 		flags = LOGIN_SETALL;
-		CLR(flags, LOGIN_SETGROUP|LOGIN_SETLOGIN|LOGIN_SETUSER);
+		CLR(flags, LOGIN_SETGROUP|LOGIN_SETLOGIN|LOGIN_SETUSER|LOGIN_SETENV|LOGIN_SETPATH);
 		CLR(details->flags, CD_SET_UMASK); /* LOGIN_UMASK instead */
 	    } else {
 		flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;