From 261f8190739a049d3adf0821f481c3cff8a0e5c2 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 16 Jan 2002 21:28:25 +0000
Subject: [PATCH] o when invoking the mailer as root use a hard-coded environment that doesn't include any info from the user's environment. Basically paranoia. o Add support for the NO_ROOT_MAILER compile-time option and run the mailer as the user and not root if NO_ROOT_MAILER is defined.

---
 logging.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/logging.c b/logging.c
index e0456379b..56f15b6a9 100644
--- a/logging.c
+++ b/logging.c
@@ -439,6 +439,15 @@ send_mail(line)
 char *p;
 int pfd[2], pid, status;
 sigset_t set, oset;
+#ifndef NO_ROOT_MAILER
+ static char *root_envp[] = {
+ "HOME=/",
+ "PATH=/usr/bin:/bin",
+ "LOGNAME=root",
+ "USER=root",
+ NULL
+ };
+#endif
 
 /* Just return if mailer is disabled. */
 if (!def_str(I_MAILERPATH) || !def_str(I_MAILTO))
@@ -493,9 +502,17 @@ send_mail(line)
 /* Close password file so we don't leak the fd. */
 endpwent();
 
- /* Run mailer as root so user cannot kill it. */
+ /*
+ * Depending on the config, either run the mailer as root
+ * (so user cannot kill it) or as the user (for the paranoid).
+ */
+#ifndef NO_ROOT_MAILER
 set_perms(PERM_FULL_ROOT, 0);
+ execve(mpath, argv, root_envp);
+#else
+ set_perms(PERM_FULL_USER, 0);
 execv(mpath, argv);
+#endif /* NO_ROOT_MAILER */
 _exit(127);
 }
 break;
-- 
2.40.0
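Review bot: The new `root_envp` table in the first hunk is declared `static char *root_envp[]` although it is only ever handed to `execve()`, whose envp parameter is `char *const envp[]`; declaring it `static char *const root_envp[] = {` states that the table is read-only and lets the compiler reject an accidental write to it. A short comment above the table would also spell out its purpose for the next reader, e.g. `/* Minimal, fully controlled environment for the root mailer; nothing here comes from the invoking user. */`. The `PATH` entry is not consumed by the exec itself, since `mpath` is an explicit path; whether the mailer relies on it cannot be told from this hunk. send_mail begins before this hunk.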
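Review bot: In the second hunk's `#else` branch `execv(mpath, argv)` still passes the invoking user's complete environment to the mailer, so the environment sanitisation this commit introduces applies only to the root case; that is defensible because the mailer then runs with the user's own privileges, but the new comment should say so explicitly, e.g. `* With NO_ROOT_MAILER the mailer runs as the user, with the user's own environment.`. Neither `set_perms()` call has its result checked; if set_perms can report failure rather than exiting (its contract is not visible here), a failed identity switch would exec the mailer under the wrong credentials, so a check between `set_perms()` and the exec would be safer. send_mail's body starts and ends outside this hunk.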