Date: Thu, 8 Feb 2001 15:18:45 -0600 From: "Jacques A. Vidrine" <n@nectar.com> To: freebsd-audit@freebsd.org Subject: login: exporting PAM environment Message-ID: <20010208151845.A58884@hamlet.nectar.com>
Hello, Please have a look at the following patch. This corrects login so that it exports environmental variables set by PAM modules. This is particularly important for certain options of pam_krb5.
--- login.c.orig Thu Feb 8 07:14:50 2001
+++ login.c Thu Feb 8 15:13:44 2001
@@ -106,6 +106,8 @@
 #ifndef NO_PAM
 static int auth_pam __P((void));
+static int export_pam_environment __P((void));
+static int ok_to_export __P((const char *));
 #endif
 static int auth_traditional __P((void));
 extern void login __P((struct utmp *));
@@ -128,6 +130,9 @@
 int failures;
 char *term, *envinit[1], *hostname, *username, *tty;
 char full_hostname[MAXHOSTNAMELEN];
+#ifndef NO_PAM
+static char **environ_pam;
+#endif
 int
 main(argc, argv)
@@ -548,6 +553,15 @@
 if (!pflag)
 environ = envinit;
+#ifndef NO_PAM
+ /*
+ * Add any environmental variables that the
+ * PAM modules may have set.
+ */
+ if (environ_pam)
+ export_pam_environment();
+#endif
+
 /*
 * We don't need to be root anymore, so
 * set the user and session context
@@ -718,6 +732,7 @@
 PAM_SUCCESS)
 syslog(LOG_ERR, "Couldn't establish credentials: %s",
 pam_strerror(pamh, e));
+ environ_pam = pam_getenvlist(pamh);
 rval = 0;
 break;
 
@@ -737,6 +752,47 @@
 rval = -1;
 }
 return rval;
+}
+
+static int
+export_pam_environment()
+{
+ char **pp;
+
+ for (pp = environ_pam; *pp != NULL; pp++) {
+ if (ok_to_export(*pp))
+ (void) putenv(*pp);
+ free(*pp);
+ }
+ return PAM_SUCCESS;
+}
+
+/*
+ * Sanity checks on PAM environmental variables:
+ * - Make sure there is an '=' in the string.
+ * - Make sure the string doesn't run on too long.
+ * - Do not export certain variables. This list was taken from the
+ * Solaris pam_putenv(3) man page.
+ */
+static int
+ok_to_export(s)
+ const char *s;
+{
+ static const char *noexport[] = {
+ "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
+ "IFS", "PATH", NULL
+ };
+ const char **pp;
+
+ if (strlen(s) > 1024 || strchr(s, '=') == NULL)
+ return 0;
+ if (strncmp(s, "LD_", 3) == 0)
+ return 0;
+ for (pp = noexport; *pp != NULL; pp++) {
+ if (strcmp(s, *pp) == 0)
+ return 0;
+ }
+ return 1;
 }
 #endif /* NO_PAM */
Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
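Review bot: The `noexport` list in `ok_to_export` can never match: `strcmp(s, *pp)` compares the whole `NAME=value` string against a bare name such as `PATH`, and the check just above already rejects any `s` without an `=`, so a module-supplied `PATH=...` or `IFS=...` is still exported despite the comment saying otherwise. Compare only the name up to the `=` instead: add `size_t n;` to the declarations and replace the loop body with `n = strlen(*pp);` followed by `if (s[n] == '=' && strncmp(s, *pp, n) == 0)`. Separately, `export_pam_environment` calls `free(*pp)` immediately after `putenv(*pp)`; POSIX permits `putenv` to keep the caller's pointer rather than a copy, so unless this libc's `putenv` is known to copy, `environ` may be left referencing freed memory — copying via `setenv` (split at the `=`) or leaving the strings allocated would not depend on that. The `environ_pam` array itself is never freed either, which is harmless before the exec but deserves a one-line comment.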