Date:      Thu, 8 Feb 2001 15:18:45 -0600
From:      "Jacques A. Vidrine" <n@nectar.com>
To:        freebsd-audit@freebsd.org
Subject:   login: exporting PAM environment
Message-ID:  <20010208151845.A58884@hamlet.nectar.com>

Hello,

Please have a look at the following patch.  This corrects login so
that it exports environmental variables set by PAM modules.  This is
particularly important for certain options of pam_krb5.

--- login.c.orig	Thu Feb  8 07:14:50 2001
+++ login.c	Thu Feb  8 15:13:44 2001
@@ -106,6 +106,8 @@
 
 #ifndef NO_PAM
 static int auth_pam __P((void));
+static int export_pam_environment __P((void));
+static int ok_to_export __P((const char *));
 #endif
 static int auth_traditional __P((void));
 extern void login __P((struct utmp *));
@@ -128,6 +130,9 @@
 int	failures;
 char	*term, *envinit[1], *hostname, *username, *tty;
 char    full_hostname[MAXHOSTNAMELEN];
+#ifndef NO_PAM
+static char **environ_pam;
+#endif
 
 int
 main(argc, argv)
@@ -548,6 +553,15 @@
 	if (!pflag)
 		environ = envinit;
 
+#ifndef NO_PAM
+	/*
+	 * Add any environmental variables that the
+	 * PAM modules may have set.
+	 */
+	if (environ_pam)
+		export_pam_environment();
+#endif
+
 	/*
 	 * We don't need to be root anymore, so
 	 * set the user and session context
@@ -718,6 +732,7 @@
 		    PAM_SUCCESS)
 			syslog(LOG_ERR, "Couldn't establish credentials: %s",
 			    pam_strerror(pamh, e));
+		environ_pam = pam_getenvlist(pamh);
 		rval = 0;
 		break;
 
@@ -737,6 +752,47 @@
 		rval = -1;
 	}
 	return rval;
+}
+
+static int
+export_pam_environment()
+{
+	char	**pp;
+
+	for (pp = environ_pam; *pp != NULL; pp++) {
+		if (ok_to_export(*pp))
+			(void) putenv(*pp);
+		free(*pp);
+	}
+	return PAM_SUCCESS;
+}
+
+/*
+ * Sanity checks on PAM environmental variables:
+ * - Make sure there is an '=' in the string.
+ * - Make sure the string doesn't run on too long.
+ * - Do not export certain variables.  This list was taken from the
+ *   Solaris pam_putenv(3) man page.
+ */
+static int
+ok_to_export(s)
+	const char *s;
+{
+	static const char *noexport[] = {
+		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
+		"IFS", "PATH", NULL
+	};
+	const char **pp;
+
+	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
+		return 0;
+	if (strncmp(s, "LD_", 3) == 0)
+		return 0;
+	for (pp = noexport; *pp != NULL; pp++) {
+		if (strcmp(s, *pp) == 0)
+			return 0;
+	}
+	return 1;
 }
 #endif /* NO_PAM */
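Review bot: The noexport loop in ok_to_export cannot match anything, because `s` is a `NAME=value` string from pam_getenvlist while the table holds bare names, so `strcmp(s, *pp)` is never 0 and SHELL, PATH, IFS and the rest are exported after all; only the `LD_` prefix test actually filters. Compare just the name part, e.g. `size_t namelen = strchr(s, '=') - s;` after the existing '=' check, and `if (strlen(*pp) == namelen && strncmp(s, *pp, namelen) == 0)` in the loop. A second concern is `free(*pp)` immediately after `putenv(*pp)` in export_pam_environment: putenv(3) as specified by POSIX stores the caller's pointer rather than a copy, so on such an implementation environ would reference freed memory — either use setenv(3) on a split copy or free only the rejected entries, depending on what this libc's putenv does. The `environ_pam` array itself is never freed, and the PAM_SUCCESS return value of export_pam_environment is ignored by its caller.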
 

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org





