From owner-freebsd-audit Thu Feb 8 13:19: 6 2001 Delivered-To: freebsd-audit@freebsd.org Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id A8BD237B401 for ; Thu, 8 Feb 2001 13:18:46 -0800 (PST) Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id 2B33D18C93 for ; Thu, 8 Feb 2001 15:18:46 -0600 (CST) Received: (from nectar@localhost) by hamlet.nectar.com (8.11.2/8.9.3) id f18LIkt58897 for freebsd-audit@freebsd.org; Thu, 8 Feb 2001 15:18:46 -0600 (CST) (envelope-from nectar@spawn.nectar.com) Date: Thu, 8 Feb 2001 15:18:45 -0600 From: "Jacques A. Vidrine" To: freebsd-audit@freebsd.org Subject: login: exporting PAM environment Message-ID: <20010208151845.A58884@hamlet.nectar.com> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-audit@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Url: http://www.nectar.com/ Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hello, Please have a look at the following patch. This corrects login so that it exports environmental variables set by PAM modules. This is particularly important for certain options of pam_krb5. --- login.c.orig Thu Feb 8 07:14:50 2001 +++ login.c Thu Feb 8 15:13:44 2001 @@ -106,6 +106,8 @@ #ifndef NO_PAM static int auth_pam __P((void)); +static int export_pam_environment __P((void)); +static int ok_to_export __P((const char *)); #endif static int auth_traditional __P((void)); extern void login __P((struct utmp *)); @@ -128,6 +130,9 @@ int failures; char *term, *envinit[1], *hostname, *username, *tty; char full_hostname[MAXHOSTNAMELEN]; +#ifndef NO_PAM +static char **environ_pam; +#endif int main(argc, argv) @@ -548,6 +553,15 @@ if (!pflag) environ = envinit; +#ifndef NO_PAM + /* + * Add any environmental variables that the + * PAM modules may have set. + */ + if (environ_pam) + export_pam_environment(); +#endif + /* * We don't need to be root anymore, so * set the user and session context @@ -718,6 +732,7 @@ PAM_SUCCESS) syslog(LOG_ERR, "Couldn't establish credentials: %s", pam_strerror(pamh, e)); + environ_pam = pam_getenvlist(pamh); rval = 0; break; @@ -737,6 +752,47 @@ rval = -1; } return rval; +} + +static int +export_pam_environment() +{ + char **pp; + + for (pp = environ_pam; *pp != NULL; pp++) { + if (ok_to_export(*pp)) + (void) putenv(*pp); + free(*pp); + } + return PAM_SUCCESS; +} + +/* + * Sanity checks on PAM environmental variables: + * - Make sure there is an '=' in the string. + * - Make sure the string doesn't run on too long. + * - Do not export certain variables. This list was taken from the + * Solaris pam_putenv(3) man page. + */ +static int +ok_to_export(s) + const char *s; +{ + static const char *noexport[] = { + "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH", + "IFS", "PATH", NULL + }; + const char **pp; + + if (strlen(s) > 1024 || strchr(s, '=') == NULL) + return 0; + if (strncmp(s, "LD_", 3) == 0) + return 0; + for (pp = noexport; *pp != NULL; pp++) { + if (strcmp(s, *pp) == 0) + return 0; + } + return 1; } #endif /* NO_PAM */ Cheers, -- Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message