#ifdef HAVE_SETUSERCONTEXT
if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+ LOGIN_SETPATH |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
LOGIN_SETUSER) != 0)
errx(1, "failed to set user context for target");
syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
mypw->pw_name, cmdline, targpw->pw_name, cwd);
- envp = prepenv(rule);
+ envp = prepenv(rule, mypw, targpw);
if (rule->cmd) {
+ /* do this again after setusercontext reset it */
if (setenv("PATH", safepath, 1) == -1)
err(1, "failed to set PATH '%s'", safepath);
}
#include <err.h>
#include <unistd.h>
#include <errno.h>
+#include <pwd.h>
#include "doas.h"
#include "includes.h"
u_int count;
};
+static void fillenv(struct env *env, const char **envlist);
+
static int
envcmp(struct envnode *a, struct envnode *b)
{
free(node);
}
+static void
+addnode(struct env *env, const char *key, const char *value)
+{
+ struct envnode *node;
+
+ node = createnode(key, value);
+ RB_INSERT(envtree, &env->root, node);
+ env->count++;
+}
+
static struct env *
-createenv(const struct rule *rule)
+createenv(const struct rule *rule, const struct passwd *mypw,
+ const struct passwd *targpw)
{
struct env *env;
u_int i;
RB_INIT(&env->root);
env->count = 0;
+ addnode(env, "DOAS_USER", mypw->pw_name);
+
if (rule->options & KEEPENV) {
extern char **environ;
env->count++;
}
}
+ } else {
+ static const char *copyset[] = {
+ "DISPLAY", "TERM",
+ NULL
+ };
+
+ addnode(env, "HOME", targpw->pw_dir);
+ addnode(env, "LOGNAME", targpw->pw_name);
+ addnode(env, "PATH", getenv("PATH"));
+ addnode(env, "SHELL", targpw->pw_shell);
+ addnode(env, "USER", targpw->pw_name);
+
+ fillenv(env, copyset);
}
return env;
}
char **
-prepenv(const struct rule *rule)
+prepenv(const struct rule *rule, const struct passwd *mypw,
+ const struct passwd *targpw)
{
- static const char *safeset[] = {
- "DISPLAY", "HOME", "LOGNAME", "MAIL",
- "PATH", "TERM", "USER", "USERNAME",
- NULL
- };
struct env *env;
- env = createenv(rule);
-
- /* if we started with blank, fill some defaults then apply rules */
- if (!(rule->options & KEEPENV))
- fillenv(env, safeset);
+ env = createenv(rule, mypw, targpw);
if (rule->envlist)
fillenv(env, rule->envlist);