1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 2000-2005, 2007-2023
5
 *	Todd C. Miller <[email protected]>
6
 *
7
 * Permission to use, copy, modify, and distribute this software for any
8
 * purpose with or without fee is hereby granted, provided that the above
9
 * copyright notice and this permission notice appear in all copies.
10
 *
11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18
 *
19
 * Sponsored in part by the Defense Advanced Research Projects
20
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
22
 */
23

24
#include <config.h>
25

26
#include <stdio.h>
27
#include <stdlib.h>
28
#include <string.h>
29
#include <unistd.h>
30
#if defined(HAVE_STDINT_H)
31
# include <stdint.h>
32
#elif defined(HAVE_INTTYPES_H)
33
# include <inttypes.h>
34
#endif
35
#ifdef HAVE_LOGIN_CAP_H
36
# include <login_cap.h>
37
# ifndef LOGIN_SETENV
38
#  define LOGIN_SETENV	0
39
# endif
40
#endif /* HAVE_LOGIN_CAP_H */
41
#include <ctype.h>
42
#include <errno.h>
43
#include <limits.h>
44
#include <pwd.h>
45

46
#include <sudoers.h>
47

48
/*
49
 * Flags used in rebuild_env()
50
 */
51
#undef DID_TERM
52
#define DID_TERM	0x00000001
53
#undef DID_PATH
54
#define DID_PATH	0x00000002
55
#undef DID_HOME
56
#define DID_HOME	0x00000004
57
#undef DID_SHELL
58
#define DID_SHELL	0x00000008
59
#undef DID_LOGNAME
60
#define DID_LOGNAME	0x00000010
61
#undef DID_USER
62
#define DID_USER    	0x00000020
63
#undef DID_LOGIN
64
#define DID_LOGIN   	0x00000040
65
#undef DID_MAIL
66
#define DID_MAIL   	0x00000080
67
#undef DID_MAX
68
#define DID_MAX    	0x0000ffff
69

70
#undef KEPT_TERM
71
#define KEPT_TERM	0x00010000
72
#undef KEPT_PATH
73
#define KEPT_PATH	0x00020000
74
#undef KEPT_HOME
75
#define KEPT_HOME	0x00040000
76
#undef KEPT_SHELL
77
#define KEPT_SHELL	0x00080000
78
#undef KEPT_LOGNAME
79
#define KEPT_LOGNAME	0x00100000
80
#undef KEPT_USER
81
#define KEPT_USER    	0x00200000
82
#undef KEPT_LOGIN
83
#define KEPT_LOGIN	0x00400000
84
#undef KEPT_MAIL
85
#define KEPT_MAIL	0x00800000
86
#undef KEPT_MAX
87
#define KEPT_MAX    	0xffff0000
88

89
/*
90
 * AIX sets the LOGIN environment variable too.
91
 */
92
#ifdef _AIX
93
# define KEPT_USER_VARIABLES (KEPT_LOGIN|KEPT_LOGNAME|KEPT_USER)
94
#else
95
# define KEPT_USER_VARIABLES (KEPT_LOGNAME|KEPT_USER)
96
#endif
97

98
/*
99
 * Functions to open, close and parse an environment file, either
100
 * a system file such as /etc/environment or one specified in sudoers.
101
 */
102
struct sudoers_env_file {
103
    void * (*open)(const char *);
104
    void   (*close)(void *);
105
    char * (*next)(void *, int *);
106
};
107

108
/*
109
 * State for a local environment file.
110
 */
111
struct env_file_local {
112
    FILE *fp;
113
    char *line;
114
    size_t linesize;
115
};
116

117
struct environment {
118
    char **envp;		/* pointer to the new environment */
119
    char **old_envp;		/* pointer the old environment we allocated */
120
    size_t env_size;		/* size of new_environ in char **'s */
121
    size_t env_len;		/* number of slots used, not counting NULL */
122
};
123

124
/*
125
 * Copy of the sudo-managed environment.
126
 */
127
static struct environment env;
128

129
/*
130
 * Default table of "bad" variables to remove from the environment.
131
 * XXX - how to omit TERMCAP if it starts with '/'?
132
 */
133
static const char *initial_badenv_table[] = {
134
    "IFS",
135
    "CDPATH",
136
    "LOCALDOMAIN",
137
    "RES_OPTIONS",
138
    "HOSTALIASES",
139
    "NLSPATH",
140
    "PATH_LOCALE",
141
    "LD_*",
142
    "_RLD*",
143
#ifdef __hpux
144
    "SHLIB_PATH",
145
#endif /* __hpux */
146
#ifdef _AIX
147
    "LDR_*",
148
    "LIBPATH",
149
    "AUTHSTATE",
150
#endif
151
#ifdef __APPLE__
152
    "DYLD_*",
153
#endif
154
#ifdef HAVE_KERB5
155
    "KRB5_CONFIG*",
156
    "KRB5_KTNAME",
157
#endif /* HAVE_KERB5 */
158
#ifdef HAVE_SECURID
159
    "VAR_ACE",
160
    "USR_ACE",
161
    "DLC_ACE",
162
#endif /* HAVE_SECURID */
163
    "TERMINFO",			/* terminfo, exclusive path to terminfo files */
164
    "TERMINFO_DIRS",		/* terminfo, path(s) to terminfo files */
165
    "TERMPATH",			/* termcap, path(s) to termcap files */
166
    "TERMCAP",			/* XXX - only if it starts with '/' */
167
    "ENV",			/* ksh, file to source before script runs */
168
    "BASH_ENV",			/* bash, file to source before script runs */
169
    "PS4",			/* bash, prefix for lines in xtrace mode */
170
    "GLOBIGNORE",		/* bash, globbing patterns to ignore */
171
    "BASHOPTS",			/* bash, initial "shopt -s" options */
172
    "SHELLOPTS",		/* bash, initial "set -o" options */
173
    "JAVA_TOOL_OPTIONS",	/* java, extra command line options */
174
    "PERLIO_DEBUG",		/* perl, debugging output file */
175
    "PERLLIB",			/* perl, search path for modules/includes */
176
    "PERL5LIB",			/* perl 5, search path for modules/includes */
177
    "PERL5OPT",			/* perl 5, extra command line options */
178
    "PERL5DB",			/* perl 5, command used to load debugger */
179
    "FPATH",			/* ksh, search path for functions */
180
    "NULLCMD",			/* zsh, command for null file redirection */
181
    "READNULLCMD",		/* zsh, command for null file redirection */
182
    "ZDOTDIR",			/* zsh, search path for dot files */
183
    "TMPPREFIX",		/* zsh, prefix for temporary files */
184
    "PYTHONHOME",		/* python, module search path */
185
    "PYTHONPATH",		/* python, search path */
186
    "PYTHONINSPECT",		/* python, allow inspection */
187
    "PYTHONUSERBASE",		/* python, per user site-packages directory */
188
    "RUBYLIB",			/* ruby, library load path */
189
    "RUBYOPT",			/* ruby, extra command line options */
190
    "*=()*",			/* bash functions */
191
    NULL
192
};
193

194
/*
195
 * Default table of variables to check for '%' and '/' characters.
196
 */
197
static const char *initial_checkenv_table[] = {
198
    "COLORTERM",
199
    "LANG",
200
    "LANGUAGE",
201
    "LC_*",
202
    "LINGUAS",
203
    "TERM",
204
    "TZ",
205
    NULL
206
};
207

208
/*
209
 * Default table of variables to preserve in the environment.
210
 */
211
static const char *initial_keepenv_table[] = {
212
    "COLORS",
213
    "DISPLAY",
214
    "HOSTNAME",
215
    "KRB5CCNAME",
216
    "LS_COLORS",
217
    "PATH",
218
    "PS1",
219
    "PS2",
220
    "XAUTHORITY",
221
    "XAUTHORIZATION",
222
    "XDG_CURRENT_DESKTOP",
223
    NULL
224
};
225

226
/*
227
 * Free our copy (or copies) of the environment.
228
 * This function is only safe to call after the command has executed.
229
 */
230
void
231
env_free(void)
232
{
233
    sudoers_gc_remove(GC_PTR, env.envp);
234
    free(env.envp);
235
    sudoers_gc_remove(GC_PTR, env.old_envp);
236
    free(env.old_envp);
237
    memset(&env, 0, sizeof(env));
238
}
239

240
/*
241
 * Initialize env based on envp.
242
 */
243
bool
244
env_init(char * const envp[])
245
{
246
    char * const *ep;
247
    size_t len;
248
    debug_decl(env_init, SUDOERS_DEBUG_ENV);
249

250
    if (envp == NULL) {
251
	/* Free the old envp we allocated, if any. */
252
	sudoers_gc_remove(GC_PTR, env.old_envp);
253
	free(env.old_envp);
254

255
	/*
256
	 * Reset to initial state but keep a pointer to what we allocated
257
	 * since it will be passed to execve(2).
258
	 */
259
	env.old_envp = env.envp;
260
	env.envp = NULL;
261
	env.env_size = 0;
262
	env.env_len = 0;
263
    } else {
264
	/* Make private copy of envp. */
265
	for (ep = envp; *ep != NULL; ep++)
266
	    continue;
267
	len = (size_t)(ep - envp);
268

269
	env.env_len = len;
270
	env.env_size = len + 1 + 128;
271
	env.envp = reallocarray(NULL, env.env_size, sizeof(char *));
272
	if (env.envp == NULL) {
273
	    env.env_size = 0;
274
	    env.env_len = 0;
275
	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
276
	    debug_return_bool(false);
277
	}
278
	sudoers_gc_add(GC_PTR, env.envp);
279
#ifdef ENV_DEBUG
280
	memset(env.envp, 0, env.env_size * sizeof(char *));
281
#endif
282
	memcpy(env.envp, envp, len * sizeof(char *));
283
	env.envp[len] = NULL;
284

285
	/* Free the old envp we allocated, if any. */
286
	sudoers_gc_remove(GC_PTR, env.old_envp);
287
	free(env.old_envp);
288
	env.old_envp = NULL;
289
    }
290

291
    debug_return_bool(true);
292
}
293

294
/*
295
 * Getter for private copy of the environment.
296
 */
297
char **
298
env_get(void)
299
{
300
    return env.envp;
301
}
302

303
/*
304
 * Swap the old and new copies of the environment.
305
 */
306
bool
307
env_swap_old(void)
308
{
309
    char **old_envp;
310

311
    if (env.old_envp == NULL)
312
	return false;
313
    old_envp = env.old_envp;
314
    env.old_envp = env.envp;
315
    env.envp = old_envp;
316
    return true;
317
}
318

319
/*
320
 * Similar to putenv(3) but operates on sudo's private copy of the
321
 * environment (not environ) and it always overwrites.  The dupcheck param
322
 * determines whether we need to verify that the variable is not already set.
323
 * Will only overwrite an existing variable if overwrite is set.
324
 * Does not include warnings or debugging to avoid recursive calls.
325
 */
326
int
327
sudo_putenv_nodebug(char *str, bool dupcheck, bool overwrite)
328
{
329
    char **ep;
330
    const char *equal;
331
    bool found = false;
332

333
    /* Some putenv(3) implementations check for NULL. */
334
    if (str == NULL) {
335
	errno = EINVAL;
336
	return -1;
337
    }
338

339
    /* The string must contain a '=' char but not start with one. */
340
    equal = strchr(str, '=');
341
    if (equal == NULL || equal == str) {
342
	errno = EINVAL;
343
	return -1;
344
    }
345

346
    /* Make sure there is room for the new entry plus a NULL. */
347
    if (env.env_size > 2 && env.env_len > env.env_size - 2) {
348
	char **nenvp;
349
	size_t nsize;
350

351
	if (env.env_size > SIZE_MAX - 128) {
352
	    sudo_warnx_nodebug(U_("internal error, %s overflow"),
353
		"sudo_putenv_nodebug");
354
	    errno = EOVERFLOW;
355
	    return -1;
356
	}
357
	nsize = env.env_size + 128;
358
	if (nsize > SIZE_MAX / sizeof(char *)) {
359
	    sudo_warnx_nodebug(U_("internal error, %s overflow"),
360
		"sudo_putenv_nodebug");
361
	    errno = EOVERFLOW;
362
	    return -1;
363
	}
364
	sudoers_gc_remove(GC_PTR, env.envp);
365
	nenvp = reallocarray(env.envp, nsize, sizeof(char *));
366
	if (nenvp == NULL) {
367
	    sudoers_gc_add(GC_PTR, env.envp);
368
	    return -1;
369
	}
370
	sudoers_gc_add(GC_PTR, nenvp);
371
	env.envp = nenvp;
372
	env.env_size = nsize;
373
#ifdef ENV_DEBUG
374
	memset(env.envp + env.env_len, 0,
375
	    (env.env_size - env.env_len) * sizeof(char *));
376
#endif
377
    }
378

379
#ifdef ENV_DEBUG
380
    if (env.envp[env.env_len] != NULL) {
381
	errno = EINVAL;
382
	return -1;
383
    }
384
#endif
385

386
    if (dupcheck) {
387
	size_t len = (size_t)(equal - str) + 1;
388
	for (ep = env.envp; *ep != NULL; ep++) {
389
	    if (strncmp(str, *ep, len) == 0) {
390
		if (overwrite)
391
		    *ep = str;
392
		found = true;
393
		break;
394
	    }
395
	}
396
	/* Prune out extra instances of the variable we just overwrote. */
397
	if (found && overwrite) {
398
	    while (*++ep != NULL) {
399
		if (strncmp(str, *ep, len) == 0) {
400
		    char **cur = ep;
401
		    while ((*cur = *(cur + 1)) != NULL)
402
			cur++;
403
		    ep--;
404
		}
405
	    }
406
	    env.env_len = (size_t)(ep - env.envp);
407
	}
408
    }
409

410
    if (!found) {
411
	ep = env.envp + env.env_len;
412
	env.env_len++;
413
	*ep++ = str;
414
	*ep = NULL;
415
    }
416
    return 0;
417
}
418

419
/*
420
 * Similar to putenv(3) but operates on sudo's private copy of the
421
 * environment (not environ) and it always overwrites.  The dupcheck param
422
 * determines whether we need to verify that the variable is not already set.
423
 * Will only overwrite an existing variable if overwrite is set.
424
 */
425
static int
426
sudo_putenv(char *str, bool dupcheck, bool overwrite)
427
{
428
    int ret;
429
    debug_decl(sudo_putenv, SUDOERS_DEBUG_ENV);
430

431
    sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_putenv: %s", str);
432

433
    ret = sudo_putenv_nodebug(str, dupcheck, overwrite);
434
    if (ret == -1) {
435
#ifdef ENV_DEBUG
436
	if (env.envp[env.env_len] != NULL) {
437
	    sudo_warnx("%s",
438
		U_("sudo_putenv: corrupted envp, length mismatch"));
439
	}
440
#endif
441
    }
442
    debug_return_int(ret);
443
}
444

445
/*
446
 * Similar to setenv(3) but operates on a private copy of the environment.
447
 * The dupcheck param determines whether we need to verify that the variable
448
 * is not already set.
449
 */
450
static int
451
sudo_setenv2(const char *var, const char *val, bool dupcheck, bool overwrite)
452
{
453
    char *estring;
454
    size_t esize;
455
    int ret = -1;
456
    debug_decl(sudo_setenv2, SUDOERS_DEBUG_ENV);
457

458
    esize = strlen(var) + 1 + strlen(val) + 1;
459
    if ((estring = malloc(esize)) == NULL) {
460
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
461
	    "unable to allocate memory");
462
	debug_return_int(-1);
463
    }
464

465
    /* Build environment string and insert it. */
466
    if (strlcpy(estring, var, esize) >= esize ||
467
	strlcat(estring, "=", esize) >= esize ||
468
	strlcat(estring, val, esize) >= esize) {
469

470
	sudo_warnx(U_("internal error, %s overflow"), __func__);
471
	errno = EOVERFLOW;
472
    } else {
473
	ret = sudo_putenv(estring, dupcheck, overwrite);
474
    }
475
    if (ret == -1)
476
	free(estring);
477
    else
478
	sudoers_gc_add(GC_PTR, estring);
479
    debug_return_int(ret);
480
}
481

482
/*
483
 * Similar to setenv(3) but operates on a private copy of the environment.
484
 */
485
int
486
sudo_setenv(const char *var, const char *val, int overwrite)
487
{
488
    return sudo_setenv2(var, val, true, (bool)overwrite);
489
}
490

491
/*
492
 * Similar to unsetenv(3) but operates on a private copy of the environment.
493
 * Does not include warnings or debugging to avoid recursive calls.
494
 */
495
int
496
sudo_unsetenv_nodebug(const char *var)
497
{
498
    char **ep = env.envp;
499
    size_t len;
500

501
    if (ep == NULL || var == NULL || *var == '\0' || strchr(var, '=') != NULL) {
502
	errno = EINVAL;
503
	return -1;
504
    }
505

506
    len = strlen(var);
507
    while (*ep != NULL) {
508
	if (strncmp(var, *ep, len) == 0 && (*ep)[len] == '=') {
509
	    /* Found it; shift remainder + NULL over by one. */
510
	    char **cur = ep;
511
	    while ((*cur = *(cur + 1)) != NULL)
512
		cur++;
513
	    env.env_len--;
514
	    /* Keep going, could be multiple instances of the var. */
515
	} else {
516
	    ep++;
517
	}
518
    }
519
    return 0;
520
}
521

522
/*
523
 * Similar to unsetenv(3) but operates on a private copy of the environment.
524
 */
525
int
526
sudo_unsetenv(const char *name)
527
{
528
    int ret;
529
    debug_decl(sudo_unsetenv, SUDOERS_DEBUG_ENV);
530

531
    sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_unsetenv: %s", name);
532

533
    ret = sudo_unsetenv_nodebug(name);
534

535
    debug_return_int(ret);
536
}
537

538
/*
539
 * Similar to getenv(3) but operates on a private copy of the environment.
540
 * Does not include warnings or debugging to avoid recursive calls.
541
 */
542
char *
543
sudo_getenv_nodebug(const char *name)
544
{
545
    char **ep, *val = NULL;
546
    size_t namelen = 0;
547

548
    if (env.env_len != 0) {
549
	/* For BSD compatibility, treat '=' in name like end of string. */
550
	while (name[namelen] != '\0' && name[namelen] != '=')
551
	    namelen++;
552
	for (ep = env.envp; *ep != NULL; ep++) {
553
	    if (strncmp(*ep, name, namelen) == 0 && (*ep)[namelen] == '=') {
554
		val = *ep + namelen + 1;
555
		break;
556
	    }
557
	}
558
    }
559
    return val;
560
}
561

562
/*
563
 * Similar to getenv(3) but operates on a private copy of the environment.
564
 */
565
char *
566
sudo_getenv(const char *name)
567
{
568
    char *val;
569
    debug_decl(sudo_getenv, SUDOERS_DEBUG_ENV);
570

571
    sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_getenv: %s", name);
572

573
    val = sudo_getenv_nodebug(name);
574

575
    debug_return_str(val);
576
}
577

578
/*
579
 * Check for var against patterns in the specified environment list.
580
 * Returns true if the variable was found, else false.
581
 */
582
static bool
583
matches_env_list(const char *var, struct list_members *list, bool *full_match)
584
{
585
    struct list_member *cur;
586
    bool is_logname = false;
587
    debug_decl(matches_env_list, SUDOERS_DEBUG_ENV);
588

589
    switch (*var) {
590
    case 'L':
591
	if (strncmp(var, "LOGNAME=", 8) == 0)
592
	    is_logname = true;
593
#ifdef _AIX
594
	else if (strncmp(var, "LOGIN=", 6) == 0)
595
	    is_logname = true;
596
#endif
597
	break;
598
    case 'U':
599
	if (strncmp(var, "USER=", 5) == 0)
600
	    is_logname = true;
601
	break;
602
    }
603

604
    if (is_logname) {
605
	/*
606
	 * We treat LOGIN, LOGNAME and USER specially.
607
	 * If one is preserved/deleted we want to preserve/delete them all.
608
	 */
609
	SLIST_FOREACH(cur, list, entries) {
610
	    if (matches_env_pattern(cur->value, "LOGNAME", full_match) ||
611
#ifdef _AIX
612
		matches_env_pattern(cur->value, "LOGIN", full_match) ||
613
#endif
614
		matches_env_pattern(cur->value, "USER", full_match))
615
		debug_return_bool(true);
616
	}
617
    } else {
618
	SLIST_FOREACH(cur, list, entries) {
619
	    if (matches_env_pattern(cur->value, var, full_match))
620
		debug_return_bool(true);
621
	}
622
    }
623
    debug_return_bool(false);
624
}
625

626
/*
627
 * Check the env_delete blocklist.
628
 * Returns true if the variable was found, else false.
629
 */
630
static bool
631
matches_env_delete(const char *var)
632
{
633
    bool full_match;	/* unused */
634
    debug_decl(matches_env_delete, SUDOERS_DEBUG_ENV);
635

636
    /* Skip anything listed in env_delete. */
637
    debug_return_bool(matches_env_list(var, &def_env_delete, &full_match));
638
}
639

640
/*
641
 * Verify the TZ environment variable is safe.
642
 * On many systems it is possible to set this to a pathname.
643
 */
644
static bool
645
tz_is_safe(const char *tzval)
646
{
647
    const char *cp;
648
    char lastch;
649
    debug_decl(tz_is_safe, SUDOERS_DEBUG_ENV);
650

651
    /* tzcode treats a value beginning with a ':' as a path. */
652
    if (tzval[0] == ':')
653
	tzval++;
654

655
    /* Reject fully-qualified TZ that doesn't being with the zoneinfo dir. */
656
    if (tzval[0] == '/') {
657
#ifdef _PATH_ZONEINFO
658
	if (strncmp(tzval, _PATH_ZONEINFO, sizeof(_PATH_ZONEINFO) - 1) != 0 ||
659
	    tzval[sizeof(_PATH_ZONEINFO) - 1] != '/')
660
	    debug_return_bool(false);
661
#else
662
	/* Assume the worst. */
663
	debug_return_bool(false);
664
#endif
665
    }
666

667
    /*
668
     * Make sure TZ only contains printable non-space characters
669
     * and does not contain a '..' path element.
670
     */
671
    lastch = '/';
672
    for (cp = tzval; *cp != '\0'; cp++) {
673
	if (isspace((unsigned char)*cp) || !isprint((unsigned char)*cp))
674
	    debug_return_bool(false);
675
	if (lastch == '/' && cp[0] == '.' && cp[1] == '.' &&
676
	    (cp[2] == '/' || cp[2] == '\0'))
677
	    debug_return_bool(false);
678
	lastch = *cp;
679
    }
680

681
    /* Reject extra long TZ values (even if not a path). */
682
    if ((size_t)(cp - tzval) >= PATH_MAX)
683
	debug_return_bool(false);
684

685
    debug_return_bool(true);
686
}
687

688
/*
689
 * Apply the env_check list.
690
 * Returns true if the variable is allowed, false if denied
691
 * or -1 if no match.
692
 */
693
static int
694
matches_env_check(const char *var, bool *full_match)
695
{
696
    int keepit = -1;
697
    debug_decl(matches_env_check, SUDOERS_DEBUG_ENV);
698

699
    /* Skip anything listed in env_check that includes '/' or '%'. */
700
    if (matches_env_list(var, &def_env_check, full_match)) {
701
	if (strncmp(var, "TZ=", 3) == 0) {
702
	    /* Special case for TZ */
703
	    keepit = tz_is_safe(var + 3);
704
	} else {
705
	    const char *val = strchr(var, '=');
706
	    if (val != NULL)
707
		keepit = !strpbrk(val + 1, "/%");
708
	}
709
    }
710
    debug_return_int(keepit);
711
}
712

713
/*
714
 * Check the env_keep list.
715
 * Returns true if the variable is allowed else false.
716
 */
717
static bool
718
matches_env_keep(const struct sudoers_context *ctx, const char *var,
719
    bool *full_match)
720
{
721
    bool keepit = false;
722
    debug_decl(matches_env_keep, SUDOERS_DEBUG_ENV);
723

724
    /* Preserve SHELL variable for "sudo -s". */
725
    if (ISSET(ctx->mode, MODE_SHELL) && strncmp(var, "SHELL=", 6) == 0) {
726
	keepit = true;
727
    } else if (matches_env_list(var, &def_env_keep, full_match)) {
728
	keepit = true;
729
    }
730
    debug_return_bool(keepit);
731
}
732

733
/*
734
 * Look up var in the env_delete and env_check.
735
 * Returns true if we should delete the variable, else false.
736
 */
737
static bool
738
env_should_delete(const char *var)
739
{
740
    int delete_it;
741
    bool full_match = false;
742
    debug_decl(env_should_delete, SUDOERS_DEBUG_ENV);
743

744
    delete_it = matches_env_delete(var);
745
    if (!delete_it)
746
	delete_it = matches_env_check(var, &full_match) == false;
747

748
    sudo_debug_printf(SUDO_DEBUG_INFO, "delete %s: %s",
749
	var, delete_it ? "YES" : "NO");
750
    debug_return_bool(delete_it);
751
}
752

753
/*
754
 * Lookup var in the env_check and env_keep lists.
755
 * Returns true if the variable is allowed else false.
756
 */
757
static bool
758
env_should_keep(const struct sudoers_context *ctx, const char *var)
759
{
760
    int keepit;
761
    bool full_match = false;
762
    const char *cp;
763
    debug_decl(env_should_keep, SUDOERS_DEBUG_ENV);
764

765
    keepit = matches_env_check(var, &full_match);
766
    if (keepit == -1)
767
	keepit = matches_env_keep(ctx, var, &full_match);
768

769
    /* Skip bash functions unless we matched on the value as well as name. */
770
    if (keepit && !full_match) {
771
	if ((cp = strchr(var, '=')) != NULL) {
772
	    if (strncmp(cp, "=() ", 4) == 0)
773
		keepit = false;
774
	}
775
    }
776
    sudo_debug_printf(SUDO_DEBUG_INFO, "keep %s: %s",
777
	var, keepit == true ? "YES" : "NO");
778
    debug_return_bool(keepit == true);
779
}
780

781
#ifdef HAVE_PAM
782
/*
783
 * Merge another environment with our private copy.
784
 * Only overwrite an existing variable if it is not
785
 * being preserved from the user's environment.
786
 * Returns true on success or false on failure.
787
 */
788
bool
789
env_merge(const struct sudoers_context *ctx, char * const envp[])
790
{
791
    char * const *ep;
792
    bool ret = true;
793
    debug_decl(env_merge, SUDOERS_DEBUG_ENV);
794

795
    for (ep = envp; *ep != NULL; ep++) {
796
	/* XXX - avoid checking value here, should only check name */
797
	bool overwrite = def_env_reset ? !env_should_keep(ctx, *ep) : env_should_delete(*ep);
798
	if (sudo_putenv(*ep, true, overwrite) == -1) {
799
	    /* XXX cannot undo on failure */
800
	    ret = false;
801
	    break;
802
	}
803
    }
804
    debug_return_bool(ret);
805
}
806
#endif /* HAVE_PAM */
807

808
static void
809
env_update_didvar(const char *ep, unsigned int *didvar)
810
{
811
    switch (*ep) {
812
	case 'H':
813
	    if (strncmp(ep, "HOME=", 5) == 0)
814
		SET(*didvar, DID_HOME);
815
	    break;
816
	case 'L':
817
#ifdef _AIX
818
	    if (strncmp(ep, "LOGIN=", 8) == 0)
819
		SET(*didvar, DID_LOGIN);
820
#endif
821
	    if (strncmp(ep, "LOGNAME=", 8) == 0)
822
		SET(*didvar, DID_LOGNAME);
823
	    break;
824
	case 'M':
825
	    if (strncmp(ep, "MAIL=", 5) == 0)
826
		SET(*didvar, DID_MAIL);
827
	    break;
828
	case 'P':
829
	    if (strncmp(ep, "PATH=", 5) == 0)
830
		SET(*didvar, DID_PATH);
831
	    break;
832
	case 'S':
833
	    if (strncmp(ep, "SHELL=", 6) == 0)
834
		SET(*didvar, DID_SHELL);
835
	    break;
836
	case 'T':
837
	    if (strncmp(ep, "TERM=", 5) == 0)
838
		SET(*didvar, DID_TERM);
839
	    break;
840
	case 'U':
841
	    if (strncmp(ep, "USER=", 5) == 0)
842
		SET(*didvar, DID_USER);
843
	    break;
844
    }
845
}
846

847
#define CHECK_PUTENV(a, b, c)	do {					       \
848
    if (sudo_putenv((char *)(a), (b), (c)) == -1) {			       \
849
	goto bad;							       \
850
    }									       \
851
} while (0)
852

853
#define CHECK_SETENV2(a, b, c, d)	do {				       \
854
    if (sudo_setenv2((char *)(a), (b), (c), (d)) == -1) {		       \
855
	goto bad;							       \
856
    }									       \
857
} while (0)
858

859
/*
860
 * Build a new environment and either clear potentially dangerous
861
 * variables from the old one or start with a clean slate.
862
 * Also adds sudo-specific variables (SUDO_*).
863
 * Returns true on success or false on failure.
864
 */
865
bool
866
rebuild_env(const struct sudoers_context *ctx)
867
{
868
    char **ep, *cp, *ps1;
869
    char idbuf[STRLEN_MAX_UNSIGNED(uid_t) + 1];
870
    unsigned int didvar;
871
    bool reset_home = false;
872
    int len;
873
    debug_decl(rebuild_env, SUDOERS_DEBUG_ENV);
874

875
    /*
876
     * Either clean out the environment or reset to a safe default.
877
     */
878
    ps1 = NULL;
879
    didvar = 0;
880
    env.env_len = 0;
881
    env.env_size = 128;
882
    sudoers_gc_remove(GC_PTR, env.old_envp);
883
    free(env.old_envp);
884
    env.old_envp = env.envp;
885
    env.envp = reallocarray(NULL, env.env_size, sizeof(char *));
886
    if (env.envp == NULL) {
887
	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
888
	    "unable to allocate memory");
889
	env.env_size = 0;
890
	goto bad;
891
    }
892
    sudoers_gc_add(GC_PTR, env.envp);
893
#ifdef ENV_DEBUG
894
    memset(env.envp, 0, env.env_size * sizeof(char *));
895
#else
896
    env.envp[0] = NULL;
897
#endif
898

899
    /* Reset HOME based on target user if configured to. */
900
    if (ISSET(ctx->mode, MODE_RUN)) {
901
	if (def_always_set_home ||
902
	    ISSET(ctx->mode, MODE_RESET_HOME | MODE_LOGIN_SHELL) || 
903
	    (ISSET(ctx->mode, MODE_SHELL) && def_set_home))
904
	    reset_home = true;
905
    }
906

907
    if (def_env_reset || ISSET(ctx->mode, MODE_LOGIN_SHELL)) {
908
	/*
909
	 * If starting with a fresh environment, initialize it based on
910
	 * /etc/environment or login.conf.  For "sudo -i" we want those
911
	 * variables to override the invoking user's environment, so we
912
	 * defer reading them until later.
913
	 */
914
	if (!ISSET(ctx->mode, MODE_LOGIN_SHELL)) {
915
#ifdef HAVE_LOGIN_CAP_H
916
	    /* Insert login class environment variables. */
917
	    if (ctx->runas.class) {
918
		login_cap_t *lc = login_getclass(ctx->runas.class);
919
		if (lc != NULL) {
920
		    setusercontext(lc, ctx->runas.pw,
921
			ctx->runas.pw->pw_uid, LOGIN_SETPATH|LOGIN_SETENV);
922
		    login_close(lc);
923
		}
924
	    }
925
#endif /* HAVE_LOGIN_CAP_H */
926
#ifdef _PATH_ENVIRONMENT
927
	    /* Insert system-wide environment variables. */
928
	    if (!read_env_file(ctx, _PATH_ENVIRONMENT, true, false))
929
		sudo_warn("%s", _PATH_ENVIRONMENT);
930
#endif
931
	    for (ep = env.envp; *ep; ep++)
932
		env_update_didvar(*ep, &didvar);
933
	}
934

935
	/* Pull in vars we want to keep from the old environment. */
936
	if (env.old_envp != NULL) {
937
	    for (ep = env.old_envp; *ep; ep++) {
938
		bool keepit;
939

940
		/*
941
		 * Look up the variable in the env_check and env_keep lists.
942
		 */
943
		keepit = env_should_keep(ctx, *ep);
944

945
		/*
946
		 * Do SUDO_PS1 -> PS1 conversion.
947
		 * This must happen *after* env_should_keep() is called.
948
		 */
949
		if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
950
		    ps1 = *ep + 5;
951

952
		if (keepit) {
953
		    /* Preserve variable. */
954
		    CHECK_PUTENV(*ep, true, false);
955
		    env_update_didvar(*ep, &didvar);
956
		}
957
	    }
958
	}
959
	didvar |= didvar << 16;		/* convert DID_* to KEPT_* */
960

961
	/*
962
	 * Add in defaults.  In -i mode these come from the runas user,
963
	 * otherwise they may be from the user's environment (depends
964
	 * on sudoers options).
965
	 */
966
	if (ISSET(ctx->mode, MODE_LOGIN_SHELL)) {
967
	    CHECK_SETENV2("SHELL", ctx->runas.pw->pw_shell,
968
		ISSET(didvar, DID_SHELL), true);
969
	    SET(didvar, DID_SHELL);
970
#ifdef _AIX
971
	    CHECK_SETENV2("LOGIN", ctx->runas.pw->pw_name,
972
		ISSET(didvar, DID_LOGIN), true);
973
#endif
974
	    CHECK_SETENV2("LOGNAME", ctx->runas.pw->pw_name,
975
		ISSET(didvar, DID_LOGNAME), true);
976
	    CHECK_SETENV2("USER", ctx->runas.pw->pw_name,
977
		ISSET(didvar, DID_USER), true);
978
	} else {
979
	    /* We will set LOGNAME later in the def_set_logname case. */
980
	    if (!def_set_logname) {
981
#ifdef _AIX
982
		if (!ISSET(didvar, DID_LOGIN))
983
		    CHECK_SETENV2("LOGIN", ctx->user.name, false, true);
984
#endif
985
		if (!ISSET(didvar, DID_LOGNAME))
986
		    CHECK_SETENV2("LOGNAME", ctx->user.name, false, true);
987
		if (!ISSET(didvar, DID_USER))
988
		    CHECK_SETENV2("USER", ctx->user.name, false, true);
989
	    }
990
	}
991

992
	/* If we didn't keep HOME, reset it based on target user. */
993
	if (!ISSET(didvar, KEPT_HOME))
994
	    reset_home = true;
995

996
	/*
997
	 * Set MAIL to target user in -i mode or if MAIL is not preserved
998
	 * from user's environment.
999
	 */
1000
	if (ISSET(ctx->mode, MODE_LOGIN_SHELL) || !ISSET(didvar, KEPT_MAIL)) {
1001
	    if (_PATH_MAILDIR[sizeof(_PATH_MAILDIR) - 2] == '/') {
1002
		len = asprintf(&cp, "MAIL=%s%s", _PATH_MAILDIR,
1003
		    ctx->runas.pw->pw_name);
1004
	    } else {
1005
		len = asprintf(&cp, "MAIL=%s/%s", _PATH_MAILDIR,
1006
		    ctx->runas.pw->pw_name);
1007
	    }
1008
	    if (len == -1)
1009
		    goto bad;
1010
	    if (sudo_putenv(cp, ISSET(didvar, DID_MAIL), true) == -1) {
1011
		free(cp);
1012
		goto bad;
1013
	    }
1014
	    sudoers_gc_add(GC_PTR, cp);
1015
	}
1016
    } else {
1017
	/*
1018
	 * Copy environ entries as long as they don't match env_delete or
1019
	 * env_check.
1020
	 */
1021
	if (env.old_envp != NULL) {
1022
	    for (ep = env.old_envp; *ep; ep++) {
1023
		/* Add variable unless it matches a blocklist. */
1024
		if (!env_should_delete(*ep)) {
1025
		    if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
1026
			ps1 = *ep + 5;
1027
		    else if (strncmp(*ep, "SHELL=", 6) == 0)
1028
			SET(didvar, DID_SHELL);
1029
		    else if (strncmp(*ep, "PATH=", 5) == 0)
1030
			SET(didvar, DID_PATH);
1031
		    else if (strncmp(*ep, "TERM=", 5) == 0)
1032
			SET(didvar, DID_TERM);
1033
		    CHECK_PUTENV(*ep, true, false);
1034
		}
1035
	    }
1036
	}
1037
    }
1038
    /* Replace the PATH envariable with a secure one? */
1039
    if (def_secure_path && !user_is_exempt(ctx)) {
1040
	CHECK_SETENV2("PATH", def_secure_path, true, true);
1041
	SET(didvar, DID_PATH);
1042
    }
1043

1044
    /*
1045
     * Set LOGIN, LOGNAME, and USER to target if "set_logname" is not
1046
     * disabled.  We skip this if we are running a login shell (because
1047
     * they have already been set).
1048
     */
1049
    if (def_set_logname && !ISSET(ctx->mode, MODE_LOGIN_SHELL)) {
1050
	if ((didvar & KEPT_USER_VARIABLES) == 0) {
1051
	    /* Nothing preserved, set them all. */
1052
#ifdef _AIX
1053
	    CHECK_SETENV2("LOGIN", ctx->runas.pw->pw_name, true, true);
1054
#endif
1055
	    CHECK_SETENV2("LOGNAME", ctx->runas.pw->pw_name, true, true);
1056
	    CHECK_SETENV2("USER", ctx->runas.pw->pw_name, true, true);
1057
	} else if ((didvar & KEPT_USER_VARIABLES) != KEPT_USER_VARIABLES) {
1058
	    /*
1059
	     * Preserved some of LOGIN, LOGNAME, USER but not all.
1060
	     * Make the unset ones match so we don't end up with some
1061
	     * set to the invoking user and others set to the runas user.
1062
	     */
1063
	    if (ISSET(didvar, KEPT_LOGNAME))
1064
		cp = sudo_getenv("LOGNAME");
1065
#ifdef _AIX
1066
	    else if (ISSET(didvar, KEPT_LOGIN))
1067
		cp = sudo_getenv("LOGIN");
1068
#endif
1069
	    else if (ISSET(didvar, KEPT_USER))
1070
		cp = sudo_getenv("USER");
1071
	    else
1072
		cp = NULL;
1073
	    if (cp != NULL) {
1074
#ifdef _AIX
1075
		if (!ISSET(didvar, KEPT_LOGIN))
1076
		    CHECK_SETENV2("LOGIN", cp, true, true);
1077
#endif
1078
		if (!ISSET(didvar, KEPT_LOGNAME))
1079
		    CHECK_SETENV2("LOGNAME", cp, true, true);
1080
		if (!ISSET(didvar, KEPT_USER))
1081
		    CHECK_SETENV2("USER", cp, true, true);
1082
	    }
1083
	}
1084
    }
1085

1086
    /* Set $HOME to target user if not preserving user's value. */
1087
    if (reset_home)
1088
	CHECK_SETENV2("HOME", ctx->runas.pw->pw_dir, true, true);
1089

1090
    /* Provide default values for $SHELL, $TERM and $PATH if not set. */
1091
    if (!ISSET(didvar, DID_SHELL))
1092
	CHECK_SETENV2("SHELL", ctx->runas.pw->pw_shell, false, false);
1093
    if (!ISSET(didvar, DID_TERM))
1094
	CHECK_PUTENV("TERM=unknown", false, false);
1095
    if (!ISSET(didvar, DID_PATH))
1096
	CHECK_SETENV2("PATH", _PATH_STDPATH, false, true);
1097

1098
    /* Set PS1 if SUDO_PS1 is set. */
1099
    if (ps1 != NULL)
1100
	CHECK_PUTENV(ps1, true, true);
1101

1102
    /* Add the SUDO_COMMAND envariable (cmnd + args). */
1103
    if (ctx->user.cmnd_args) {
1104
	/*
1105
	 * We limit ctx->user.cmnd_args to 4096 bytes to avoid an execve(2)
1106
	 * failure for very long argument vectors.  The command's environment
1107
	 * also counts against the ARG_MAX limit.
1108
	 */
1109
	len = asprintf(&cp, "SUDO_COMMAND=%s %.*s", ctx->user.cmnd, 4096,
1110
	    ctx->user.cmnd_args);
1111
	if (len == -1)
1112
	    goto bad;
1113
	if (sudo_putenv(cp, true, true) == -1) {
1114
	    free(cp);
1115
	    goto bad;
1116
	}
1117
	sudoers_gc_add(GC_PTR, cp);
1118
    } else {
1119
	CHECK_SETENV2("SUDO_COMMAND", ctx->user.cmnd, true, true);
1120
    }
1121

1122
    /* Add the SUDO_{USER,UID,GID,HOME,TTY} environment variables. */
1123
    CHECK_SETENV2("SUDO_USER", ctx->user.name, true, true);
1124
    (void)snprintf(idbuf, sizeof(idbuf), "%u", (unsigned int) ctx->user.uid);
1125
    CHECK_SETENV2("SUDO_UID", idbuf, true, true);
1126
    (void)snprintf(idbuf, sizeof(idbuf), "%u", (unsigned int) ctx->user.gid);
1127
    CHECK_SETENV2("SUDO_GID", idbuf, true, true);
1128
    CHECK_SETENV2("SUDO_HOME", ctx->user.pw->pw_dir, true, true);
1129
    if (ctx->user.ttypath != NULL)
1130
	CHECK_SETENV2("SUDO_TTY", ctx->user.ttypath, true, true);
1131

1132
    debug_return_bool(true);
1133

1134
bad:
1135
    sudo_warn("%s", U_("unable to rebuild the environment"));
1136
    debug_return_bool(false);
1137
}
1138

1139
/*
1140
 * Insert all environment variables in envp into the private copy
1141
 * of the environment.
1142
 * Returns true on success or false on failure.
1143
 */
1144
bool
1145
insert_env_vars(char * const envp[])
1146
{
1147
    char * const *ep;
1148
    bool ret = true;
1149
    debug_decl(insert_env_vars, SUDOERS_DEBUG_ENV);
1150

1151
    /* Add user-specified environment variables. */
1152
    if (envp != NULL) {
1153
	for (ep = envp; *ep != NULL; ep++) {
1154
	    /* XXX - no undo on failure */
1155
	    if (sudo_putenv(*ep, true, true) == -1) {
1156
		ret = false;
1157
		break;
1158
	    }
1159
	}
1160
    }
1161
    debug_return_bool(ret);
1162
}
1163

1164
/*
1165
 * Validate the list of environment variables passed in on the command
1166
 * line against env_delete, env_check, and env_keep.
1167
 * Calls log_warning() if any specified variables are not allowed.
1168
 * Returns true if allowed, else false.
1169
 */
1170
bool
1171
validate_env_vars(const struct sudoers_context *ctx, char * const env_vars[])
1172
{
1173
    char * const *ep;
1174
    char errbuf[4096];
1175
    char *errpos = errbuf;
1176
    bool okvar, ret = true;
1177
    debug_decl(validate_env_vars, SUDOERS_DEBUG_ENV);
1178

1179
    if (env_vars == NULL)
1180
	debug_return_bool(true);	/* nothing to do */
1181

1182
    /* Add user-specified environment variables. */
1183
    for (ep = env_vars; *ep != NULL; ep++) {
1184
	char *eq = strchr(*ep, '=');
1185
	if (eq == NULL || eq == *ep) {
1186
	    /* Must be in the form var=val. */
1187
	    okvar = false;
1188
	} else if (def_secure_path && !user_is_exempt(ctx) &&
1189
	    strncmp(*ep, "PATH=", 5) == 0) {
1190
	    okvar = false;
1191
	} else if (def_env_reset) {
1192
	    okvar = env_should_keep(ctx, *ep);
1193
	} else {
1194
	    okvar = !env_should_delete(*ep);
1195
	}
1196
	if (okvar == false) {
1197
	    /* Not allowed, append to error buffer if space remains. */
1198
	    if (errpos < &errbuf[sizeof(errbuf)]) {
1199
		const size_t varlen = strcspn(*ep, "=");
1200
		const size_t errsize = sizeof(errbuf) - (size_t)(errpos - errbuf);
1201
		int len = snprintf(errpos, errsize, "%s%.*s",
1202
		    errpos != errbuf ? ", " : "", (int)varlen, *ep);
1203
		if (len >= ssizeof(errbuf) - (errpos - errbuf)) {
1204
		    memcpy(&errbuf[sizeof(errbuf) - 4], "...", 4);
1205
		    errpos = &errbuf[sizeof(errbuf)];
1206
		} else {
1207
		    errpos += len;
1208
		}
1209
	    }
1210
	}
1211
    }
1212
    if (errpos != errbuf) {
1213
	/* XXX - audit? */
1214
	log_warningx(ctx, 0,
1215
	    N_("sorry, you are not allowed to set the following environment variables: %s"), errbuf);
1216
	ret = false;
1217
    }
1218
    debug_return_bool(ret);
1219
}
1220

1221
static void *
1222
env_file_open_local(const char *path)
1223
{
1224
    struct env_file_local *efl;
1225
    debug_decl(env_file_open_local, SUDOERS_DEBUG_ENV);
1226

1227
    efl = calloc(1, sizeof(*efl));
1228
    if (efl != NULL) {
1229
	if ((efl->fp = fopen(path, "r")) == NULL) {
1230
	    if (errno != ENOENT) {
1231
		free(efl);
1232
		efl = NULL;
1233
	    }
1234
	}
1235
    }
1236
    debug_return_ptr(efl);
1237
}
1238

1239
static void
1240
env_file_close_local(void *cookie)
1241
{
1242
    struct env_file_local *efl = cookie;
1243
    debug_decl(env_file_close_local, SUDOERS_DEBUG_ENV);
1244

1245
    if (efl != NULL) {
1246
	if (efl->fp != NULL)
1247
	    fclose(efl->fp);
1248
	free(efl->line);
1249
	free(efl);
1250
    }
1251
    debug_return;
1252
}
1253

1254
/*
1255
 * Parse /etc/environment lines ala AIX and Linux.
1256
 * Lines may be in either of three formats:
1257
 *  NAME=VALUE
1258
 *  NAME="VALUE"
1259
 *  NAME='VALUE'
1260
 * with an optional "export" prefix so the shell can source the file.
1261
 * Invalid lines, blank lines, or lines consisting solely of a comment
1262
 * character are skipped.
1263
 */
1264
static char *
1265
env_file_next_local(void *cookie, int *errnum)
1266
{
1267
    struct env_file_local *efl = cookie;
1268
    char *var, *val, *ret = NULL;
1269
    size_t var_len, val_len;
1270
    debug_decl(env_file_next_local, SUDOERS_DEBUG_ENV);
1271

1272
    *errnum = 0;
1273
    if (efl->fp == NULL)
1274
	debug_return_ptr(NULL);
1275

1276
    for (;;) {
1277
	if (sudo_parseln(&efl->line, &efl->linesize, NULL, efl->fp, PARSELN_CONT_IGN) == -1) {
1278
	    if (!feof(efl->fp))
1279
		*errnum = errno;
1280
	    break;
1281
	}
1282

1283
	/* Skip blank or comment lines */
1284
	if (*(var = efl->line) == '\0')
1285
	    continue;
1286

1287
	/* Skip optional "export " */
1288
	if (strncmp(var, "export", 6) == 0 && isspace((unsigned char) var[6])) {
1289
	    var += 7;
1290
	    while (isspace((unsigned char) *var)) {
1291
		var++;
1292
	    }
1293
	}
1294

1295
	/* Must be of the form name=["']value['"] */
1296
	for (val = var; *val != '\0' && *val != '='; val++)
1297
	    continue;
1298
	if (var == val || *val != '=')
1299
	    continue;
1300
	var_len = (size_t)(val - var);
1301
	val_len = strlen(++val);
1302

1303
	/* Strip leading and trailing single/double quotes */
1304
	if ((val[0] == '\'' || val[0] == '\"') && val_len > 1 && val[0] == val[val_len - 1]) {
1305
	    val[val_len - 1] = '\0';
1306
	    val++;
1307
	    val_len -= 2;
1308
	}
1309

1310
	if ((ret = malloc(var_len + 1 + val_len + 1)) == NULL) {
1311
	    *errnum = errno;
1312
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1313
		"unable to allocate memory");
1314
	} else {
1315
	    memcpy(ret, var, var_len + 1); /* includes '=' */
1316
	    memcpy(ret + var_len + 1, val, val_len + 1); /* includes NUL */
1317
	    sudoers_gc_add(GC_PTR, ret);
1318
	}
1319
	break;
1320
    }
1321
    debug_return_str(ret);
1322
}
1323

1324
static struct sudoers_env_file env_file_sudoers = {
1325
    env_file_open_local,
1326
    env_file_close_local,
1327
    env_file_next_local
1328
};
1329

1330
static struct sudoers_env_file env_file_system = {
1331
    env_file_open_local,
1332
    env_file_close_local,
1333
    env_file_next_local
1334
};
1335

1336
void
1337
register_env_file(void * (*ef_open)(const char *), void (*ef_close)(void *),
1338
    char * (*ef_next)(void *, int *), bool sys)
1339
{
1340
    struct sudoers_env_file *ef = sys ? &env_file_system : &env_file_sudoers;
1341

1342
    ef->open = ef_open;
1343
    ef->close = ef_close;
1344
    ef->next = ef_next;
1345
}
1346

1347
bool
1348
read_env_file(const struct sudoers_context *ctx, const char *path,
1349
    bool overwrite, bool restricted)
1350
{
1351
    struct sudoers_env_file *ef;
1352
    bool ret = true;
1353
    char *envstr;
1354
    void *cookie;
1355
    int errnum;
1356
    debug_decl(read_env_file, SUDOERS_DEBUG_ENV);
1357

1358
    /*
1359
     * The environment file may be handled differently depending on
1360
     * whether it is specified in sudoers or the system.
1361
     */
1362
    if (path == def_env_file || path == def_restricted_env_file)
1363
	ef = &env_file_sudoers;
1364
    else
1365
	ef = &env_file_system;
1366

1367
    cookie = ef->open(path);
1368
    if (cookie == NULL)
1369
	debug_return_bool(false);
1370

1371
    for (;;) {
1372
	/* Keep reading until EOF or error. */
1373
	if ((envstr = ef->next(cookie, &errnum)) == NULL) {
1374
	    if (errnum != 0)
1375
		ret = false;
1376
	    break;
1377
	}
1378

1379
	/*
1380
	 * If the env file is restricted, apply env_check and env_keep
1381
	 * when env_reset is set or env_delete when it is not.
1382
	 */
1383
	if (restricted) {
1384
	    if (def_env_reset ? !env_should_keep(ctx, envstr) : env_should_delete(envstr)) {
1385
		free(envstr);
1386
		continue;
1387
	    }
1388
	}
1389
	if (sudo_putenv(envstr, true, overwrite) == -1) {
1390
	    /* XXX - no undo on failure */
1391
	    ret = false;
1392
	    break;
1393
	}
1394
    }
1395
    ef->close(cookie);
1396

1397
    debug_return_bool(ret);
1398
}
1399

1400
bool
1401
init_envtables(void)
1402
{
1403
    struct list_member *cur;
1404
    const char **p;
1405
    debug_decl(init_envtables, SUDOERS_DEBUG_ENV);
1406

1407
    /* Fill in the "env_delete" list. */
1408
    for (p = initial_badenv_table; *p; p++) {
1409
	cur = calloc(1, sizeof(struct list_member));
1410
	if (cur == NULL || (cur->value = strdup(*p)) == NULL) {
1411
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1412
		"unable to allocate memory");
1413
	    free(cur);
1414
	    debug_return_bool(false);
1415
	}
1416
	SLIST_INSERT_HEAD(&def_env_delete, cur, entries);
1417
    }
1418

1419
    /* Fill in the "env_check" list. */
1420
    for (p = initial_checkenv_table; *p; p++) {
1421
	cur = calloc(1, sizeof(struct list_member));
1422
	if (cur == NULL || (cur->value = strdup(*p)) == NULL) {
1423
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1424
		"unable to allocate memory");
1425
	    free(cur);
1426
	    debug_return_bool(false);
1427
	}
1428
	SLIST_INSERT_HEAD(&def_env_check, cur, entries);
1429
    }
1430

1431
    /* Fill in the "env_keep" list. */
1432
    for (p = initial_keepenv_table; *p; p++) {
1433
	cur = calloc(1, sizeof(struct list_member));
1434
	if (cur == NULL || (cur->value = strdup(*p)) == NULL) {
1435
	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
1436
		"unable to allocate memory");
1437
	    free(cur);
1438
	    debug_return_bool(false);
1439
	}
1440
	SLIST_INSERT_HEAD(&def_env_keep, cur, entries);
1441
    }
1442
    debug_return_bool(true);
1443
}
1444

1445