diff options
author | kientzle <kientzle@FreeBSD.org> | 2004-02-29 22:13:28 +0000 |
---|---|---|
committer | kientzle <kientzle@FreeBSD.org> | 2004-02-29 22:13:28 +0000 |
commit | 48517ca7da7dcb3e5782eed3d7a0b79794e44774 (patch) | |
tree | 709c041daecab45c2b0ff6eadc60f4b9b43367a3 | |
parent | 9d29f488fff50b2f5e4eb49f972fb3d0e3522029 (diff) | |
download | FreeBSD-src-48517ca7da7dcb3e5782eed3d7a0b79794e44774.zip FreeBSD-src-48517ca7da7dcb3e5782eed3d7a0b79794e44774.tar.gz |
Back out the "clean_environment()" function from libutil.
Further contemplation has convinced me that this was
not going to really solve the problem of environment-poisoning
without raising serious administrative headaches. There
must be a better way...
-rw-r--r-- | lib/libutil/Makefile | 8 | ||||
-rw-r--r-- | lib/libutil/clean_environment.3 | 86 | ||||
-rw-r--r-- | lib/libutil/clean_environment.c | 121 |
3 files changed, 4 insertions, 211 deletions
diff --git a/lib/libutil/Makefile b/lib/libutil/Makefile index de6aa63..e13663c 100644 --- a/lib/libutil/Makefile +++ b/lib/libutil/Makefile @@ -6,9 +6,9 @@ SHLIB_MAJOR= 4 SHLIBDIR?= /lib CFLAGS+=-DLIBC_SCCS -I${.CURDIR} -I${.CURDIR}/../libc/gen/ CFLAGS+=-DINET6 -SRCS= _secure_path.c auth.c clean_environment.c fparseln.c login.c \ - login_auth.c login_cap.c login_class.c login_crypt.c login_ok.c \ - login_times.c login_tty.c logout.c logwtmp.c property.c pty.c \ +SRCS= _secure_path.c auth.c fparseln.c login.c login_auth.c \ + login_cap.c login_class.c login_crypt.c login_ok.c login_times.c \ + login_tty.c logout.c logwtmp.c property.c pty.c \ pw_util.c realhostname.c stub.c \ trimdomain.c uucplock.c INCS= libutil.h login_cap.h @@ -16,7 +16,7 @@ INCS= libutil.h login_cap.h MAN+= login.3 login_auth.3 login_tty.3 logout.3 logwtmp.3 pty.3 \ login_cap.3 login_class.3 login_times.3 login_ok.3 \ _secure_path.3 uucplock.3 property.3 auth.3 realhostname.3 \ - realhostname_sa.3 trimdomain.3 fparseln.3 clean_environment.3 + realhostname_sa.3 trimdomain.3 fparseln.3 MAN+= login.conf.5 auth.conf.5 MLINKS+= property.3 properties_read.3 property.3 properties_free.3 MLINKS+= property.3 property_find.3 diff --git a/lib/libutil/clean_environment.3 b/lib/libutil/clean_environment.3 deleted file mode 100644 index b99ebf3..0000000 --- a/lib/libutil/clean_environment.3 +++ /dev/null @@ -1,86 +0,0 @@ -.\" Copyright (c) 2003 Tim Kientzle -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd March 1, 2004 -.Os -.Dt CLEAN_ENVIRONMENT 3 -.Sh NAME -.Nm clean_environment -.Nd sanitize environment variables -.Sh LIBRARY -.Lb libutil -.Sh SYNOPSIS -.In libutil.h -.Ft void -.Fn clean_environment "const char * const *whitelist" "const char * const *extra_whitelist" -.Sh DESCRIPTION -The -.Fn clean_environment -function removes unsafe environment variables from the current -process environment. -It scans the current environment and discards any environment variable -that does not occur in one of the two NULL-terminated lists. -.Pp -If the first argument is -.Dv NULL , -a built-in default whitelist will be used. -Most callers will use -.Dv NULL -for both arguments to obtain the default environment screening. -Callers who need to make minor adjustments to the built-in -whitelist can set the first argument to -.Dv NULL -and use the second argument to, in effect, -add elements to the built-in whitelist. -.Sh EXAMPLES -The first example illustrates the typical usage. -In this case, the default built-in environment screen -will be used, which removes all environment variables -that are not on the built-in whitelist. -.Bd -literal -offset indent - clean_environment(NULL, NULL); -.Ed -.Pp -The following example applies the default environment screens -except that the environment variables -.Cm MYCUSTOM -and -.Cm MYCUSTOM2 -will also be kept and the -.Cm TERM -and -.Cm TERMCAP -environment variables will be removed. -.Bd -literal -offset indent - const char *keep[] = { "MYCUSTOM", "MYCUSTOM2", NULL }; - const char *remove[] = { "TERM", "TERMCAP", NULL }; - - clean_environment(NULL, keep); - for (p = remove; *p != NULL; p++) - unsetenv(*p); -.Ed -.Sh SEE ALSO -.Xr unsetenv 3 diff --git a/lib/libutil/clean_environment.c b/lib/libutil/clean_environment.c deleted file mode 100644 index 068e412..0000000 --- a/lib/libutil/clean_environment.c +++ /dev/null @@ -1,121 +0,0 @@ -/*- - * Copyright (c) 2004 Tim Kientzle - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer - * in this position and unchanged. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include <sys/types.h> -#include <string.h> -#include "libutil.h" - -static int env_var_in_list(const char * const *list, char *var, size_t len); - - -/* - * Default whitelist of "known safe" environment variables. - */ -static const char *default_whitelist[] = { - /* List from SUS "Environment Variables" Appendix */ - "ARFLAGS", "CC", "CDPATH", "CFLAGS", "CHARSET", "COLUMNS", - "DATEMSK", "DEAD", "EDITOR", "ENV", "EXINIT", "FC", "FCEDIT", - "FFLAGS", "GET", "GFLAGS", "HISTFILE", "HISTORY", "HISTSIZE", - "HOME", "IFS", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", - "LC_MESSAGES", "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LDFLAGS", - "LEX", "LFLAGS", "LINENO", "LINES", "LISTER", "LOGNAME", "LPDEST", - "MAIL", "MAILCHECK", "MAILER", "MAILPATH", "MAILRC", "MAKEFLAGS", - "MAKESHELL", "MANPATH", "MBOX", "MORE", "MSGVERB", "NLSPATH", - "NPROC", "OLDPWD", "OPTARG", "OPTERR", "OPTIND", "PAGER", "PATH", - "PPID", "PRINTER", "PROCLANG", "PROJECTDIR", "PS1", "PS2", "PS3", - "PS4", "PWD", "RANDOM", "SECONDS", "SHELL", "TERM", "TERMCAP", - "TERMINFO", "TMPDIR", "TZ", "USER", "VISUAL", "YACC", "YFLAGS", - - /* Additional Environment Variables */ - "KRB5CCNAME", "LOGIN", "MAILDIR", "SSH_AGENT_PID", "SSH_AUTH_SOCK", - - /* Terminating NULL */ - NULL -}; - -static int -env_var_in_list(const char * const *list, char *var, size_t len) -{ - if (list == NULL) - return (0); - - while (*list != NULL) { - if (strncmp(var, *list, len) == 0 && - len == strlen(*list)) - return (1); - list++; - } - return (0); -} - - -/* - * Scrub the environment by applying a "whitelist" of safe variables - * and a "blacklist" of known dangerous variables. Each environment - * variable is examined and is retained only if it appears in a whitelist - * and does not appear in the blacklist. - * - * If the first argument is NULL, a built-in whitelist will be used. - * The second and third arguments allow clients to adjust the built-in - * whitelist without having to replicate it. - * - */ -void -clean_environment(const char * const *whitelist, - const char * const *extra_whitelist) -{ - extern char **environ; - char *p, **new, **old; - int len; - int safe; - - old = environ; - new = environ; - - if (whitelist == NULL) - whitelist = default_whitelist; - - while (*old != NULL) { - safe = 0; - p = strchr(*old, '='); - if (p != NULL) - len = p - *old; - else - len = strlen(*old); - - if (env_var_in_list(whitelist, *old, len) || - env_var_in_list(extra_whitelist, *old, len)) - *new++ = *old; - - old++; - } - while (*new != NULL) - *new++ = NULL; - -} |