authornectar <nectar@FreeBSD.org>2001-02-09 13:21:50 +0000
committernectar <nectar@FreeBSD.org>2001-02-09 13:21:50 +0000
commitece0f4657e13b8402bd524fef33d1f6072fc37cc (patch)
tree594f1f90295a3db6ab122116b6c3f19cf9be4bc9 /usr.bin/login
parentcc4427cd1a64dd27f49e303d9b2428737d74943d (diff)
Fix login so that it exports environment variables that are set by PAM
modules (via pam_putenv). The following variables will never be set in this fashion: SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH, and any variable starting with `LD_'
Diffstat (limited to 'usr.bin/login')
-rw-r--r--usr.bin/login/login.c58
1 files changed, 58 insertions, 0 deletions
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index c53ba6a..7f7a09b 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -106,6 +106,8 @@ void login_fbtab __P((char *, uid_t, gid_t));
#ifndef NO_PAM
static int auth_pam __P((void));
+static int export_pam_environment __P((void));
+static int ok_to_export __P((const char *));
#endif
static int auth_traditional __P((void));
extern void login __P((struct utmp *));
@@ -128,6 +130,9 @@ struct passwd *pwd;
int failures;
char *term, *envinit[1], *hostname, *username, *tty;
char full_hostname[MAXHOSTNAMELEN];
+#ifndef NO_PAM
+static char **environ_pam;
+#endif
int
main(argc, argv)
@@ -548,6 +553,15 @@ main(argc, argv)
if (!pflag)
environ = envinit;
+#ifndef NO_PAM
+ /*
+ * Add any environmental variables that the
+ * PAM modules may have set.
+ */
+ if (environ_pam)
+ export_pam_environment();
+#endif
+
/*
* We don't need to be root anymore, so
* set the user and session context
@@ -718,6 +732,7 @@ auth_pam()
PAM_SUCCESS)
syslog(LOG_ERR, "Couldn't establish credentials: %s",
pam_strerror(pamh, e));
+ environ_pam = pam_getenvlist(pamh);
rval = 0;
break;
@@ -738,6 +753,49 @@ auth_pam()
}
return rval;
}
+
+static int
+export_pam_environment()
+{
+ char **pp;
+
+ for (pp = environ_pam; *pp != NULL; pp++) {
+ if (ok_to_export(*pp))
+ (void) putenv(*pp);
+ free(*pp);
+ }
+ return PAM_SUCCESS;
+}
+
+/*
+ * Sanity checks on PAM environmental variables:
+ * - Make sure there is an '=' in the string.
+ * - Make sure the string doesn't run on too long.
+ * - Do not export certain variables. This list was taken from the
+ * Solaris pam_putenv(3) man page.
+ */
+static int
+ok_to_export(s)
+ const char *s;
+{
+ static const char *noexport[] = {
+ "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
+ "IFS", "PATH", NULL
+ };
+ const char **pp;
+ size_t n;
+
+ if (strlen(s) > 1024 || strchr(s, '=') == NULL)
+ return 0;
+ if (strncmp(s, "LD_", 3) == 0)
+ return 0;
+ for (pp = noexport; *pp != NULL; pp++) {
+ n = strlen(*pp);
+ if (s[n] == '=' && strncmp(s, *pp, n) == 0)
+ return 0;
+ }
+ return 1;
+}
#endif /* NO_PAM */
static void
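Review bot: In ok_to_export() the test `s[n] == '=' && strncmp(s, *pp, n) == 0` indexes `s[n]` before anything has shown that s is at least n bytes long, so a short entry (a constructed example: `A=1`) is read past its terminator when it is compared against `LOGNAME`. Putting the comparison first, `if (strncmp(s, *pp, n) == 0 && s[n] == '=')`, keeps the read in bounds because strncmp stops at the NUL. In export_pam_environment() every string is freed immediately after `putenv(*pp)`, which is only safe if this libc's putenv copies its argument; the hunk does not show that, and a POSIX-style putenv keeps the caller's pointer, which would leave environ pointing at freed memory. If that cannot be guaranteed, free only the entries that were rejected, or export a copy with setenv. The `environ_pam` array itself is never freed in the visible code, and the `1024` limit would read better as a named constant with a comment saying why over-long entries are dropped.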