From 18387ab2eb1018d5d1d9c4eff1c3489ba334be30 Mon Sep 17 00:00:00 2001 From: des Date: Thu, 6 Feb 2003 12:40:58 +0000 Subject: Export the PAM environment to the child process instead of the "normal" environment list, which may be unsafe and / or sensitive. Sponsored by: DARPA, NAI Labs --- lib/libpam/modules/pam_exec/pam_exec.8 | 5 ++++- lib/libpam/modules/pam_exec/pam_exec.c | 10 ++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 index 86c3260..1e3ac2d 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.8 +++ b/lib/libpam/modules/pam_exec/pam_exec.8 @@ -1,6 +1,6 @@ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. -.\" Copyright (c) 2001 Networks Associates Technology, Inc. +.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc. .\" All rights reserved. .\" .\" Portions of this software were developed for the FreeBSD Project by @@ -50,6 +50,9 @@ The exec service module for PAM executes the program designated by its first argument, with its remaining arguments as command-line arguments. +The child's environment is set to the current PAM environment list, +as returned by +.Xr pam_getenvlist 3 . .Sh SEE ALSO .Xr pam.conf 5 , .Xr pam 8 diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index 993f25b..23fc609 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -52,6 +52,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused, int argc, const char *argv[]) { int childerr, status; + char **env, **envlist; pid_t pid; if (argc < 1) 
@@ -61,12 +62,17 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
  * XXX For additional credit, divert child's stdin/stdout/stderr
  * to the conversation function.
  */
+ envlist = pam_getenvlist(pamh);
  childerr = 0;
  if ((pid = vfork()) == 0) {
- execv(argv[0], argv);
+ execve(argv[0], argv, envlist);
  childerr = errno;
  _exit(1);
- } else if (pid == -1) {
+ }
+ for (env = envlist; *env != NULL; ++env)
+ free(*env);
+ free(envlist);
+ if (pid == -1) {
  openpam_log(PAM_LOG_ERROR, "vfork(): %m");
  return (PAM_SYSTEM_ERR);
  }
-- 
cgit v1.1
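Review bot: The result of `pam_getenvlist(pamh)` is used without a NULL check: pam_getenvlist(3) returns NULL when it cannot allocate the list, and in that case the parent's cleanup loop `for (env = envlist; *env != NULL; ++env)` dereferences a null pointer, after the child has already been handed a NULL envp by execve(). Add a guard immediately after the call and before vfork(), e.g. `if (envlist == NULL) return (PAM_BUF_ERR);` (or whichever code this module uses for allocation failure), so the child is never spawned with an undefined environment and the parent never walks a NULL list. Freeing envlist in the parent after vfork() returns is safe as written, since vfork() suspends the parent until the child has exec'd or _exit'ed and execve() copies the strings into the new image. The enclosing function _pam_exec begins before this hunk and continues past it.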