libc: Use secure_getenv(3) where appropriate

No functional change intended. Reviewed by: mjg, imp, kib Differential Revision: https://reviews.freebsd.org/D39278
2023-03-27 08:55:01 -04:00 · 2023-03-27 08:55:01 -04:00 · 68ca8363c7
commit 68ca8363c7
parent ad2f2ee015
16 changed files with 25 additions and 43 deletions
--- a/lib/libc/db/btree/bt_open.c
+++ b/lib/libc/db/btree/bt_open.c
@ -391,11 +391,10 @@ tmp(void)
 {
 	sigset_t set, oset;
 	int fd, len;
-	char *envtmp = NULL;
+	char *envtmp;
 	char path[MAXPATHLEN];
-	if (issetugid() == 0)
+	envtmp = secure_getenv("TMPDIR");
 		envtmp = getenv("TMPDIR");
 	len = snprintf(path,
 	    sizeof(path), "%s/bt.XXXXXXXXXX", envtmp ? envtmp : "/tmp");
 	if (len < 0 || len >= (int)sizeof(path)) {
--- a/lib/libc/db/hash/hash_page.c
+++ b/lib/libc/db/hash/hash_page.c
@ -855,11 +855,10 @@ open_temp(HTAB *hashp)
 {
 	sigset_t set, oset;
 	int len;
-	char *envtmp = NULL;
+	char *envtmp;
 	char path[MAXPATHLEN];
-	if (issetugid() == 0)
+	envtmp = secure_getenv("TMPDIR");
 		envtmp = getenv("TMPDIR");
 	len = snprintf(path,
 	    sizeof(path), "%s/_hash.XXXXXX", envtmp ? envtmp : "/tmp");
 	if (len < 0 || len >= (int)sizeof(path)) {
--- a/lib/libc/gen/fstab.c
+++ b/lib/libc/gen/fstab.c
@ -259,12 +259,8 @@ setfsent(void)
 		LineNo = 0;
 		return (1);
 	}
-	if (fsp_set == 0) {
+	if (fsp_set == 0)
-		if (issetugid())
+		setfstab(secure_getenv("PATH_FSTAB"));
 			setfstab(NULL);
 		else
 			setfstab(getenv("PATH_FSTAB"));
 	}
 	if ((_fs_fp = fopen(path_fstab, "re")) != NULL) {
 		LineNo = 0;
 		return (1);
--- a/lib/libc/gen/glob-compat11.c
+++ b/lib/libc/gen/glob-compat11.c
@ -422,8 +422,7 @@ globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob11_t *pglob)
 		 * we're not running setuid or setgid) and then trying
 		 * the password file
 		 */
-		if (issetugid() != 0 ||
+		if ((h = secure_getenv("HOME")) == NULL) {
 		    (h = getenv("HOME")) == NULL) {
 			if (((h = getlogin()) != NULL &&
 			     (pwd = getpwnam(h)) != NULL) ||
 			    (pwd = getpwuid(getuid())) != NULL)
--- a/lib/libc/gen/glob.c
+++ b/lib/libc/gen/glob.c
@ -453,8 +453,7 @@ globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
 		 * we're not running setuid or setgid) and then trying
 		 * the password file
 		 */
-		if (issetugid() != 0 ||
+		if ((h = secure_getenv("HOME")) == NULL) {
 		    (h = getenv("HOME")) == NULL) {
 			if (((h = getlogin()) != NULL &&
 			     (pwd = getpwnam(h)) != NULL) ||
 			    (pwd = getpwuid(getuid())) != NULL)
--- a/lib/libc/iconv/citrus_iconv.c
+++ b/lib/libc/iconv/citrus_iconv.c
@ -81,8 +81,9 @@ init_cache(void)
 		_CITRUS_HASH_INIT(&shared_pool, CI_HASH_SIZE);
 		TAILQ_INIT(&shared_unused);
 		shared_max_reuse = -1;
-		if (!issetugid() && getenv(CI_ENV_MAX_REUSE))
+		if (secure_getenv(CI_ENV_MAX_REUSE) != NULL)
-			shared_max_reuse = atoi(getenv(CI_ENV_MAX_REUSE));
+			shared_max_reuse =
 			    atoi(secure_getenv(CI_ENV_MAX_REUSE));
 		if (shared_max_reuse < 0)
 			shared_max_reuse = CI_INITIAL_MAX_REUSE;
 		isinit = true;
--- a/lib/libc/iconv/citrus_module.c
+++ b/lib/libc/iconv/citrus_module.c
@ -282,8 +282,8 @@ _citrus_load_module(_citrus_module_t *rhandle, const char *encname)
 	int maj, min;
 	if (_pathI18nModule == NULL) {
-		p = getenv("PATH_I18NMODULE");
+		p = secure_getenv("PATH_I18NMODULE");
-		if (p != NULL && !issetugid()) {
+		if (p != NULL) {
 			_pathI18nModule = strdup(p);
 			if (_pathI18nModule == NULL)
 				return (ENOMEM);
--- a/lib/libc/locale/setlocale.c
+++ b/lib/libc/locale/setlocale.c
@ -312,9 +312,9 @@ int
 __detect_path_locale(void)
 {
 	if (_PathLocale == NULL) {
-		char *p = getenv("PATH_LOCALE");
+		char *p = secure_getenv("PATH_LOCALE");
-		if (p != NULL && !issetugid()) {
+		if (p != NULL) {
 			if (strlen(p) + 1/*"/"*/ + ENCODING_LEN +
 			    1/*"/"*/ + CATEGORY_LEN >= PATH_MAX)
 				return (ENAMETOOLONG);
--- a/lib/libc/net/hesiod.c
+++ b/lib/libc/net/hesiod.c
@ -92,10 +92,7 @@ hesiod_init(context)
 	ctx = malloc(sizeof(struct hesiod_p));
 	if (ctx) {
 		*context = ctx;
-		if (!issetugid())
+		configname = secure_getenv("HESIOD_CONFIG");
 			configname = getenv("HESIOD_CONFIG");
 		else
 			configname = NULL;
 		if (!configname)
 			configname = _PATH_HESIOD_CONF;
 		if (read_config_file(ctx, configname) >= 0) {
@ -103,10 +100,7 @@ hesiod_init(context)
 			 * The default rhs can be overridden by an
 			 * environment variable.
 			 */
-			if (!issetugid())
+			p = secure_getenv("HES_DOMAIN");
 				p = getenv("HES_DOMAIN");
 			else
 				p = NULL;
 			if (p) {
 				if (ctx->rhs)
 					free(ctx->rhs);
--- a/lib/libc/net/rcmd.c
+++ b/lib/libc/net/rcmd.c
@ -97,7 +97,7 @@ rcmd_af(char **ahost, int rport, const char *locuser, const char *remuser,
 	static char canonnamebuf[MAXDNAME];	/* is it proper here? */
 	/* call rcmdsh() with specified remote shell if appropriate. */
-	if (!issetugid() && (p = getenv("RSH"))) {
+	if ((p = secure_getenv("RSH")) != NULL) {
 		struct servent *sp = getservbyname("shell", "tcp");
 		if (sp && sp->s_port == rport)
--- a/lib/libc/nls/msgcat.c
+++ b/lib/libc/nls/msgcat.c
@ -196,7 +196,7 @@ __catopen_l(const char *name, int type, locale_t locale)
 		pcode = cptr;
 	}
-	if ((nlspath = getenv("NLSPATH")) == NULL || issetugid())
+	if ((nlspath = secure_getenv("NLSPATH")) == NULL)
 		nlspath = _DEFAULT_NLS_PATH;
 	if ((base = cptr = strdup(nlspath)) == NULL) {
--- a/lib/libc/posix1e/mac.c
+++ b/lib/libc/posix1e/mac.c
@ -177,9 +177,8 @@ mac_init_internal(int ignore_errors)
 	LIST_INIT(&label_default_head);
-	if (!issetugid() && getenv("MAC_CONFFILE") != NULL)
+	filename = secure_getenv("MAC_CONFFILE");
-		filename = getenv("MAC_CONFFILE");
+	if (filename == NULL)
 	else
 		filename = MAC_CONFFILE;
 	file = fopen(filename, "re");
 	if (file == NULL)
--- a/lib/libc/resolv/res_init.c
+++ b/lib/libc/resolv/res_init.c
@ -277,7 +277,7 @@ __res_vinit(res_state statp, int preinit) {
 #endif	/* SOLARIS2 */
 	/* Allow user to override the local domain definition */
-	if (issetugid() == 0 && (cp = getenv("LOCALDOMAIN")) != NULL) {
+	if ((cp = secure_getenv("LOCALDOMAIN")) != NULL) {
 		(void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
 		statp->defdname[sizeof(statp->defdname) - 1] = '\0';
 		haveenv++;
--- a/lib/libc/resolv/res_query.c
+++ b/lib/libc/resolv/res_query.c
@ -457,9 +457,7 @@ res_hostalias(const res_state statp, const char *name, char *dst, size_t siz) {
 	if (statp->options & RES_NOALIASES)
 		return (NULL);
-	if (issetugid())
+	file = secure_getenv("HOSTALIASES");
 		return (NULL);
 	file = getenv("HOSTALIASES");
 	if (file == NULL || (fp = fopen(file, "re")) == NULL)
 		return (NULL);
 	setbuf(fp, NULL);
--- a/lib/libc/stdio/tempnam.c
+++ b/lib/libc/stdio/tempnam.c
@ -60,7 +60,7 @@ tempnam(const char *dir, const char *pfx)
 	if (!pfx)
 		pfx = "tmp.";
-	if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
+	if ((f = secure_getenv("TMPDIR")) != NULL) {
 		(void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXX", f,
 		    *(f + strlen(f) - 1) == '/'? "": "/", pfx);
 		if ((f = _mktemp(name)))
--- a/lib/libc/stdio/tmpfile.c
+++ b/lib/libc/stdio/tmpfile.c
@ -60,9 +60,7 @@ tmpfile(void)
 	char *buf;
 	const char *tmpdir;
-	tmpdir = NULL;
+	tmpdir = secure_getenv("TMPDIR");
 	if (issetugid() == 0)
 		tmpdir = getenv("TMPDIR");
 	if (tmpdir == NULL)
 		tmpdir = _PATH_TMP;