Back out the "clean_environment()" function from libutil.
Further contemplation has convinced me that this was not going to really solve the problem of environment-poisoning without raising serious administrative headaches. There must be a better way...
This commit is contained in:
Tim Kientzle
parent
c92dfc231b
commit
09951e89e9
@ -6,9 +6,9 @@ SHLIB_MAJOR= 4
|
||||
SHLIBDIR?= /lib
|
||||
CFLAGS+=-DLIBC_SCCS -I${.CURDIR} -I${.CURDIR}/../libc/gen/
|
||||
CFLAGS+=-DINET6
|
||||
SRCS= _secure_path.c auth.c clean_environment.c fparseln.c login.c \
|
||||
login_auth.c login_cap.c login_class.c login_crypt.c login_ok.c \
|
||||
login_times.c login_tty.c logout.c logwtmp.c property.c pty.c \
|
||||
SRCS= _secure_path.c auth.c fparseln.c login.c login_auth.c \
|
||||
login_cap.c login_class.c login_crypt.c login_ok.c login_times.c \
|
||||
login_tty.c logout.c logwtmp.c property.c pty.c \
|
||||
pw_util.c realhostname.c stub.c \
|
||||
trimdomain.c uucplock.c
|
||||
INCS= libutil.h login_cap.h
|
||||
@ -16,7 +16,7 @@ INCS= libutil.h login_cap.h
|
||||
MAN+= login.3 login_auth.3 login_tty.3 logout.3 logwtmp.3 pty.3 \
|
||||
login_cap.3 login_class.3 login_times.3 login_ok.3 \
|
||||
_secure_path.3 uucplock.3 property.3 auth.3 realhostname.3 \
|
||||
realhostname_sa.3 trimdomain.3 fparseln.3 clean_environment.3
|
||||
realhostname_sa.3 trimdomain.3 fparseln.3
|
||||
MAN+= login.conf.5 auth.conf.5
|
||||
MLINKS+= property.3 properties_read.3 property.3 properties_free.3
|
||||
MLINKS+= property.3 property_find.3
|
||||
|
||||
@ -1,86 +0,0 @@
|
||||
.\" Copyright (c) 2003 Tim Kientzle
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd March 1, 2004
|
||||
.Os
|
||||
.Dt CLEAN_ENVIRONMENT 3
|
||||
.Sh NAME
|
||||
.Nm clean_environment
|
||||
.Nd sanitize environment variables
|
||||
.Sh LIBRARY
|
||||
.Lb libutil
|
||||
.Sh SYNOPSIS
|
||||
.In libutil.h
|
||||
.Ft void
|
||||
.Fn clean_environment "const char * const *whitelist" "const char * const *extra_whitelist"
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Fn clean_environment
|
||||
function removes unsafe environment variables from the current
|
||||
process environment.
|
||||
It scans the current environment and discards any environment variable
|
||||
that does not occur in one of the two NULL-terminated lists.
|
||||
.Pp
|
||||
If the first argument is
|
||||
.Dv NULL ,
|
||||
a built-in default whitelist will be used.
|
||||
Most callers will use
|
||||
.Dv NULL
|
||||
for both arguments to obtain the default environment screening.
|
||||
Callers who need to make minor adjustments to the built-in
|
||||
whitelist can set the first argument to
|
||||
.Dv NULL
|
||||
and use the second argument to, in effect,
|
||||
add elements to the built-in whitelist.
|
||||
.Sh EXAMPLES
|
||||
The first example illustrates the typical usage.
|
||||
In this case, the default built-in environment screen
|
||||
will be used, which removes all environment variables
|
||||
that are not on the built-in whitelist.
|
||||
.Bd -literal -offset indent
|
||||
clean_environment(NULL, NULL);
|
||||
.Ed
|
||||
.Pp
|
||||
The following example applies the default environment screens
|
||||
except that the environment variables
|
||||
.Cm MYCUSTOM
|
||||
and
|
||||
.Cm MYCUSTOM2
|
||||
will also be kept and the
|
||||
.Cm TERM
|
||||
and
|
||||
.Cm TERMCAP
|
||||
environment variables will be removed.
|
||||
.Bd -literal -offset indent
|
||||
const char *keep[] = { "MYCUSTOM", "MYCUSTOM2", NULL };
|
||||
const char *remove[] = { "TERM", "TERMCAP", NULL };
|
||||
|
||||
clean_environment(NULL, keep);
|
||||
for (p = remove; *p != NULL; p++)
|
||||
unsetenv(*p);
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr unsetenv 3
|
||||
@ -1,121 +0,0 @@
|
||||
/*-
|
||||
* Copyright (c) 2004 Tim Kientzle
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer
|
||||
* in this position and unchanged.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__FBSDID("$FreeBSD$");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
#include "libutil.h"
|
||||
|
||||
static int env_var_in_list(const char * const *list, char *var, size_t len);
|
||||
|
||||
|
||||
/*
|
||||
* Default whitelist of "known safe" environment variables.
|
||||
*/
|
||||
static const char *default_whitelist[] = {
|
||||
/* List from SUS "Environment Variables" Appendix */
|
||||
"ARFLAGS", "CC", "CDPATH", "CFLAGS", "CHARSET", "COLUMNS",
|
||||
"DATEMSK", "DEAD", "EDITOR", "ENV", "EXINIT", "FC", "FCEDIT",
|
||||
"FFLAGS", "GET", "GFLAGS", "HISTFILE", "HISTORY", "HISTSIZE",
|
||||
"HOME", "IFS", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE",
|
||||
"LC_MESSAGES", "LC_MONETARY", "LC_NUMERIC", "LC_TIME", "LDFLAGS",
|
||||
"LEX", "LFLAGS", "LINENO", "LINES", "LISTER", "LOGNAME", "LPDEST",
|
||||
"MAIL", "MAILCHECK", "MAILER", "MAILPATH", "MAILRC", "MAKEFLAGS",
|
||||
"MAKESHELL", "MANPATH", "MBOX", "MORE", "MSGVERB", "NLSPATH",
|
||||
"NPROC", "OLDPWD", "OPTARG", "OPTERR", "OPTIND", "PAGER", "PATH",
|
||||
"PPID", "PRINTER", "PROCLANG", "PROJECTDIR", "PS1", "PS2", "PS3",
|
||||
"PS4", "PWD", "RANDOM", "SECONDS", "SHELL", "TERM", "TERMCAP",
|
||||
"TERMINFO", "TMPDIR", "TZ", "USER", "VISUAL", "YACC", "YFLAGS",
|
||||
|
||||
/* Additional Environment Variables */
|
||||
"KRB5CCNAME", "LOGIN", "MAILDIR", "SSH_AGENT_PID", "SSH_AUTH_SOCK",
|
||||
|
||||
/* Terminating NULL */
|
||||
NULL
|
||||
};
|
||||
|
||||
static int
|
||||
env_var_in_list(const char * const *list, char *var, size_t len)
|
||||
{
|
||||
if (list == NULL)
|
||||
return (0);
|
||||
|
||||
while (*list != NULL) {
|
||||
if (strncmp(var, *list, len) == 0 &&
|
||||
len == strlen(*list))
|
||||
return (1);
|
||||
list++;
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Scrub the environment by applying a "whitelist" of safe variables
|
||||
* and a "blacklist" of known dangerous variables. Each environment
|
||||
* variable is examined and is retained only if it appears in a whitelist
|
||||
* and does not appear in the blacklist.
|
||||
*
|
||||
* If the first argument is NULL, a built-in whitelist will be used.
|
||||
* The second and third arguments allow clients to adjust the built-in
|
||||
* whitelist without having to replicate it.
|
||||
*
|
||||
*/
|
||||
void
|
||||
clean_environment(const char * const *whitelist,
|
||||
const char * const *extra_whitelist)
|
||||
{
|
||||
extern char **environ;
|
||||
char *p, **new, **old;
|
||||
int len;
|
||||
int safe;
|
||||
|
||||
old = environ;
|
||||
new = environ;
|
||||
|
||||
if (whitelist == NULL)
|
||||
whitelist = default_whitelist;
|
||||
|
||||
while (*old != NULL) {
|
||||
safe = 0;
|
||||
p = strchr(*old, '=');
|
||||
if (p != NULL)
|
||||
len = p - *old;
|
||||
else
|
||||
len = strlen(*old);
|
||||
|
||||
if (env_var_in_list(whitelist, *old, len) ||
|
||||
env_var_in_list(extra_whitelist, *old, len))
|
||||
*new++ = *old;
|
||||
|
||||
old++;
|
||||
}
|
||||
while (*new != NULL)
|
||||
*new++ = NULL;
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user