exec_mailer: use minimal environment for non-root mailer too

Previously, we used the user's environment when running the mailer
as the user if sudo is configured with the --disable-root-mailer
option.  With this change the environment used is consistent
regardless of whether or not the mailer is being run as root.
Only the values of USER/LOGNAME/LOGIN are different.

Author: millert

include/sudo_eventlog.h

@@ -79,9 +79,10 @@ struct eventlog_config {
     int syslog_acceptpri;
     int syslog_rejectpri;
     int syslog_alertpri;
-    uid_t mailuid;
-    gid_t mailgid;
+    uid_t maileruid;
+    gid_t mailergid;
     bool omit_hostname;
+    const char *maileruser;
     const char *logpath;
     const char *time_fmt;
     const char *mailerpath;
@@ -153,7 +154,7 @@ void eventlog_set_syslog_rejectpri(int pri);
 void eventlog_set_syslog_alertpri(int pri);
 void eventlog_set_syslog_maxlen(size_t len);
 void eventlog_set_file_maxlen(size_t len);
-void eventlog_set_mailuser(uid_t uid, gid_t gid);
+void eventlog_set_maileruser(const char *name, uid_t uid, gid_t gid);
 void eventlog_set_omit_hostname(bool omit_hostname);
 void eventlog_set_logpath(const char *path);
 void eventlog_set_time_fmt(const char *fmt);

lib/eventlog/eventlog.c

@@ -273,26 +273,77 @@ closefrom_nodebug(int lowfd)
     debug_return;
 }
 
+/*
+ * Build minimal environment for executing the mailer.
+ * We set HOME to / even for non-root users.
+ */
+static char **
+user_mailer_env(const char *user)
+{
+    char **envp;
+    int envc = 4;
+    int i = 0;
+
+#ifdef _AIX
+    envc++;	/* for LOGIN variable */
+#endif
+
+    /* User defaults to root. */
+    if (user == NULL)
+	user = "root";
+
+    envp = calloc(envc + 1, sizeof(char *));
+    if (envp == NULL)
+	goto bad;
+
+    if (i >= envc)
+	goto bad;
+    if ((envp[i++] = strdup("HOME=/")) == NULL)
+	goto bad;
+
+    if (i >= envc)
+	goto bad;
+    if ((envp[i++] = strdup("PATH=" _PATH_STDPATH)) == NULL)
+	goto bad;
+
+    if (i >= envc)
+	goto bad;
+    if (asprintf(&envp[i++], "LOGNAME=%s", user) == -1)
+	goto bad;
+
+    if (i >= envc)
+	goto bad;
+    if (asprintf(&envp[i++], "USER=%s", user) == -1)
+	goto bad;
+
+#ifdef _AIX
+    if (i >= envc)
+	goto bad;
+    if (asprintf(&envp[i++], "LOGIN=%s", user) == -1)
+	goto bad;
+#endif /* _AIX */
+
+    return envp;
+bad:
+    if (envp != NULL) {
+	for (i = 0; i < envc && envp[i] != NULL; i++) {
+	    free(envp[i]);
+	}
+	free(envp);
+    }
+    return NULL;
+}
+
 #define MAX_MAILFLAGS	63
 
 sudo_noreturn static void
-exec_mailer(int pipein) // -V1082
+exec_mailer(const struct eventlog_config *evl_conf, int pipein) // -V1082
 {
-    const struct eventlog_config *evl_conf = eventlog_getconf();
     char *last, *mflags, *p, *argv[MAX_MAILFLAGS + 1];
     const char *mpath = evl_conf->mailerpath;
-    gid_t mailgid = evl_conf->mailgid;
+    gid_t mailergid = evl_conf->mailergid;
+    char **mail_envp;
     size_t i;
-    const char * const root_envp[] = {
-	"HOME=/",
-	"PATH=/usr/bin:/bin:/usr/sbin:/sbin",
-	"LOGNAME=root",
-	"USER=root",
-# ifdef _AIX
-	"LOGIN=root",
-# endif
-	NULL
-    };
     debug_decl(exec_mailer, SUDO_DEBUG_UTIL);
 
     /* Set stdin to read side of the pipe. */
@@ -303,6 +354,12 @@ exec_mailer(int pipein) // -V1082
 	goto bad;
     }
 
+    mail_envp = user_mailer_env(evl_conf->maileruser);
+    if (mail_envp == NULL) {
+	syslog(LOG_ERR, "%s", _("unable to allocate memory"));
+	goto bad;
+    }
+
     /* Build up an argv based on the mailer path and flags */
     if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
 	syslog(LOG_ERR, "%s", _("unable to allocate memory"));
@@ -327,28 +384,25 @@ exec_mailer(int pipein) // -V1082
 	    ROOT_UID);
 	goto bad;
     }
-    if (setgid(mailgid) != 0) {
+    if (setgid(mailergid) != 0) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
-	    (unsigned int)mailgid);
+	    (unsigned int)mailergid);
 	goto bad;
     }
-    if (setgroups(1, &mailgid) != 0) {
+    if (setgroups(1, &mailergid) != 0) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
-	    (unsigned int)mailgid);
+	    (unsigned int)mailergid);
 	goto bad;
     }
-    if (evl_conf->mailuid != ROOT_UID) {
-	if (setuid(evl_conf->mailuid) != 0) {
+    if (evl_conf->maileruid != ROOT_UID) {
+	if (setuid(evl_conf->maileruid) != 0) {
 	    sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
-		(unsigned int)evl_conf->mailuid);
+		(unsigned int)evl_conf->maileruid);
 	    goto bad;
 	}
     }
     sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
-    if (evl_conf->mailuid == ROOT_UID)
-	execve(mpath, argv, (char **)root_envp);
-    else
-	execv(mpath, argv);
+    execve(mpath, argv, (char **)mail_envp);
     syslog(LOG_ERR, _("unable to execute %s: %m"), mpath); // -V618
     sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
 	mpath, strerror(errno));
@@ -486,7 +540,7 @@ send_mail(const struct eventlog *evlog, const char *message)
 	    /* NOTREACHED */
 	case 0:
 	    /* Child. */
-	    exec_mailer(pfd[0]);
+	    exec_mailer(evl_conf, pfd[0]);
 	    /* NOTREACHED */
     }
 

lib/eventlog/eventlog_conf.c

@@ -64,9 +64,10 @@ static struct eventlog_config evl_conf = {
     LOG_NOTICE,			/* syslog_acceptpri */
     LOG_ALERT,			/* syslog_rejectpri */
     LOG_ALERT,			/* syslog_alertpri */
-    ROOT_UID,			/* mailuid */
-    ROOT_GID,			/* mailgid */
+    ROOT_UID,			/* maileruid */
+    ROOT_GID,			/* mailergid */
     false,			/* omit_hostname */
+    NULL,			/* maileruser */
     _PATH_SUDO_LOGFILE,		/* logpath */
     "%h %e %T",			/* time_fmt */
 #ifdef _PATH_SUDO_SENDMAIL
@@ -147,10 +148,11 @@ eventlog_set_file_maxlen(size_t len)
 }
 
 void
-eventlog_set_mailuser(uid_t uid, gid_t gid)
+eventlog_set_maileruser(const char *name, uid_t uid, gid_t gid)
 {
-    evl_conf.mailuid = uid;
-    evl_conf.mailgid = gid;
+    evl_conf.maileruid = uid;
+    evl_conf.mailergid = gid;
+    evl_conf.maileruser = name;
 }
 
 void

plugins/sudoers/logging.c

@@ -1152,7 +1152,7 @@ init_eventlog_config(void)
     eventlog_set_syslog_alertpri(def_syslog_badpri);
     eventlog_set_syslog_maxlen(def_syslog_maxlen);
     eventlog_set_file_maxlen(def_loglinelen);
-    eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+    eventlog_set_maileruser(NULL, ROOT_UID, ROOT_GID);
     eventlog_set_omit_hostname(!def_log_host);
     eventlog_set_logpath(def_logfile);
     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");

plugins/sudoers/policy.c

@@ -634,7 +634,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
     }
 
 #ifdef NO_ROOT_MAILER
-    eventlog_set_mailuser(ctx->user.uid, ctx->user.gid);
+    eventlog_set_maileruser(ctx->user.name, ctx->user.uid, ctx->user.gid);
 #endif
 
     /* Dump settings and user info (XXX - plugin args) */