
Commit d7484d7

committed
exec_mailer: use minimal environment for non-root mailer too
Previously, we used the user's environment when running the mailer as the user if sudo is configured with the --disable-root-mailer option. With this change the environment used is consistent regardless of whether or not the mailer is being run as root. Only the values of USER/LOGNAME/LOGIN are different.
1 parent 70c1ee4 commit d7484d7

5 files changed

Lines changed: 92 additions & 35 deletions


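--- a/include/sudo_eventlog.h
+++ b/include/sudo_eventlog.h
@@ -79,9 +79,10 @@ struct eventlog_config {
 int syslog_acceptpri;
 int syslog_rejectpri;
 int syslog_alertpri;
-uid_t mailuid;
-gid_t mailgid;
+uid_t maileruid;
+gid_t mailergid;
 bool omit_hostname;
+const char *maileruser;
 const char *logpath;
 const char *time_fmt;
 const char *mailerpath;
@@ -153,7 +154,7 @@ void eventlog_set_syslog_rejectpri(int pri);
 void eventlog_set_syslog_alertpri(int pri);
 void eventlog_set_syslog_maxlen(size_t len);
 void eventlog_set_file_maxlen(size_t len);
-void eventlog_set_mailuser(uid_t uid, gid_t gid);
+void eventlog_set_maileruser(const char *name, uid_t uid, gid_t gid);
 void eventlog_set_omit_hostname(bool omit_hostname);
 void eventlog_set_logpath(const char *path);
 void eventlog_set_time_fmt(const char *fmt);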

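--- a/lib/eventlog/eventlog.c
+++ b/lib/eventlog/eventlog.c
@@ -273,26 +273,77 @@ closefrom_nodebug(int lowfd)
 debug_return;
 }
 
+/*
+* Build minimal environment for executing the mailer.
+* We set HOME to / even for non-root users.
+*/
+static char **
+user_mailer_env(const char *user)
+{
+char **envp;
+int envc = 4;
+int i = 0;
+
+#ifdef _AIX
+envc++; /* for LOGIN variable */
+#endif
+
+/* User defaults to root. */
+if (user == NULL)
+user = "root";
+
+envp = calloc(envc + 1, sizeof(char *));
+if (envp == NULL)
+goto bad;
+
+if (i >= envc)
+goto bad;
+if ((envp[i++] = strdup("HOME=/")) == NULL)
+goto bad;
+
+if (i >= envc)
+goto bad;
+if ((envp[i++] = strdup("PATH=" _PATH_STDPATH)) == NULL)
+goto bad;
+
+if (i >= envc)
+goto bad;
+if (asprintf(&envp[i++], "LOGNAME=%s", user) == -1)
+goto bad;
+
+if (i >= envc)
+goto bad;
+if (asprintf(&envp[i++], "USER=%s", user) == -1)
+goto bad;
+
+#ifdef _AIX
+if (i >= envc)
+goto bad;
+if (asprintf(&envp[i++], "LOGIN=%s", user) == -1)
+goto bad;
+#endif /* _AIX */
+
+return envp;
+bad:
+if (envp != NULL) {
+for (i = 0; i < envc && envp[i] != NULL; i++) {
+free(envp[i]);
+}
+free(envp);
+}
+return NULL;
+}
+
 #define MAX_MAILFLAGS 63
 
 sudo_noreturn static void
-exec_mailer(int pipein) // -V1082
+exec_mailer(const struct eventlog_config *evl_conf, int pipein) // -V1082
 {
-const struct eventlog_config *evl_conf = eventlog_getconf();
 char *last, *mflags, *p, *argv[MAX_MAILFLAGS + 1];
 const char *mpath = evl_conf->mailerpath;
-gid_t mailgid = evl_conf->mailgid;
+gid_t mailergid = evl_conf->mailergid;
+char **mail_envp;
 size_t i;
-const char * const root_envp[] = {
-"HOME=/",
-"PATH=/usr/bin:/bin:/usr/sbin:/sbin",
-"LOGNAME=root",
-"USER=root",
-# ifdef _AIX
-"LOGIN=root",
-# endif
-NULL
-};
 debug_decl(exec_mailer, SUDO_DEBUG_UTIL);
 
 /* Set stdin to read side of the pipe. */
@@ -303,6 +354,12 @@ exec_mailer(int pipein) // -V1082
 goto bad;
 }
 
+mail_envp = user_mailer_env(evl_conf->maileruser);
+if (mail_envp == NULL) {
+syslog(LOG_ERR, "%s", _("unable to allocate memory"));
+goto bad;
+}
+
 /* Build up an argv based on the mailer path and flags */
 if ((mflags = strdup(evl_conf->mailerflags)) == NULL) {
 syslog(LOG_ERR, "%s", _("unable to allocate memory"));
@@ -327,28 +384,25 @@ exec_mailer(int pipein) // -V1082
 ROOT_UID);
 goto bad;
 }
-if (setgid(mailgid) != 0) {
+if (setgid(mailergid) != 0) {
 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change gid to %u",
-(unsigned int)mailgid);
+(unsigned int)mailergid);
 goto bad;
 }
-if (setgroups(1, &mailgid) != 0) {
+if (setgroups(1, &mailergid) != 0) {
 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to set groups to %u",
-(unsigned int)mailgid);
+(unsigned int)mailergid);
 goto bad;
 }
-if (evl_conf->mailuid != ROOT_UID) {
-if (setuid(evl_conf->mailuid) != 0) {
+if (evl_conf->maileruid != ROOT_UID) {
+if (setuid(evl_conf->maileruid) != 0) {
 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to change uid to %u",
-(unsigned int)evl_conf->mailuid);
+(unsigned int)evl_conf->maileruid);
 goto bad;
 }
 }
 sudo_debug_exit(__func__, __FILE__, __LINE__, sudo_debug_subsys);
-if (evl_conf->mailuid == ROOT_UID)
-execve(mpath, argv, (char **)root_envp);
-else
-execv(mpath, argv);
+execve(mpath, argv, (char **)mail_envp);
 syslog(LOG_ERR, _("unable to execute %s: %m"), mpath); // -V618
 sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to execute %s: %s",
 mpath, strerror(errno));
@@ -486,7 +540,7 @@ send_mail(const struct eventlog *evlog, const char *message)
 /* NOTREACHED */
 case 0:
 /* Child. */
-exec_mailer(pfd[0]);
+exec_mailer(evl_conf, pfd[0]);
 /* NOTREACHED */
 }
 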
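Review bot: In user_mailer_env() the `bad:` cleanup loop frees every non-NULL `envp[i]`, but the slot handed to a failing `asprintf(&envp[i++], ...)` is not guaranteed to still be NULL, because some asprintf() implementations leave the output pointer unspecified on error; the loop could then free an indeterminate pointer. Resetting the slot on failure avoids relying on that, e.g. `if (asprintf(&envp[i], "LOGNAME=%s", user) == -1) { envp[i] = NULL; goto bad; }` followed by `i++;`, and likewise for the USER and LOGIN entries. The function comment could also state that PATH now comes from `_PATH_STDPATH` rather than the literal in the removed `root_envp`, since that changes the root mailer's PATH on any platform where the two differ.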

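--- a/lib/eventlog/eventlog_conf.c
+++ b/lib/eventlog/eventlog_conf.c
@@ -64,9 +64,10 @@ static struct eventlog_config evl_conf = {
 LOG_NOTICE, /* syslog_acceptpri */
 LOG_ALERT, /* syslog_rejectpri */
 LOG_ALERT, /* syslog_alertpri */
-ROOT_UID, /* mailuid */
-ROOT_GID, /* mailgid */
+ROOT_UID, /* maileruid */
+ROOT_GID, /* mailergid */
 false, /* omit_hostname */
+NULL, /* maileruser */
 _PATH_SUDO_LOGFILE, /* logpath */
 "%h %e %T", /* time_fmt */
 #ifdef _PATH_SUDO_SENDMAIL
@@ -147,10 +148,11 @@ eventlog_set_file_maxlen(size_t len)
 }
 
 void
-eventlog_set_mailuser(uid_t uid, gid_t gid)
+eventlog_set_maileruser(const char *name, uid_t uid, gid_t gid)
 {
-evl_conf.mailuid = uid;
-evl_conf.mailgid = gid;
+evl_conf.maileruid = uid;
+evl_conf.mailergid = gid;
+evl_conf.maileruser = name;
 }
 
 void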
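Review bot: eventlog_set_maileruser() stores the caller's `name` pointer in `evl_conf.maileruser` without copying it, and the eventlog.c change later reads `evl_conf->maileruser` to build LOGNAME/USER, so the string has to stay valid for as long as mail can be sent. The policy.c call passes `ctx->user.name`, whose lifetime is not visible in this diff. I would document the contract above the setter, for example `/* name is not copied; it must remain valid while the eventlog config is in use. */`, and repeat it on the prototype in sudo_eventlog.h.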

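--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -1152,7 +1152,7 @@ init_eventlog_config(void)
 eventlog_set_syslog_alertpri(def_syslog_badpri);
 eventlog_set_syslog_maxlen(def_syslog_maxlen);
 eventlog_set_file_maxlen(def_loglinelen);
-eventlog_set_mailuser(ROOT_UID, ROOT_GID);
+eventlog_set_maileruser(NULL, ROOT_UID, ROOT_GID);
 eventlog_set_omit_hostname(!def_log_host);
 eventlog_set_logpath(def_logfile);
 eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");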

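--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -634,7 +634,7 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
 }
 
 #ifdef NO_ROOT_MAILER
-eventlog_set_mailuser(ctx->user.uid, ctx->user.gid);
+eventlog_set_maileruser(ctx->user.name, ctx->user.uid, ctx->user.gid);
 #endif
 
 /* Dump settings and user info (XXX - plugin args) */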
