21255d
From fcd9a141d08d521c01dc1a1c06a8d43a2337a392 Mon Sep 17 00:00:00 2001
21255d
From: Lennart Poettering <lennart@poettering.net>
21255d
Date: Mon, 4 Feb 2019 10:23:43 +0100
21255d
Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()
21255d
21255d
And explain why in a comment.
21255d
21255d
(cherry picked from commit 83d4ab55336ff8a0643c6aa627b31e351a24040a)
21255d
21255d
CVE-2019-3842
21255d
21255d
Resolves: #1687514
21255d
---
21255d
 src/login/pam_systemd.c | 55 ++++++++++++++++++++++++-----------------
21255d
 1 file changed, 32 insertions(+), 23 deletions(-)
21255d
21255d
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
21255d
index 1fbf6ba585..78ddb7d398 100644
21255d
--- a/src/login/pam_systemd.c
21255d
+++ b/src/login/pam_systemd.c
21255d
@@ -274,6 +274,33 @@ static int append_session_cg_weight(pam_handle_t *handle, sd_bus_message *m, con
21255d
         return 0;
21255d
 }
21255d
 
21255d
+static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
21255d
+        const char *v;
21255d
+
21255d
+        assert(handle);
21255d
+        assert(key);
21255d
+
21255d
+        /* Looks for an environment variable, preferrably in the environment block associated with the
21255d
+         * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
21255d
+         * to permit configuration of session properties from unit files that invoke PAM services, so that
21255d
+         * PAM services don't have to be reworked to set systemd-specific properties, but these properties
21255d
+         * can still be set from the unit file Environment= block. */
21255d
+
21255d
+        v = pam_getenv(handle, key);
21255d
+        if (!isempty(v))
21255d
+                return v;
21255d
+
21255d
+        /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
21255d
+         * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
21255d
+         * currently don't (to be precise, they clean up the environment they pass to their children, but
21255d
+         * not their own environ[]). */
21255d
+        v = secure_getenv(key);
21255d
+        if (!isempty(v))
21255d
+                return v;
21255d
+
21255d
+        return fallback;
21255d
+}
21255d
+
21255d
 _public_ PAM_EXTERN int pam_sm_open_session(
21255d
                 pam_handle_t *handle,
21255d
                 int flags,
21255d
@@ -352,29 +379,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
21255d
         pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
21255d
         pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
21255d
 
21255d
-        seat = pam_getenv(handle, "XDG_SEAT");
21255d
-        if (isempty(seat))
21255d
-                seat = getenv("XDG_SEAT");
21255d
-
21255d
-        cvtnr = pam_getenv(handle, "XDG_VTNR");
21255d
-        if (isempty(cvtnr))
21255d
-                cvtnr = getenv("XDG_VTNR");
21255d
-
21255d
-        type = pam_getenv(handle, "XDG_SESSION_TYPE");
21255d
-        if (isempty(type))
21255d
-                type = getenv("XDG_SESSION_TYPE");
21255d
-        if (isempty(type))
21255d
-                type = type_pam;
21255d
-
21255d
-        class = pam_getenv(handle, "XDG_SESSION_CLASS");
21255d
-        if (isempty(class))
21255d
-                class = getenv("XDG_SESSION_CLASS");
21255d
-        if (isempty(class))
21255d
-                class = class_pam;
21255d
-
21255d
-        desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
21255d
-        if (isempty(desktop))
21255d
-                desktop = getenv("XDG_SESSION_DESKTOP");
21255d
+        seat = getenv_harder(handle, "XDG_SEAT", NULL);
21255d
+        cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
21255d
+        type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
21255d
+        class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
21255d
+        desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", NULL);
21255d
 
21255d
         tty = strempty(tty);
21255d