summaryrefslogtreecommitdiff
path: root/usr.bin/sudo
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin/sudo')
-rw-r--r--usr.bin/sudo/ChangeLog15
-rw-r--r--usr.bin/sudo/env.c45
-rw-r--r--usr.bin/sudo/sudoers.pod47
3 files changed, 70 insertions, 37 deletions
diff --git a/usr.bin/sudo/ChangeLog b/usr.bin/sudo/ChangeLog
index a20a1fc7fe5..ef26b882c7e 100644
--- a/usr.bin/sudo/ChangeLog
+++ b/usr.bin/sudo/ChangeLog
@@ -1,3 +1,18 @@
+2009-06-23 14:29 millert
+
+ * sudoers.pod: Document that we accept env_pam-style environment
+ files
+
+2009-06-23 14:24 millert
+
+ * env.c: Adapt to accept pam_env-style /etc/environment which
+ allows shell-style lines such as: export EDITOR="/usr/bin/vi"
+
+2009-06-23 12:22 millert
+
+ * sudoers.pod: Make it clear that env_delete only works when
+ !env_reset. From Loïc Minier
+
2009-06-15 17:19 millert
* sudo.pod, sudoers.pod: Add non-unix group bits, adapted from
diff --git a/usr.bin/sudo/env.c b/usr.bin/sudo/env.c
index 54b685dfa85..3049dff9330 100644
--- a/usr.bin/sudo/env.c
+++ b/usr.bin/sudo/env.c
@@ -43,13 +43,14 @@
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
+#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include "sudo.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: env.c,v 1.105 2009/06/15 13:10:01 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: env.c,v 1.106 2009/06/23 18:24:42 millert Exp $";
#endif /* lint */
/*
@@ -849,7 +850,11 @@ validate_env_vars(env_vars)
/*
* Read in /etc/environment ala AIX and Linux.
- * Lines are in the form of NAME=VALUE
+ * Lines may be in either of three formats:
+ * NAME=VALUE
+ * NAME="VALUE"
+ * NAME='VALUE'
+ * with an optional "export" prefix so the shell can source the file.
* Invalid lines, blank lines, or lines consisting solely of a comment
* character are skipped.
*/
@@ -859,21 +864,45 @@ read_env_file(path, overwrite)
int overwrite;
{
FILE *fp;
- char *cp;
+ char *cp, *var, *val;
+ size_t var_len, val_len;
if ((fp = fopen(path, "r")) == NULL)
return;
- while ((cp = sudo_parseln(fp)) != NULL) {
+ while ((var = sudo_parseln(fp)) != NULL) {
/* Skip blank or comment lines */
- if (*cp == '\0')
+ if (*var == '\0')
continue;
- /* Must be of the form name=value */
- if (strchr(cp, '=') == NULL)
+ /* Skip optional "export " */
+ if (strncmp(var, "export", 6) == 0 && isspace((unsigned char) var[6])) {
+ var += 7;
+ while (isspace((unsigned char) *var)) {
+ var++;
+ }
+ }
+
+ /* Must be of the form name=["']value['"] */
+ for (val = var; *val != '\0' && *val != '='; val++)
+ ;
+ if (var == val || *val != '=')
continue;
+ var_len = (size_t)(val - var);
+ val_len = strlen(++val);
+
+ /* Strip leading and trailing single/double quotes */
+ if ((val[0] == '\'' || val[0] == '\"') && val[0] == val[val_len - 1]) {
+ val[val_len - 1] = '\0';
+ val++;
+ val_len -= 2;
+ }
+
+ cp = emalloc(var_len + 1 + val_len + 1);
+ memcpy(cp, var, var_len + 1); /* includes '=' */
+ memcpy(cp + var_len + 1, val, val_len + 1); /* includes NUL */
- sudo_putenv(estrdup(cp), TRUE, overwrite);
+ sudo_putenv(cp, TRUE, overwrite);
}
fclose(fp);
}
diff --git a/usr.bin/sudo/sudoers.pod b/usr.bin/sudo/sudoers.pod
index 70febd580f9..847052432ab 100644
--- a/usr.bin/sudo/sudoers.pod
+++ b/usr.bin/sudo/sudoers.pod
@@ -18,7 +18,7 @@ Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.170 2009/06/15 21:19:47 millert Exp $
+$Sudo: sudoers.pod,v 1.172 2009/06/23 18:29:02 millert Exp $
=pod
=head1 NAME
@@ -990,13 +990,6 @@ two consecutive C<%> characters are collapsed into a single C<%> character
The default value is C<@passprompt@>.
-=item role
-
-The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
=item runas_default
The default user to run commands as if the B<-u> option is not specified
@@ -1030,13 +1023,6 @@ The default is F<@timedir@>.
The owner of the timestamp directory and the timestamps stored therein.
The default is C<root>.
-=item type
-
-The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
=back
B<Strings that can be used in a boolean context>:
@@ -1056,11 +1042,13 @@ environment variable.
=item env_file
-The I<env_file> options specifies the fully qualified path to a file
-containing variables to be set in the environment of the program
-being run. Entries in this file should be of the form C<VARIABLE=value>.
-Variables in this file are subject to other B<sudo> environment
-settings such as I<env_keep> and I<env_check>.
+The I<env_file> options specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run. Entries in this file should either be of the form
+C<VARIABLE=value> or C<export VARIABLE=value>. The value may
+optionally be surrounded by single or double quotes. Variables in
+this file are subject to other B<sudo> environment settings such
+as I<env_keep> and I<env_check>.
=item exempt_group
@@ -1225,15 +1213,16 @@ the I<-V> option.
=item env_delete
-Environment variables to be removed from the user's environment.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. The default list of environment
-variables to remove is displayed when B<sudo> is run by root with the
-I<-V> option. Note that many operating systems will remove potentially
-dangerous variables from the environment of any setuid process (such
-as B<sudo>).
+Environment variables to be removed from the user's environment
+when the I<env_reset> option is not in effect. The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes. The list can be replaced, added to, deleted from,
+or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
+respectively. The default list of environment variables to remove
+is displayed when B<sudo> is run by root with the I<-V> option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+B<sudo>).
=item env_keep