Bug or feature? environment variables behaviour change #318
Comments
|
That is an unintentional side effect of the change. The reason for keeping the environment point available was to make it possible to log that information for rejected commands in the sudoers audit plugin. However, since the command was rejected, it is probably better to just log the user's original environment in that case instead. It should be safe to revert this change but I will need to verify that it doesn't cause problems with sub-command logging. |
millert
added a commit
that referenced
this issue
Oct 22, 2023
This reverts 5118eb5797fb, which had the side-effect of the PAM session code running with the run environment instead of the invoking user's environment. Issue #318
|
Fixed by 0778262 |
|
If I don't fix this bug, what might be the impact on my use? |
I think this might have caused https://bugzilla.redhat.com/show_bug.cgi?id=2272665. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Starting on version 1.9.4, specifically since this commit 7d0b19d, there is a change in the behaviour of the setenv/getenv functions when these are called from a pam_module or anything that is called from
policy_init_session.The previous behaviour was that the env functions made mofications on the environ pointer from the pam process. After this change the changes are made to the private enviroment from sudo. This happens because the envp pointer from the sudo
env.envppointer is not null (now the functionsudoers_check_cmndonly calls toenv_init(NULL)on errors), so the setenv hooks are used and it does not modify the pam process environ pointer.Was this change intentional?
Thanks
The text was updated successfully, but these errors were encountered: