Package: openbsd-inetd
Version: 20040915-1
Tags: patch

As supplied, openbsd-inetd removes various things - including PATH -
from the environment of the services it runs.

I realise that this is a response to people running the init.d start
script with a stupid environment and filing bug reports, but
unfortunately it's not a correct cure.

In my opinion, all programs (including inetd services) are allowed to
assume that they get a sane environment - _including_ a nice PATH with
sbin and /usr/local (if appropriate), any other local settings,
etc. etc. All my locally-written programs and local configuration
generally rely on this. I arrange for it to be true by always
starting daemons (like inetd) from `su -' which ensures a correct and
sane environment.

I realise that not everyone does this, and that the question of how best
to handle the problem of daemons' environments is not settled. For
now an ad-hoc approach taken by each daemon's maintainer is not
unreasonable (although it's not clear why this feature needed to be in
inetd's C rather than eg with `env -' in the startup script).

But in a system like mine which has a more uniformly correct approach,
I need it to not launder the environment which I have so carefully
prepared. In particular, I need to have _some_ way of specifying (eg)
the PATH for services ! (I need to use openbsd-inetd because the
netkit one is full of races which make it break for me.)

So, I have added a new option -E which preserves the environment
completely, and which I can then put in /etc/default. The patch is
nice and small and is below. I had to move the call to
`discard_stupid_environment' down after the option parsing but this
looks OK to me. It's not quite clear to me why it was that early;
nothing in the option parsing should be affected by it.

My patch also includes documentation of the new option and thus of
course documentation of the environment-laundering behaviour, which is
another improvement :-).

Regards,
Ian.

diff -ru orig/openbsd-inetd-0.20040915/debian/changelog
openbsd-inetd-0.20040915/debian/changelog
--- orig/openbsd-inetd-0.20040915/debian/changelog 2006-03-02
17:04:23.000000000 +0000
+++ openbsd-inetd-0.20040915/debian/changelog 2006-03-02 17:08:24.000000000
+0000
@@ -1,3 +1,10 @@
+openbsd-inetd (0.20040915-1.0.99iwj2) unstable; urgency=low
+
+ * New -E option not to clobber the environment;
+ with documentation in inetd.8.
+
+ -- Ian Jackson <[EMAIL PROTECTED]> Thu, 2 Mar 2006 17:08:24 +0000
+
openbsd-inetd (0.20040915-1) unstable; urgency=low
* New CVS snapshot.
Only in openbsd-inetd-0.20040915/debian: changelog~
diff -ru orig/openbsd-inetd-0.20040915/inetd.8 openbsd-inetd-0.20040915/inetd.8
--- orig/openbsd-inetd-0.20040915/inetd.8 2006-03-02 17:04:23.000000000
+0000
+++ openbsd-inetd-0.20040915/inetd.8 2006-03-02 17:07:45.000000000 +0000
@@ -39,6 +39,7 @@
.Nm inetd
.Op Fl d
.Op Fl l
+.Op Fl E
.Op Fl R Ar rate
.Op Ar configuration file
.Sh DESCRIPTION
@@ -63,6 +64,13 @@
.Bl -tag -width Ds
.It Fl d
Turns on debugging.
+.It Fl E
+Prevents
+.Nm inetd
+from laundering the environment. Without this option a selection of
+environent variables believed by the authors to be harmful, including
+.Pa PATH ,
+will be removed and not inherited by services.
.It Fl l
Turns on libwrap connection logging. Internal services cannot be wrapped.
When enabled,
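Review bot: In the new `.It Fl E` entry, "environent" should be "environment", and the entry should spell out what -E means for the administrator: with it, every service inherits the complete environment of whatever process started inetd, because nothing is removed. Listing the variables that are dropped by default would also serve readers better than "believed by the authors to be harmful", which only names PATH.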
diff -ru orig/openbsd-inetd-0.20040915/inetd.c openbsd-inetd-0.20040915/inetd.c
--- orig/openbsd-inetd-0.20040915/inetd.c 2006-03-02 17:04:23.000000000
+0000
+++ openbsd-inetd-0.20040915/inetd.c 2006-03-02 17:01:56.000000000 +0000
@@ -184,6 +184,7 @@
int global_queuelen = 128;
int debug = 0;
+int keepenv = 0;
int nsock, maxsock;
fd_set *allsockp;
int allsockn;
@@ -357,9 +358,8 @@
initsetproctitle(argc, argv, envp);
/* This must be called _after_ initsetproctitle */
- discard_stupid_environment();
- while ((ch = getopt(argc, argv, "dilq:R:")) != -1)
+ while ((ch = getopt(argc, argv, "dilEq:R:")) != -1)
switch (ch) {
case 'd':
debug = 1;
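Review bot: The comment `/* This must be called _after_ initsetproctitle */` is left behind when `discard_stupid_environment();` is removed here, so it now sits directly above the getopt loop and no longer describes anything. Move it down with the call, which is re-added after `argv += optind;`, so the ordering constraint stays attached to the code it constrains.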
@@ -367,6 +367,9 @@
case 'i':
nodaemon = 1;
break;
+ case 'E':
+ keepenv = 1;
+ break;
case 'l':
#ifdef LIBWRAP
lflag = 1;
@@ -404,6 +407,8 @@
argc -= optind;
argv += optind;
+ discard_stupid_environment();
+
uid = getuid();
if (uid != 0)
CONFIG = NULL;
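Review bot: Placing `discard_stupid_environment();` after `argv += optind;` means the entire option loop now runs with the unlaundered environment. The patch shows only the 'd', 'i', 'E' and the start of the 'l' handlers, so the remaining ones (at least 'q' and 'R' from the getopt string) should be confirmed not to consult the environment, and that confirmation is worth recording in the changelog entry.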
@@ -2289,6 +2294,9 @@
};
int i, k = 0;
+
+ if (keepenv)
+ return;
for (i = 0; __environ[i]; i++) {
int found = 0, j;
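Review bot: The `if (keepenv) return;` guard makes -E all-or-nothing: there is no way to keep PATH while still dropping the other variables on the list. If that is intended, testing the flag at the call site (`if (!keepenv) discard_stupid_environment();`) keeps the function doing what its name says, and a message in debug mode when laundering is skipped would help when diagnosing a service that misbehaves because of an inherited variable.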
--
Ian Jackson, at home. Local/personal: [EMAIL PROTECTED]
[EMAIL PROTECTED] http://www.chiark.greenend.org.uk/~ijackson/
Problems mailing me ? Send [EMAIL PROTECTED] the bounce (bypasses the blocks).