pkexec : patch for safe "--keep-user-env" option

[Jean-Philippe Guillemin]

Hi,
Many X applications require root privileges, but at the same time want to
keep the original $USER env variable.

This option (see attached patch), while preserving the
sanitized environment, and also while still honoring the
org.freedesktop.policykit.exec.allow_gui annotate key : allow the user to
preserve the $USER environment variable.

I believe, this option is both safe, clean, and a must have for pkexec.

All the best

JP

diff -rNaud polkit-0.105/src/programs/pkexec.c polkit-0.105-new/src/programs/pkexec.c
--- polkit-0.105/src/programs/pkexec.c	2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.105-new/src/programs/pkexec.c	2016-02-27 12:17:52.583599410 +0100
@@ -76,6 +76,7 @@
               "       --help |\n"
               "       --disable-internal-agent |\n"
               "       [--user username] PROGRAM [ARGUMENTS...]\n"
+              "       [--keep-user-env] PROGRAM [ARGUMENTS...]\n"
               "\n"
               "See the pkexec manual page for more details.\n");
 }
@@ -391,6 +392,7 @@
   gboolean opt_show_help;
   gboolean opt_show_version;
   gboolean opt_disable_internal_agent;
+  gboolean opt_keep_user_env;
   PolkitAuthority *authority;
   PolkitAuthorizationResult *result;
   PolkitSubject *subject;
@@ -417,6 +419,7 @@
     "LC_ALL",
     "TERM",
     "COLORTERM",
+    "USER",
 
     /* By default we don't allow running X11 apps, as it does not work in the
      * general case. See
@@ -478,6 +481,7 @@
   opt_show_help = FALSE;
   opt_show_version = FALSE;
   opt_disable_internal_agent = FALSE;
+  opt_keep_user_env = FALSE;
   for (n = 1; n < (guint) argc; n++)
     {
       if (strcmp (argv[n], "--help") == 0)
@@ -503,6 +507,10 @@
         {
           opt_disable_internal_agent = TRUE;
         }
+      else if (strcmp (argv[n], "--keep-user-env") == 0)
+        {
+          opt_keep_user_env = TRUE;
+        }
       else
         {
           break;
@@ -783,13 +791,18 @@
   else
     s = g_strdup_printf ("/usr/sbin:/usr/bin:/sbin:/bin:%s/bin", pw->pw_dir);
   g_ptr_array_add (saved_env, s);
-  g_ptr_array_add (saved_env, g_strdup ("LOGNAME"));
-  g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
-  g_ptr_array_add (saved_env, g_strdup ("USER"));
-  g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+  
+  if (opt_keep_user_env == FALSE)
+  {
+    g_ptr_array_add (saved_env, g_strdup ("USER"));
+    g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+
+  }
   g_ptr_array_add (saved_env, g_strdup ("HOME"));
   g_ptr_array_add (saved_env, g_strdup (pw->pw_dir));
-
+  g_ptr_array_add (saved_env, g_strdup ("LOGNAME"));
+  g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
+  
   s = g_strdup_printf ("%d", getuid ());
   g_ptr_array_add (saved_env, g_strdup ("PKEXEC_UID"));
   g_ptr_array_add (saved_env, s);

_______________________________________________
polkit-devel mailing list
polkit-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/polkit-devel