diff --git a/SOURCES/1000-setpriv-add-reset-env.patch b/SOURCES/1000-setpriv-add-reset-env.patch new file mode 100644 index 0000000..a8b97c6 --- /dev/null +++ b/SOURCES/1000-setpriv-add-reset-env.patch @@ -0,0 +1,162 @@ +From 0150f21be9739ad3fc8d5ce7cee2a2ff4a09326f Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Wed, 22 Aug 2018 11:43:32 +0200 +Subject: [PATCH] setpriv: add --reset-env + +Clear environment in way like su(1), but PATH is set to hard-coded +defaults and /etc/login.defs is not used at all (I guess we want to +keep setpriv(1) simple). + +If you need anything more advanced than use env(1). + +Addresses: https://github.com/karelzak/util-linux/issues/325 +Signed-off-by: Karel Zak +--- + sys-utils/setpriv.1 | 9 ++++++++ + sys-utils/setpriv.c | 54 ++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 62 insertions(+), 1 deletion(-) + +diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 +index b900f6e08..45bc5a23b 100644 +--- a/sys-utils/setpriv.1 ++++ b/sys-utils/setpriv.1 +@@ -159,6 +159,15 @@ to abort if AppArmor is not in use, and the transition may be ignored or cause + .BR execve (2) + to fail at AppArmor's whim. + .TP ++.BI \-\-reset\-env ++Clears all the environment variables except TERM; initializes the environment variables HOME, SHELL, USER, LOGNAME ++according to the user's passwd entry; sets PATH to \fI/usr/local/bin:/bin:/usr/bin\fR for a regual user and to ++\fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fR for root. ++.sp ++The environment variable PATH may be different on systems where /bin and /sbin ++are merged into /usr. The environment variable SHELL defaults to \fI/bin/sh\fR if none is given in the user's ++passwd entry. ++.TP + .BR \-V , " \-\-version" + Display version information and exit. + .TP +diff --git a/sys-utils/setpriv.c b/sys-utils/setpriv.c +index 4147978cc..30f8f9b15 100644 +--- a/sys-utils/setpriv.c ++++ b/sys-utils/setpriv.c +@@ -38,6 +38,7 @@ + #include "strutils.h" + #include "xalloc.h" + #include "pathnames.h" ++#include "env.h" + + #ifndef PR_SET_NO_NEW_PRIVS + # define PR_SET_NO_NEW_PRIVS 38 +@@ -55,6 +56,9 @@ + + #define SETPRIV_EXIT_PRIVERR 127 /* how we exit when we fail to set privs */ + ++/* The shell to set SHELL env.variable if none is given in the user's passwd entry. */ ++#define DEFAULT_SHELL "/bin/sh" ++ + enum cap_type { + CAP_TYPE_EFFECTIVE = CAPNG_EFFECTIVE, + CAP_TYPE_PERMITTED = CAPNG_PERMITTED, +@@ -82,6 +86,7 @@ struct privctx { + keep_groups:1, /* keep groups */ + clear_groups:1, /* remove groups */ + init_groups:1, /* initialize groups */ ++ reset_env:1, /* reset environment */ + have_securebits:1; /* remove groups */ + + /* uids and gids */ +@@ -137,6 +142,8 @@ static void __attribute__((__noreturn__)) usage(void) + fputs(_(" --securebits set securebits\n"), out); + fputs(_(" --selinux-label