When merging the PAM environment, allow environment variables set

in PAM to override ones set by sudo as long as they do not match the env_keep or env_check lists.
2025-08-30 22:05:46 +00:00 · 2013-08-17 06:34:09 -06:00
parent f72f47aa1d
commit 7a76844d98
2 changed files with 18 additions and 16 deletions
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -544,21 +544,6 @@ sudo_getenv(const char *name)
    debug_return_str(val);
 }

-/*
- * Merge another environment with our private copy.
- */
-void
-env_merge(char * const envp[], bool overwrite)
-{
-    char * const *ep;
-    debug_decl(env_merge, SUDO_DEBUG_ENV)
-
-    for (ep = envp; *ep != NULL; ep++)
-	sudo_putenv(*ep, true, overwrite);
-
-    debug_return;
-}
-
 /*
 * Check the env_delete blacklist.
 * Returns true if the variable was found, else false.
@@ -695,6 +680,23 @@ env_should_keep(const char *var)
    debug_return_bool(keepit == true);
 }

+/*
+ * Merge another environment with our private copy.
+ * Only overwrite an existing variable if it is not
+ * being preserved from the user's environment.
+ */
+void
+env_merge(char * const envp[])
+{
+    char * const *ep;
+    debug_decl(env_merge, SUDO_DEBUG_ENV)
+
+    for (ep = envp; *ep != NULL; ep++)
+	sudo_putenv(*ep, true, !env_should_keep(*ep));
+
+    debug_return;
+}
+
 static void
 env_update_didvar(const char *ep, unsigned int *didvar)
 {