Add --disable-env-reset configure option.

INSTALL

@@ -625,6 +625,10 @@ The following options are also configurable at runtime:
 	Enable the creation of an Ubuntu-style admin flag file
 	the first time sudo is run.
 
+  --disable-env-reset
+        Disable environment resetting.  This sets the default value
+        of the "env_reset" Defaults option in sudoers to false.
+
 Shadow password and C2 support
 ==============================
 

NEWS

@@ -75,6 +75,10 @@ What's new in Sudo 1.7.5?
    by the "sudoers_locale" setting ("C" by default).  Email send by
    sudo now includes MIME headers when "sudoers_locale" is not "C".
 
+ * The configure script has a new option, --disable-env-reset, to
+   allow one to change the default for the sudoers Default setting
+   "env_reset" at compile time.
+
 What's new in Sudo 1.7.4p6?
 
  * A bug has been fixed in the I/O logging support that could cause

config.h.in

@@ -27,6 +27,9 @@
    variables. */
 #undef ENV_EDITOR
 
+/* Define to 1 to enable environment resetting by default. */
+#undef ENV_RESET
+
 /* If defined, users in this group need not enter a passwd (ie "sudo"). */
 #undef EXEMPTGROUP
 

configure

@@ -795,6 +795,7 @@ root_sudo
 insults
 tty_tickets
 passwd_tries
+env_reset
 env_editor
 runas_default
 fqdn
@@ -995,6 +996,7 @@ enable_shell_sets_home
 enable_path_info
 enable_env_debug
 enable_zlib
+enable_env_reset
 enable_warnings
 enable_admin_flag
 with_selinux
@@ -1651,6 +1653,7 @@ Optional Features:
   --disable-path-info     Print 'command not allowed' not 'command not found'
   --enable-env-debug      Whether to enable environment debugging.
   --enable-zlib[=PATH]    Whether to enable or disable zlib
+  --enable-env-reset      Whether to enable environment resetting by default.
   --enable-warnings       Whether to enable compiler warnings
   --enable-admin-flag     Whether to create a Ubuntu-style admin flag file
   --enable-gss-krb5-ccache-name
@@ -2970,6 +2973,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
 
 
 
+
 
 
 #
@@ -2998,6 +3002,7 @@ badpass_message="Sorry, try again."
 fqdn=off
 runas_default=root
 env_editor=off
+env_reset=on
 editor=vi
 passwd_tries=3
 tty_tickets=on
@@ -5562,6 +5567,35 @@ if test "${enable_zlib+set}" = set; then :
 fi
 
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to enable environment resetting by default" >&5
+$as_echo_n "checking whether to enable environment resetting by default... " >&6; }
+# Check whether --enable-env_reset was given.
+if test "${enable_env_reset+set}" = set; then :
+  enableval=$enable_env_reset;  case "$enableval" in
+    yes)	env_reset=on
+		;;
+    no)		env_reset=off
+		;;
+    *)		env_reset=on
+    		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Ignoring unknown argument to --enable-env-reset: $enableval" >&5
+$as_echo "$as_me: WARNING: Ignoring unknown argument to --enable-env-reset: $enableval" >&2;}
+		;;
+  esac
+
+fi
+
+if test "$env_reset" = "on"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+    $as_echo "#define ENV_RESET TRUE" >>confdefs.h
+
+else
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+    $as_echo "#define ENV_RESET FALSE" >>confdefs.h
+
+fi
+
 # Check whether --enable-warnings was given.
 if test "${enable_warnings+set}" = set; then :
   enableval=$enable_warnings;  case "$enableval" in
@@ -6751,13 +6785,13 @@ if test "${lt_cv_nm_interface+set}" = set; then :
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6754: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6788: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6757: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6791: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6760: output\"" >&5)
+  (eval echo "\"\$as_me:6794: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -7962,7 +7996,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 7965 "configure"' > conftest.$ac_ext
+  echo '#line 7999 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9354,11 +9388,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9357: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9391: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9361: \$? = $ac_status" >&5
+   echo "$as_me:9395: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9693,11 +9727,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9696: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9730: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9700: \$? = $ac_status" >&5
+   echo "$as_me:9734: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9798,11 +9832,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9801: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9835: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9805: \$? = $ac_status" >&5
+   echo "$as_me:9839: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9853,11 +9887,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9856: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9890: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9860: \$? = $ac_status" >&5
+   echo "$as_me:9894: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12220,7 +12254,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12223 "configure"
+#line 12257 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12316,7 +12350,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12319 "configure"
+#line 12353 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H

configure.in

@@ -88,6 +88,7 @@ AC_SUBST([badpass_message])
 AC_SUBST([fqdn])
 AC_SUBST([runas_default])
 AC_SUBST([env_editor])
+AC_SUBST([env_reset])
 AC_SUBST([passwd_tries])
 AC_SUBST([tty_tickets])
 AC_SUBST([insults])
@@ -125,6 +126,7 @@ badpass_message="Sorry, try again."
 fqdn=off
 runas_default=root
 env_editor=off
+env_reset=on
 editor=vi
 passwd_tries=3
 tty_tickets=on
@@ -1267,6 +1269,27 @@ AC_ARG_ENABLE(zlib,
 [AS_HELP_STRING([--enable-zlib[[=PATH]]], [Whether to enable or disable zlib])],
 [])
 
+AC_MSG_CHECKING(whether to enable environment resetting by default)
+AC_ARG_ENABLE(env_reset,
+[AS_HELP_STRING([--enable-env-reset], [Whether to enable environment resetting by default.])],
+[ case "$enableval" in
+    yes)	env_reset=on
+		;;
+    no)		env_reset=off
+		;;
+    *)		env_reset=on
+    		AC_MSG_WARN([Ignoring unknown argument to --enable-env-reset: $enableval])
+		;;
+  esac
+])
+if test "$env_reset" = "on"; then
+    AC_MSG_RESULT(yes)
+    AC_DEFINE(ENV_RESET, TRUE)
+else
+    AC_MSG_RESULT(no)
+    AC_DEFINE(ENV_RESET, FALSE)
+fi
+
 AC_ARG_ENABLE(warnings,
 [AS_HELP_STRING([--enable-warnings], [Whether to enable compiler warnings])],
 [ case "$enableval" in

doc/sudoers.man.in

@@ -875,7 +875,7 @@ and \f(CW\*(C`env_check\*(C'\fR lists are then added.  The default contents of t
 \&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
 run by root with the \fI\-V\fR option.  If the \fIsecure_path\fR option
 is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fIon\fR by default.
+This flag is \fI@env_reset@\fR by default.
 .IP "fast_glob" 16
 .IX Item "fast_glob"
 Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style

doc/sudoers.pod

@@ -741,7 +741,7 @@ and C<env_check> lists are then added.  The default contents of the
 C<env_keep> and C<env_check> lists are displayed when B<sudo> is
 run by root with the I<-V> option.  If the I<secure_path> option
 is set, its value will be used for the C<PATH> environment variable.
-This flag is I<on> by default.
+This flag is I<@env_reset@> by default.
 
 =item fast_glob
 

plugins/sudoers/defaults.c

@@ -446,7 +446,7 @@ init_defaults(void)
     def_iolog_file = estrdup("%{seq}");
     def_iolog_dir = estrdup(_PATH_SUDO_IO_LOGDIR);
     def_sudoers_locale = estrdup("C");
-    def_env_reset = TRUE;
+    def_env_reset = ENV_RESET;
     def_set_logname = TRUE;
     def_closefrom = STDERR_FILENO + 1;