secure_getenv checks if you're setuid, setgid, or have capabilities - and if so avoids using getenv.
if getenv is used in a setuid root process, there's a good chance it could be used for escalating privileges.
the intended replacement is:
    if (issetugid())
        return NULL;
    return getenv(...);
this is done in 0022-Use-getenv-when-secure-versions-are-not-available.patch.
(I don't use this project, but was searching for something related and came across this result...)
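Added example, not part of the comment above and not the project's patch: one way a fallback for a missing secure_getenv can be written so that it also covers the capabilities case on Linux, where issetugid() is not provided by glibc. The names ids_indicate_privilege, process_is_privileged and fallback_secure_getenv, and the DEMO_PLUGIN_DIR variable, are hypothetical.

```c
/* Added example: fallback for platforms without secure_getenv(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#endif

/* Pure decision: privileged if real/effective IDs differ, or the kernel
 * flagged the exec as secure (setuid, setgid or file capabilities). */
int ids_indicate_privilege(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                           unsigned long at_secure)
{
    return ruid != euid || rgid != egid || at_secure != 0;
}

int process_is_privileged(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid() != 0;            /* the check quoted in the comment */
#else
    unsigned long at_secure = 0;
#if defined(__linux__)
    /* An ID comparison alone misses binaries that gained capabilities. */
    at_secure = getauxval(AT_SECURE);
#endif
    return ids_indicate_privilege(getuid(), geteuid(), getgid(), getegid(),
                                  at_secure);
#endif
}

/* Returns NULL instead of the environment value when running privileged. */
const char *fallback_secure_getenv(const char *name)
{
    if (name == NULL || process_is_privileged())
        return NULL;
    return getenv(name);
}

int main(void)
{
    setenv("DEMO_PLUGIN_DIR", "/opt/demo", 1);   /* constructed sample value */
    const char *v = fallback_secure_getenv("DEMO_PLUGIN_DIR");
    printf("privileged=%d value=%s\n", process_is_privileged(),
           v ? v : "(ignored)");
    return 0;
}
```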