millert
commented
1 year ago That is an unintentional side effect of the change. The reason for keeping the environment point available was to make it possible to log that information for rejected commands in the sudoers audit plugin. However, since the command was rejected, it is probably better to just log the user's original environment in that case instead. It should be safe to revert this change but I will need to verify that it doesn't cause problems with sub-command logging.
qsW-git
mariushoch
Starting on version 1.9.4, specifically since this commit https://github.com/sudo-project/sudo/commit/7d0b19d2a0236ff50f8e8253ba86e1672399ae52, there is a change in the behaviour of the setenv/getenv functions when these are called from a pam_module or anything that is called from
policy_init_session.The previous behaviour was that the env functions made mofications on the environ pointer from the pam process. After this change the changes are made to the private enviroment from sudo. This happens because the envp pointer from the sudo
env.envppointer is not null (now the functionsudoers_check_cmndonly calls toenv_init(NULL)on errors), so the setenv hooks are used and it does not modify the pam process environ pointer.Was this change intentional?
Thanks