Last active
May 18, 2023 07:19
-
-
Save ItsProfessional/63300b874cb317d14924ebd971c49c04 to your computer and use it in GitHub Desktop.
Pkexec patch to pass-through ALL environment variables as-is (warning: this is insecure and introduces vulnerabilities via environment variables like LD_PRELOAD and LD_LIBRARY_PATH)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From ebfa88955c5cee76bbf6d726209c155f08e27c46 Mon Sep 17 00:00:00 2001 | |
From: ItsProfessional <63961221+ItsProfessional@users.noreply.github.com> | |
Date: Tue, 16 May 2023 18:27:04 +0530 | |
Subject: [PATCH] keep all environment variables in pkexec | |
--- | |
src/programs/pkexec.c | 55 +++++-------------------------------------- | |
1 file changed, 6 insertions(+), 49 deletions(-) | |
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c | |
index 98aa151..4b3d8f7 100644 | |
--- a/src/programs/pkexec.c | |
+++ b/src/programs/pkexec.c | |
@@ -419,7 +419,7 @@ validate_environment_variable (const gchar *key, | |
key); | |
g_printerr ("\n" | |
"This incident has been reported.\n"); | |
- goto out; | |
+ // goto out; | |
} | |
ret = TRUE; | |
@@ -453,37 +453,7 @@ main (int argc, char *argv[]) | |
struct passwd pwstruct; | |
gchar pwbuf[8192]; | |
gchar *s; | |
- const gchar *environment_variables_to_save[] = { | |
- "SHELL", | |
- "LANG", | |
- "LINGUAS", | |
- "LANGUAGE", | |
- "LC_COLLATE", | |
- "LC_CTYPE", | |
- "LC_MESSAGES", | |
- "LC_MONETARY", | |
- "LC_NUMERIC", | |
- "LC_TIME", | |
- "LC_ALL", | |
- "TERM", | |
- "COLORTERM", | |
- | |
- /* By default we don't allow running X11 apps, as it does not work in the | |
- * general case. See | |
- * | |
- * https://bugs.freedesktop.org/show_bug.cgi?id=17970#c26 | |
- * | |
- * and surrounding comments for a lot of discussion about this. | |
- * | |
- * However, it can be enabled for some selected and tested legacy programs | |
- * which previously used e. g. gksu, by setting the | |
- * org.freedesktop.policykit.exec.allow_gui annotation to a nonempty value. | |
- * See https://bugs.freedesktop.org/show_bug.cgi?id=38769 for details. | |
- */ | |
- "DISPLAY", | |
- "XAUTHORITY", | |
- NULL | |
- }; | |
+ gchar** environment_variables_to_save = g_listenv(); | |
GPtrArray *saved_env; | |
gchar *opt_user; | |
pid_t pid_of_caller; | |
@@ -909,20 +879,6 @@ main (int argc, char *argv[]) | |
goto out; | |
} | |
- /* Set PATH to a safe list */ | |
- g_ptr_array_add (saved_env, g_strdup ("PATH")); | |
- if (pw->pw_uid != 0) | |
- s = g_strdup_printf ("/usr/bin:/bin:/usr/sbin:/sbin:%s/bin", pw->pw_dir); | |
- else | |
- s = g_strdup_printf ("/usr/sbin:/usr/bin:/sbin:/bin:%s/bin", pw->pw_dir); | |
- g_ptr_array_add (saved_env, s); | |
- g_ptr_array_add (saved_env, g_strdup ("LOGNAME")); | |
- g_ptr_array_add (saved_env, g_strdup (pw->pw_name)); | |
- g_ptr_array_add (saved_env, g_strdup ("USER")); | |
- g_ptr_array_add (saved_env, g_strdup (pw->pw_name)); | |
- g_ptr_array_add (saved_env, g_strdup ("HOME")); | |
- g_ptr_array_add (saved_env, g_strdup (pw->pw_dir)); | |
- | |
s = g_strdup_printf ("%d", getuid ()); | |
g_ptr_array_add (saved_env, g_strdup ("PKEXEC_UID")); | |
g_ptr_array_add (saved_env, s); | |
@@ -934,9 +890,10 @@ main (int argc, char *argv[]) | |
const gchar *value = saved_env->pdata[n + 1]; | |
/* Only set $DISPLAY and $XAUTHORITY when explicitly allowed in the .policy */ | |
- if (!allow_gui && | |
- (strcmp (key, "DISPLAY") == 0 || strcmp (key, "XAUTHORITY") == 0)) | |
- continue; | |
+ // patchers note: we passthrough all environment variables anyway, so why not pass these aswell | |
+ // if (!allow_gui && | |
+ // (strcmp (key, "DISPLAY") == 0 || strcmp (key, "XAUTHORITY") == 0)) | |
+ // continue; | |
if (!g_setenv (key, value, TRUE)) | |
{ | |
-- | |
2.40.1 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment