Pkexec patch to pass-through ALL environment variables as-is (warning: this is insecure and introduces vulnerabilities via environment variables like LD_PRELOAD and LD_LIBRARY_PATH)

keepenv.patch

From ebfa88955c5cee76bbf6d726209c155f08e27c46 Mon Sep 17 00:00:00 2001
From: ItsProfessional <63961221+ItsProfessional@users.noreply.github.com>
Date: Tue, 16 May 2023 18:27:04 +0530
Subject: [PATCH] keep all environment variables in pkexec

---
 src/programs/pkexec.c | 55 +++++--------------------------------------
 1 file changed, 6 insertions(+), 49 deletions(-)

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 98aa151..4b3d8f7 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -419,7 +419,7 @@ validate_environment_variable (const gchar *key,
                    key);
       g_printerr ("\n"
                   "This incident has been reported.\n");
-      goto out;
+      // goto out;
     }
 
   ret = TRUE;
@@ -453,37 +453,7 @@ main (int argc, char *argv[])
   struct passwd pwstruct;
   gchar pwbuf[8192];
   gchar *s;
-  const gchar *environment_variables_to_save[] = {
-    "SHELL",
-    "LANG",
-    "LINGUAS",
-    "LANGUAGE",
-    "LC_COLLATE",
-    "LC_CTYPE",
-    "LC_MESSAGES",
-    "LC_MONETARY",
-    "LC_NUMERIC",
-    "LC_TIME",
-    "LC_ALL",
-    "TERM",
-    "COLORTERM",
-
-    /* By default we don't allow running X11 apps, as it does not work in the
-     * general case. See
-     *
-     *  https://bugs.freedesktop.org/show_bug.cgi?id=17970#c26
-     *
-     * and surrounding comments for a lot of discussion about this.
-     *
-     * However, it can be enabled for some selected and tested legacy programs
-     * which previously used e. g. gksu, by setting the
-     * org.freedesktop.policykit.exec.allow_gui annotation to a nonempty value.
-     * See https://bugs.freedesktop.org/show_bug.cgi?id=38769 for details.
-     */
-    "DISPLAY",
-    "XAUTHORITY",
-    NULL
-  };
+  gchar** environment_variables_to_save = g_listenv();
   GPtrArray *saved_env;
   gchar *opt_user;
   pid_t pid_of_caller;
@@ -909,20 +879,6 @@ main (int argc, char *argv[])
       goto out;
     }
 
-  /* Set PATH to a safe list */
-  g_ptr_array_add (saved_env, g_strdup ("PATH"));
-  if (pw->pw_uid != 0)
-    s = g_strdup_printf ("/usr/bin:/bin:/usr/sbin:/sbin:%s/bin", pw->pw_dir);
-  else
-    s = g_strdup_printf ("/usr/sbin:/usr/bin:/sbin:/bin:%s/bin", pw->pw_dir);
-  g_ptr_array_add (saved_env, s);
-  g_ptr_array_add (saved_env, g_strdup ("LOGNAME"));
-  g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
-  g_ptr_array_add (saved_env, g_strdup ("USER"));
-  g_ptr_array_add (saved_env, g_strdup (pw->pw_name));
-  g_ptr_array_add (saved_env, g_strdup ("HOME"));
-  g_ptr_array_add (saved_env, g_strdup (pw->pw_dir));
-
   s = g_strdup_printf ("%d", getuid ());
   g_ptr_array_add (saved_env, g_strdup ("PKEXEC_UID"));
   g_ptr_array_add (saved_env, s);
@@ -934,9 +890,10 @@ main (int argc, char *argv[])
       const gchar *value = saved_env->pdata[n + 1];
 
       /* Only set $DISPLAY and $XAUTHORITY when explicitly allowed in the .policy */
-      if (!allow_gui &&
-              (strcmp (key, "DISPLAY") == 0 || strcmp (key, "XAUTHORITY") == 0))
-          continue;
+      // patchers note: we passthrough all environment variables anyway, so why not pass these aswell
+      // if (!allow_gui &&
+      //         (strcmp (key, "DISPLAY") == 0 || strcmp (key, "XAUTHORITY") == 0))
+      //     continue;
 
       if (!g_setenv (key, value, TRUE))
         {
-- 
2.40.1