[Bug 256233] security/doas: target user's login class gets ignored

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 01 Jun 2021 14:20:33 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256233

--- Comment #7 from jsmith_at_resonatingmedia.com ---
I think preserving LANG probably makes sense, keeping the original caller's
language settings. This probably got overlooked before since (as you pointed
out) OpenBSD doesn't define LANG in login.conf and I never have LANG set on my
FreeBSD machine. So it wasn't addressed originally in the code and it wouldn't
have come up when I was porting.

I'll look at preserving LANG, like HOME and and SHELL, as a special variable.
Off the top of my head, I don't think LANG can be used to do much harm.
Technically, I suppose, there is a way to mess with something in another
person's home directory using LANG, but if we have doas access to someone
else's HOME then there are easier ways to cause mayhem.

The PATH is hard coded on all platforms of the port at compile time. I think
originally OpenBSD's version hard coded the PATH right in a header file and it
wasn't changeable at build time without patching the code. (I may be mistaken,
but that is how I think it was set up.) Since each platform might use a
slightly different default PATH this was edited to allow easier build-time
changes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Received on Tue Jun 01 2021 - 14:20:33 UTC

Original text of this message