diff --git a/debian/changelog b/debian/changelog
index 6d7634f..1a85d06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lxqt-sudo (1.3.0-0ubuntu1.1) mantic; urgency=medium
+
+ * Add a -E option, exposing all environment variables (LP: #2039093).
+
+ -- Simon Quigley Wed, 11 Oct 2023 12:02:21 -0500
+
 lxqt-sudo (1.3.0-0ubuntu1) mantic; urgency=medium

 * New upstream release.
diff --git a/debian/patches/bypass-envvar-allowlist.patch b/debian/patches/bypass-envvar-allowlist.patch
new file mode 100644
index 0000000..ec6ba59
--- /dev/null
+++ b/debian/patches/bypass-envvar-allowlist.patch
@@ -0,0 +1,80 @@
+Description: Add a -E option, exposing all environment variables
+ Some system tools (such as ubuntu-release-upgrader) read XDG* (etc.), so allow the user to opt-in to preserving those.
+Author: Simon Quigley
+Origin: upstream
+Forwarded: https://github.com/lxqt/lxqt-sudo/pull/204
+Last-Update: 2023-10-11
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sudo.cpp
++++ b/sudo.cpp
+@@ -83,6 +83,7 @@ namespace
+ " -s|--su Use %3(1) as backend.\n"
+ " -d|--sudo Use %2(8) as backend.\n"
+ " -a|--doas Use %4(1) as backend.\n"
++ " -E|--keep-env Preserve all existing environment variables.\n"
+ " command Command to run.\n"
+ " arguments Optional arguments for command.\n\n").arg(app_master).arg(sudo_prog).arg(su_prog).arg(doas_prog);
+ if (!err.isEmpty())
+@@ -113,8 +114,13 @@ namespace
+ };
+ assert_helper h;
+
+- inline std::string env_workarounds()
++ inline std::string env_workarounds(bool preserveEnv)
+ {
++ if (preserveEnv) {
++ std::cerr << LXQTSUDO << ": Preserving all environment variables.\n";
++ return "";
++ }
++
+ std::cerr << LXQTSUDO << ": Stripping child environment except for: ";
+ std::ostringstream left_env_params;
+ std::copy(ALLOWED_VARS, ALLOWED_END - 1, std::ostream_iterator{left_env_params, ","});
+@@ -195,6 +201,10 @@ int Sudo::main()
+ {
+ mBackend = BACK_DOAS;
+ mArgs.removeAt(0);
++ } else if (QStringLiteral("-E") == arg1 || QStringLiteral("--keep-env") == arg1)
++ {
++ mPreserveEnv = true;
++ mArgs.removeAt(0);
+ }
+ }
+ //any other arguments we simply forward to su/sudo
+@@ -286,11 +296,11 @@ void Sudo::child()
+ switch (mBackend)
+ {
+ case BACK_SUDO:
+- preserve_env_param = "--preserve-env=";
+-
+- preserve_env_param += env_workarounds();
+-
+- *(param_arg++) = preserve_env_param.c_str(); //preserve environment
++ if(!mPreserveEnv) {
++ preserve_env_param = "--preserve-env=";
++ preserve_env_param += env_workarounds(mPreserveEnv);
++ *(param_arg++) = preserve_env_param.c_str(); //preserve environment
++ }
+ *(param_arg++) = "/bin/sh";
+ break;
+ case BACK_DOAS:
+@@ -298,7 +308,7 @@ void Sudo::child()
+ [[fallthrough]];
+ case BACK_SU:
+ case BACK_NONE:
+- env_workarounds();
++ env_workarounds(mPreserveEnv);
+ break;
+
+ }
+--- a/sudo.h
++++ b/sudo.h
+@@ -81,6 +81,7 @@ private:
+ int mChildPid;
+ int mPwdFd;
+ int mRet;
++ bool mPreserveEnv = false;
+ };
+
+ #endif //SUDO_H
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2e54794
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+bypass-envvar-allowlist.patch
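Review bot: In the `BACK_SUDO` case of `Sudo::child()`, `-E` skips both the `--preserve-env=` argument and the only call to `env_workarounds()` on that path, so as far as the hunk shows the "Preserving all environment variables" line is never logged for sudo. What the privileged child receives is then left entirely to the sudoers policy (`env_reset`, `env_keep`), which this code neither sets nor documents. The call `env_workarounds(mPreserveEnv)` inside `if(!mPreserveEnv)` always passes `false`, so its new early-return branch is dead there. I would hoist it to `const std::string kept = env_workarounds(mPreserveEnv);` ahead of the `if`, and add a comment such as `// -E: allowlist bypassed; sudo's own env_reset/env_keep policy still decides what the child sees`. Separately, in `Sudo::main()` the `-E` test is chained as an `else if` after the backend flags and the enclosing construct lies outside the hunk, so it is worth confirming that `-E` combined with `-s`/`-d`/`-a` is parsed rather than forwarded as the command.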