Add a -E option, exposing all environment variables (LP: #2039093).

1 year ago · 46d06f9171
parent d81b1c7857
commit 46d06f9171
3 changed files with 87 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+lxqt-sudo (1.3.0-0ubuntu1.1) mantic; urgency=medium
+
+  * Add a -E option, exposing all environment variables (LP: #2039093).
+
+ -- Simon Quigley <tsimonq2@ubuntu.com>  Wed, 11 Oct 2023 12:02:21 -0500
+
 lxqt-sudo (1.3.0-0ubuntu1) mantic; urgency=medium

  * New upstream release.
--- a/debian/patches/bypass-envvar-allowlist.patch
+++ b/debian/patches/bypass-envvar-allowlist.patch
@ -0,0 +1,80 @@
+Description: Add a -E option, exposing all environment variables
+ Some system tools (such as ubuntu-release-upgrader) read XDG* (etc.), so allow the user to opt-in to preserving those.
+Author: Simon Quigley <tsimonq2@lubuntu.me>
+Origin: upstream
+Forwarded: https://github.com/lxqt/lxqt-sudo/pull/204
+Last-Update: 2023-10-11
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/sudo.cpp
+++ b/sudo.cpp
+@@ -83,6 +83,7 @@ namespace
+                     "    -s|--su        Use %3(1) as backend.\n"
+                     "    -d|--sudo      Use %2(8) as backend.\n"
+                     "    -a|--doas      Use %4(1) as backend.\n"
+                    "    -E|--keep-env  Preserve all existing environment variables.\n"
+                     "  command          Command to run.\n"
+                     "  arguments        Optional arguments for command.\n\n").arg(app_master).arg(sudo_prog).arg(su_prog).arg(doas_prog);
+         if (!err.isEmpty())
+@@ -113,8 +114,13 @@ namespace
+     };
+     assert_helper h;
+ 
+-    inline std::string env_workarounds()
+    inline std::string env_workarounds(bool preserveEnv)
+     {
+        if (preserveEnv) {
+            std::cerr << LXQTSUDO << ": Preserving all environment variables.\n";
+            return "";
+        }
+
+         std::cerr << LXQTSUDO << ": Stripping child environment except for: ";
+         std::ostringstream left_env_params;
+         std::copy(ALLOWED_VARS, ALLOWED_END - 1, std::ostream_iterator<const char *>{left_env_params, ","});
+@@ -195,6 +201,10 @@ int Sudo::main()
+         {
+             mBackend = BACK_DOAS;
+             mArgs.removeAt(0);
+        } else if (QStringLiteral("-E") == arg1 || QStringLiteral("--keep-env") == arg1)
+        {
+            mPreserveEnv = true;
+            mArgs.removeAt(0);
+         }
+     }
+     //any other arguments we simply forward to su/sudo
+@@ -286,11 +296,11 @@ void Sudo::child()
+     switch (mBackend)
+     {
+         case BACK_SUDO:
+-            preserve_env_param = "--preserve-env=";
+-
+-            preserve_env_param += env_workarounds();
+-
+-            *(param_arg++) = preserve_env_param.c_str(); //preserve environment
+            if(!mPreserveEnv) {
+                preserve_env_param = "--preserve-env=";
+                preserve_env_param += env_workarounds(mPreserveEnv);
+                *(param_arg++) = preserve_env_param.c_str(); //preserve environment
+            }
+             *(param_arg++) = "/bin/sh";
+             break;
+         case BACK_DOAS:
+@@ -298,7 +308,7 @@ void Sudo::child()
+             [[fallthrough]];
+         case BACK_SU:
+         case BACK_NONE:
+-            env_workarounds();
+            env_workarounds(mPreserveEnv);
+             break;
+ 
+     }
+--- a/sudo.h
+++ b/sudo.h
+@@ -81,6 +81,7 @@ private:
+     int mChildPid;
+     int mPwdFd;
+     int mRet;
+    bool mPreserveEnv = false;
+ };
+ 
+ #endif //SUDO_H
--- a/debian/patches/series
+++ b/debian/patches/series
@ -0,0 +1 @@
+bypass-envvar-allowlist.patch