From 23f4ee4359d10f66e1938ce6b1d92d3cc77865ff Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 20 Nov 2013 11:58:22 -0500
Subject: Use secure_getenv in client and mechglue module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.

Resolves: https://fedorahosted.org/gss-proxy/ticket/110

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
 proxy/src/gp_util.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'proxy/src/gp_util.c')

diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
index 8400da1..a6c870f 100644
--- a/proxy/src/gp_util.c
+++ b/proxy/src/gp_util.c
@@ -23,8 +23,10 @@
    DEALINGS IN THE SOFTWARE.
 */
 
+#include "config.h"
 #include <stdbool.h>
 #include <string.h>
+#include <stdlib.h>
 
 bool gp_same(const char *a, const char *b)
 {
@@ -46,3 +48,21 @@ bool gp_boolean_is_true(const char *s)
 
     return false;
 }
+
+char *gp_getenv(const char *name)
+{
+#if HAVE_SECURE_GETENV
+    return secure_getenv(name);
+#elif HAVE___SECURE_GETENV
+    return __secure_getenv(name);
+#else
+#include <unistd.h>
+#include <sys/types.h>
+#warning secure_getenv not available, falling back to poorman emulation
+    if ((getuid() == geteuid()) &&
+        (getgid() == getegid())) {
+        return getenv(name);
+    }
+    return NULL;
+#endif
+}
-- 
cgit