Add secure_getenv.c

cf/roken-frag.m4

@@ -195,6 +195,7 @@ AC_CHECK_FUNCS([				\
 	on_exit					\
 	poll					\
 	random					\
+	secure_getenv				\
 	setprogname				\
 	strsvis					\
 	strsvisx				\

lib/roken/Makefile.am

@@ -118,6 +118,8 @@ libroken_la_SOURCES =		\
 	roken_gethostby.c	\
 	rtbl.c			\
 	rtbl.h			\
+	secure_getenv.c		\
+	secure_getenv.h		\
 	setprogname.c		\
 	signal.c		\
 	simple_exec.c		\

lib/roken/NTMakefile

@@ -86,6 +86,7 @@ libroken_la_OBJS =			\
 	$(OBJ)\rand.obj			\
 	$(OBJ)\roken_gethostby.obj	\
 	$(OBJ)\rtbl.obj			\
+	$(OBJ)\secure_getenv.obj	\
 	$(OBJ)\sendmsg.obj		\
 	$(OBJ)\setenv.obj		\
 	$(OBJ)\setprogname.obj		\

lib/roken/roken.h.in

@@ -833,6 +833,14 @@ ROKEN_LIB_FUNCTION unsigned long ROKEN_LIB_CALL
 ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
     issuid(void);
 
+ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL
+    rk_secure_getenv(const char *);
+
+#ifndef HAVE_SECURE_GETENV
+#undef secure_getenv
+#define secure_getenv(e) rk_secure_getenv(e)
+#endif
+
 #ifndef HAVE_STRUCT_WINSIZE
 struct winsize {
 	unsigned short ws_row, ws_col;

lib/roken/secure_getenv.c

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <errno.h>
+
+#include "roken.h"
+#include "secure_getenv.h"
+
+ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL
+rk_secure_getenv(const char *name)
+{
+    if (issuid())
+        return NULL;
+    return getenv(name);
+}

lib/roken/secure_getenv.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2017 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+ROKEN_LIB_FUNCTION char * ROKEN_LIB_CALL
+    rk_secure_getenv(const char *);
+
+#ifndef HAVE_SECURE_GETENV
+#undef secure_getenv
+#define secure_getenv(e) rk_secure_getenv(e)
+#endif

lib/roken/test-auxval.c

@@ -43,6 +43,27 @@
 #include "roken.h"
 #include "getauxval.h"
 
+static void
+check_secure_getenv(char **env)
+{
+    size_t i;
+    char *v;
+
+    for (i = 0; environ[i] != NULL; i++) {
+        if (strchr(environ[i], '=') == NULL)
+            continue;
+        if ((v = strdup(env[i])) == NULL)
+            err(1, "could not allocate copy of %s", env[i]);
+        *strchr(v, '=') = '\0';
+        if (issuid() && rk_secure_getenv(v) != NULL)
+            err(1, "rk_secure_getenv() returned non-NULL when issuid()!");
+        if (!issuid() && rk_secure_getenv(v) == NULL)
+            err(1, "rk_secure_getenv() returned NULL when !issuid()");
+        free(v);
+        return;
+    }
+}
+
 static void
 inject_suid(int suid)
 {
@@ -188,9 +209,11 @@ main(int argc, char **argv, char **env)
         errx(1, "rk_getauxv((max_type_seen = %lu) + 1) did not set "
              "errno = ENOENT!", max_t);
 
+    check_secure_getenv(env);
     inject_suid(!am_suid);
     if ((am_suid && issuid()) || (!am_suid && !issuid()))
         errx(1, "rk_injectprocauxv() failed");
+    check_secure_getenv(env);
 
     return 0;
 }

lib/roken/version-script.map

@@ -95,6 +95,7 @@ HEIMDAL_ROKEN_1.0 {
 		rk_read_environment;
 		rk_readv;
 		rk_realloc;
+		rk_secure_getenv;
 		rk_strerror;
 		rk_strerror_r;
 		rk_setprogname;