only use SQFSMNT_FWD_ prefix for setuid vars - so that PATH etc are s…

…et when squashfs-mount is called
eth-cscs · Oct 16, 2024 · 03effa7 · 03effa7
1 parent da95476
commit 03effa7
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 1 deletion.
diff --git a/src/uenv/env.cpp b/src/uenv/env.cpp
@@ -355,11 +355,53 @@ std::unordered_map<std::string, std::string> getenv(const env& environment) {
     return env_vars;
 }
 
+// list of environment variables that are ignored in setuid applications
+// the full list is defined here:
+//      https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/generic/unsecvars.h
+std::set<std::string_view> unsecure_envvars__{
+    "GCONV_PATH",
+    "GETCONF_DIR",
+    "GLIBC_TUNABLES",
+    "HOSTALIASES",
+    "LD_AUDIT",
+    "LD_BIND_NOT",
+    "LD_BIND_NOW",
+    "LD_DEBUG",
+    "LD_DEBUG_OUTPUT",
+    "LD_DYNAMIC_WEAK",
+    "LD_LIBRARY_PATH",
+    "LD_ORIGIN_PATH",
+    "LD_PRELOAD",
+    "LD_PROFILE",
+    "LD_SHOW_AUXV",
+    "LD_VERBOSE",
+    "LD_WARN",
+    "LOCALDOMAIN",
+    "LOCPATH",
+    "MALLOC_ARENA_MAX",
+    "MALLOC_ARENA_TEST",
+    "MALLOC_MMAP_MAX_",
+    "MALLOC_MMAP_THRESHOLD_",
+    "MALLOC_PERTURB_",
+    "MALLOC_TOP_PAD_",
+    "MALLOC_TRACE",
+    "MALLOC_TRIM_THRESHOLD_",
+    "NIS_PATH",
+    "NLSPATH",
+    "RESOLV_HOST_CONF",
+    "RES_OPTIONS",
+    "TMPDIR",
+};
+
 util::expected<int, std::string>
 setenv(const std::unordered_map<std::string, std::string>& variables,
        const std::string& prefix) {
     for (auto var : variables) {
-        std::string fwd_name = prefix + var.first;
+        // prepend prefix to unsecure environment variables
+        std::string fwd_name = unsecure_envvars__.contains(var.first)
+                                   ? prefix + var.first
+                                   : var.first;
+        fmt::println("setting {} to {}", fwd_name, var.second);
         if (auto rcode = ::setenv(fwd_name.c_str(), var.second.c_str(), true)) {
             switch (rcode) {
             case EINVAL:
@@ -372,6 +414,7 @@ setenv(const std::unordered_map<std::string, std::string>& variables,
                     fmt::format("unknown error setting {}", fwd_name));
             }
         }
+        fmt::println("set!");
     }
     return 0;
 }

diff --git a/test/integration/cli.bats b/test/integration/cli.bats
@@ -154,3 +154,37 @@ function teardown() {
     assert_failure
     assert_line --partial "Permission denied"
 }
+
+@test "run" {
+    export UENV_REPO_PATH=$REPOS/apptool
+
+    #
+    # check that run looks up images in the repo and mounts at the correct location
+    #
+    run uenv run tool -- ls /user-tools
+    assert_success
+    assert_output --regexp "meta"
+
+    run uenv run app/42.0:v1 -- ls /user-environment
+    assert_success
+    assert_output --regexp "meta"
+
+    #
+    # check --view
+    #
+    run uenv run --view=tool tool -- tool
+    assert_success
+    assert_output "hello tool"
+
+    run uenv run --view=app app/42.0:v1 -- app
+    assert_success
+    assert_output "hello app"
+
+    #
+    # check --view works when reading meta data from inside a standalone sqfs file
+    #
+
+    run uenv run --view=tool $SQFS_LIB/apptool/standalone/tool.squashfs -- tool
+    assert_success
+    assert_output "hello tool"
+}