author | Lennart Poettering <lennart@poettering.net> | 2021-08-16 16:41:34 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-08-17 13:17:44 +0200 |
commit | 7a6abbe93762fe23d415144ae7a040df3266bb5f (patch) | |
tree | 3c241ce87c245becbe36b6e3f1b366b32f2f6461 | |
parent | 8b474a437ce980bd0909db59141b40d56f6d5688 (diff) | |
download | systemd-7a6abbe93762fe23d415144ae7a040df3266bb5f.tar.gz |
env-util: add unsetenv_erase() helper
Let's unify how we remove secrets from the env block.
-rw-r--r-- | src/basic/env-util.c | 17 | ||||
-rw-r--r-- | src/basic/env-util.h | 2 | ||||
-rw-r--r-- | src/cryptenroll/cryptenroll-password.c | 4 | ||||
-rw-r--r-- | src/cryptenroll/cryptenroll.c | 4 | ||||
-rw-r--r-- | src/cryptsetup/cryptsetup-fido2.c | 5 | ||||
-rw-r--r-- | src/home/homectl.c | 11 | ||||
-rw-r--r-- | src/shared/pkcs11-util.c | 5 | ||||
-rw-r--r-- | src/test/test-env-util.c | 47 |
8 files changed, 77 insertions, 18 deletions
diff --git a/src/basic/env-util.c b/src/basic/env-util.c
index cb49125644..b42ca50b25 100644
--- a/src/basic/env-util.c
+++ b/src/basic/env-util.c
@@ -870,3 +870,20 @@ int getenv_path_list(const char *name, char ***ret_paths) {
 *ret_paths = TAKE_PTR(l);
 return 1;
 }
+
+int unsetenv_erase(const char *name) {
+ char *p;
+
+ assert(name);
+
+ p = getenv(name);
+ if (!p)
+ return 0;
+
+ string_erase(p);
+
+ if (unsetenv(name) < 0)
+ return -errno;
+
+ return 1;
+}
diff --git a/src/basic/env-util.h b/src/basic/env-util.h
index bee284b168..38bfc8a3f2 100644
--- a/src/basic/env-util.h
+++ b/src/basic/env-util.h
@@ -68,3 +68,5 @@ int setenv_systemd_exec_pid(bool update_only);
 /* Parses and does sanity checks on an environment variable containing
 * PATH-like colon-separated absolute paths */
 int getenv_path_list(const char *name, char ***ret_paths);
+
+int unsetenv_erase(const char *name);
diff --git a/src/cryptenroll/cryptenroll-password.c b/src/cryptenroll/cryptenroll-password.c
index 0314831174..1775912d8e 100644
--- a/src/cryptenroll/cryptenroll-password.c
+++ b/src/cryptenroll/cryptenroll-password.c
@@ -2,6 +2,7 @@
 #include "ask-password-api.h"
 #include "cryptenroll-password.h"
+#include "env-util.h"
 #include "escape.h"
 #include "memory-util.h"
 #include "pwquality-util.h"
@@ -27,8 +28,7 @@ int enroll_password(
 if (!new_password)
 return log_oom();
- string_erase(e);
- assert_se(unsetenv("NEWPASSWORD") == 0);
+ assert_se(unsetenv_erase("NEWPASSWORD") >= 0);
 } else {
 _cleanup_free_ char *disk_path = NULL;
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index f2e194e88c..cf99aab96d 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -12,6 +12,7 @@
 #include "cryptenroll-wipe.h"
 #include "cryptenroll.h"
 #include "cryptsetup-util.h"
+#include "env-util.h"
 #include "escape.h"
 #include "libfido2-util.h"
 #include "main-func.h"
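Review bot: In src/basic/env-util.c, unsetenv_erase() wipes only the one string getenv() hands back, so if the environment block carries the same name twice the later value is unlinked by unsetenv() with its bytes still intact in memory (glibc's unsetenv() removes every match as far as I know, while getenv() returns the first). For a helper whose whole purpose is scrubbing secrets, erasing every matching entry before the unsetenv() closes that gap; the sketch below assumes `environ` is declared in this file. The function also has no comment for its return contract, which the callers only test with `>= 0`: `/* Returns 0 if the variable was not set, 1 if its value was wiped and the variable removed, -errno if unsetenv() fails */` above the definition would cover it.

```c
int unsetenv_erase(const char *name) {
        bool found = false;
        size_t n;

        assert(name);

        n = strlen(name);
        if (n == 0)
                return 0;

        /* Wipe every value stored under this name, getenv() would only show us the first one */
        for (char **e = environ; e && *e; e++)
                if (strncmp(*e, name, n) == 0 && (*e)[n] == '=') {
                        string_erase(*e + n + 1);
                        found = true;
                }
        if (!found)
                return 0;

        /* … unchanged: unsetenv() call, -errno on failure, return 1 … */
}
```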
@@ -426,8 +427,7 @@ static int prepare_luks(
 if (!password)
 return log_oom();
- string_erase(e);
- assert_se(unsetenv("PASSWORD") >= 0);
+ assert_se(unsetenv_erase("PASSWORD") >= 0);
 r = crypt_volume_key_get(
 cd,
diff --git a/src/cryptsetup/cryptsetup-fido2.c b/src/cryptsetup/cryptsetup-fido2.c
index dfaded3cdb..74b6bff1aa 100644
--- a/src/cryptsetup/cryptsetup-fido2.c
+++ b/src/cryptsetup/cryptsetup-fido2.c
@@ -2,6 +2,7 @@
 #include "ask-password-api.h"
 #include "cryptsetup-fido2.h"
+#include "env-util.h"
 #include "fileio.h"
 #include "hexdecoct.h"
 #include "json.h"
@@ -70,9 +71,7 @@ int acquire_fido2_key(
 if (!pins)
 return log_oom();
- string_erase(e);
- if (unsetenv("PIN") < 0)
- return log_error_errno(errno, "Failed to unset $PIN: %m");
+ assert_se(unsetenv_erase("PIN") >= 0);
 }
 for (;;) {
diff --git a/src/home/homectl.c b/src/home/homectl.c
index a4c0a47ce5..66e1467d1a 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -215,9 +215,7 @@ static int acquire_existing_password(
 if (r < 0)
 return log_error_errno(r, "Failed to store password: %m");
- string_erase(e);
- assert_se(unsetenv("PASSWORD") == 0);
-
+ assert_se(unsetenv_erase("PASSWORD") >= 0);
 return 1;
 }
@@ -273,9 +271,7 @@ static int acquire_token_pin(
 if (r < 0)
 return log_error_errno(r, "Failed to store token PIN: %m");
- string_erase(e);
- assert_se(unsetenv("PIN") == 0);
-
+ assert_se(unsetenv_erase("PIN") >= 0);
 return 1;
 }
@@ -1097,8 +1093,7 @@ static int acquire_new_password(
 if (r < 0)
 return log_error_errno(r, "Failed to store password: %m");
- string_erase(e);
- assert_se(unsetenv("NEWPASSWORD") == 0);
+ assert_se(unsetenv_erase("NEWPASSWORD") >= 0);
 if (ret)
 *ret = TAKE_PTR(copy);
diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c
index 9fc577ca3c..ff3f245699 100644
--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
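Review bot: In acquire_fido2_key() (src/cryptsetup/cryptsetup-fido2.c), and again in pkcs11_token_login() in src/shared/pkcs11-util.c, a failure to unset $PIN was previously logged and returned to the caller and now goes through assert_se(), which I would expect to abort the process. With a literal name the call can hardly fail, but both paths hold a copy of the PIN in memory at that point, so an abort there may carry it into a core dump, and shared helper code is normally expected to propagate errors rather than terminate. Assuming an `int r` is in scope (both function bodies extend outside the hunks), the old shape is cheap to keep: `r = unsetenv_erase("PIN");` followed by `if (r < 0) return log_error_errno(r, "Failed to unset $PIN: %m");`.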
@@ -3,6 +3,7 @@
 #include <fcntl.h>
 #include "ask-password-api.h"
+#include "env-util.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "format-table.h"
@@ -245,9 +246,7 @@ int pkcs11_token_login(
 if (!passwords)
 return log_oom();
- string_erase(e);
- if (unsetenv("PIN") < 0)
- return log_error_errno(errno, "Failed to unset $PIN: %m");
+ assert_se(unsetenv_erase("PIN") >= 0);
 } else if (headless)
 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
 else {
diff --git a/src/test/test-env-util.c b/src/test/test-env-util.c
index c689d5590e..0e4b832ba8 100644
--- a/src/test/test-env-util.c
+++ b/src/test/test-env-util.c
@@ -428,6 +428,52 @@ static void test_setenv_systemd_exec_pid(void) {
 assert_se(set_unset_env("SYSTEMD_EXEC_PID", saved, 1) >= 0);
 }
+static void test_unsetenv_erase(void) {
+ int r;
+
+ log_info("/* %s */", __func__);
+
+ r = safe_fork("(sd-unsetenverase)", FORK_DEATHSIG|FORK_LOG|FORK_WAIT, NULL);
+ if (r == 0) {
+ _cleanup_strv_free_ char **l = NULL;
+ char **e;
+
+ /* child */
+
+ assert_se(unsetenv_erase("thisenvvardefinitelywontexist") == 0);
+
+ l = strv_new("FOO=BAR", "QUUX=PIFF", "ONE=TWO", "A=B");
+ assert_se(strv_length(l) == 4);
+
+ environ = l;
+
+ STRV_FOREACH(e, environ) {
+ _cleanup_free_ char *n = NULL;
+ char *eq;
+
+ eq = strchr(*e, '=');
+ if (!eq)
+ continue;
+
+ n = strndup(*e, eq - *e);
+ assert_se(n);
+
+ assert_se(streq_ptr(getenv(n), eq + 1));
+ assert_se(getenv(n) == eq + 1);
+ assert_se(unsetenv_erase(n) > 0);
+ assert_se(isempty(eq + 1));
+ assert_se(!getenv(n));
+ }
+
+ environ = NULL;
+ l = strv_free(l);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ assert_se(r > 0);
+}
+
 int main(int argc, char *argv[]) {
 test_setup_logging(LOG_DEBUG);
@@ -451,6 +497,7 @@ int main(int argc, char *argv[]) {
 test_env_assignment_is_valid();
 test_putenv_dup();
 test_setenv_systemd_exec_pid();
+ test_unsetenv_erase();
 return 0;
 }
|
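Review bot: The loop in test_unsetenv_erase() (src/test/test-env-util.c) walks `environ` with STRV_FOREACH while unsetenv_erase() removes entries from that same array; if unsetenv() compacts the array in place, as glibc's does to my knowledge, each removal slides the next entry under the cursor and only every other variable (FOO and ONE here) is actually exercised. Always taking the first remaining entry avoids that, e.g. `while (environ[0]) { char *s = environ[0]; … }`, with `assert_se(strv_isempty(environ));` after the loop to prove all four were removed. Separately, `assert_se(isempty(eq + 1))` appears to prove only that the first byte of the value was cleared; recording `strlen(eq + 1)` before the call and checking that every one of those bytes is zero afterwards would pin the wipe itself, which is the property this helper exists for.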