Inheritance of PATH env var
Elliot Bräck
Elliot.Braeck at simcorp.com
Thu Sep 12 17:07:51 AWST 2024
Hi Matt,
Thanks. I'll send in a patch.
Should this behaviour also be changed for the other variables that are overwritten?
- On one hand, if we ask Dropbear to inherit the variables from the calling context, we are probably happy with whatever values they already have -- and if we're not, unsetting them prior to running Dropbear can still be used to cause the sshd to make up its own opinion as to the correct values of these variables.
- On the other hand, it seems very wrong to allow at least the inheritance of SSH_ variables.
What I've done is simply to make the smallest possible change that fixes my use-case. I tried to have a look at the other variables but I'm not sure how exactly they are used.
Thanks again,
ELLIOT BRÄCK
Software Engineer
Investment, OTC Core, Instruments Modelling
SimCorp A/S
Weidekampsgade 16, 2300 Copenhagen S, Denmark www.simcorp.com Company reg. no. 15505281
-----Original Message-----
From: Matt Johnston <matt at ucc.asn.au>
Sent: Wednesday, September 11, 2024 1:56 PM
To: Elliot Bräck <Elliot.Braeck at simcorp.com>
Cc: dropbear at ucc.asn.au
Subject: Re: Inheritance of PATH env var
Hi Elliot,
I think it was an oversight - the -e flag was added later.
Your proposed behaviour sounds good as a default, it doesn't need to have a flag.
Maybe that could be documented in dropbear.8 and I'll mention in the changelog.
/sbin will probably already be in the path if it's running as root, and otherwise the existing PATH from the parent should be suitable.
Cheers,
Matt
On 2024-09-11 7:34 pm, Elliot Bräck wrote:
> Hi there,
>
> When running dropbear with the flag -e ("Pass on server process
> environment to child process"), I noticed that the PATH variable still
> was not inherited.
>
> This is due to PATH unconditionally being set inside of
> `svr-chansession.c`:
>
> ```c
> if (getuid() == 0) {
>     addnewvar("PATH", DEFAULT_ROOT_PATH);
> } else {
>     addnewvar("PATH", DEFAULT_PATH);
> }
> ```
>
> Is this behaviour intentional?
> If not, what should the behaviour be? That if `-e` is set
> (svr_opts.pass_on_env), PATH should only be set to the default value
> if it does not already have a value from the environment?
> If it is, would a patch adding a non-default compile-time flag that
> changes this behaviour be accepted?
>
> My use-case is that I would like to run a dropbear server which
> inherits the PATH environment variable from the executing environment,
> but the value of this environment variable is not known at compile
> time.
>
> Thankful for your input,
>
> ELLIOT BRÄCK
> Software Engineer
> Investment, OTC Core, Instruments Modelling
>
> SimCorp A/S
> Weidekampsgade 16, 2300 Copenhagen S, Denmark www.simcorp.com Company
> reg. no. 15505281
>
>
> This message, and any associated files, is intended only for the use
> of the individual or entity to which it is addressed and may contain
> information that is confidential, privileged, subject to copyright or
> constitute a trade secret. If you are not the intended recipient you
> are hereby notified that any dissemination, copying, or distribution
> of this message or files associated with this message is strictly
> prohibited. If you have received this message in error, please notify
> us immediately or forward this message immediately to
> info at SimCorp.com...
>
> Thank You
> ________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Don-t-overwrite-PATH-if-e-is-set.patch
Type: application/octet-stream
Size: 1603 bytes
Desc: 0001-Don-t-overwrite-PATH-if-e-is-set.patch
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20240912/154ca1ed/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Document-environment-variable-inheritance-in-manpage.patch
Type: application/octet-stream
Size: 1239 bytes
Desc: 0002-Document-environment-variable-inheritance-in-manpage.patch
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20240912/154ca1ed/attachment-0001.obj>
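The two points discussed in this thread, as an added example that is neither Dropbear's code nor the attached patch: an inherited PATH is kept only when `-e` is set, and inherited SSH_* names are dropped before the child environment is built. The helper names `child_path` and `filter_inherited`, the two default path values and the sample environment are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the compile-time defaults named in the thread. */
#define DEFAULT_PATH      "/usr/bin:/bin"
#define DEFAULT_ROOT_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Hypothetical helper: value of PATH for the session child.
 * An inherited PATH wins only when -e (pass_on_env) is set and it is
 * non-empty; treating an empty PATH as unset is an assumption made here. */
const char *child_path(int pass_on_env, int is_root, const char *inherited)
{
    if (pass_on_env && inherited != NULL && inherited[0] != '\0')
        return inherited;
    return is_root ? DEFAULT_ROOT_PATH : DEFAULT_PATH;
}

/* Hypothetical filter: copy inherited "NAME=value" entries into out[],
 * dropping every SSH_* name so that only values the server sets for the
 * new session can reach the child. Returns the number of entries kept. */
size_t filter_inherited(const char *const in[], const char *out[], size_t max)
{
    size_t n = 0;
    if (max == 0)
        return 0;
    for (size_t i = 0; in[i] != NULL && n + 1 < max; i++) {
        if (strncmp(in[i], "SSH_", 4) == 0)
            continue;
        out[n++] = in[i];
    }
    out[n] = NULL; /* keep the result usable as an envp-style array */
    return n;
}

int main(void)
{
    /* Constructed parent environment, as if the server had been started
     * from inside another SSH session with a custom PATH. */
    const char *const parent[] = { "PATH=/opt/tools/bin:/usr/bin",
        "SSH_CONNECTION=192.0.2.1 50000 192.0.2.2 22",
        "SSH_AUTH_SOCK=/tmp/agent.sock", "LANG=C", NULL };
    const char *child[8];
    size_t kept = filter_inherited(parent, child, 8);

    printf("kept %zu inherited entries\n", kept);
    printf("PATH with -e:    %s\n", child_path(1, 0, "/opt/tools/bin:/usr/bin"));
    printf("PATH without -e: %s\n", child_path(0, 0, "/opt/tools/bin:/usr/bin"));
    return 0;
}
```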