From 0ba24952f58f21ff89b726eaf02d847f0fee28d1 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Tue, 13 Feb 2024 12:47:53 +0800
Subject: [PATCH] core/manager: don't propagate manager session env to children

Follow-up for 4cb4e6cf6dce2b66dcb59a8534aa6ca885e2f732
Fixes #31287
---
 src/core/manager.c | 14 +++++++++++++-
 src/login/pam_systemd.c | 3 +++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/core/manager.c b/src/core/manager.c
index c17bd5c8df7..e8c747d96d9 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -667,7 +667,9 @@ int manager_default_environment(Manager *m) {
 /* Import locale variables LC_*= from configuration */
 (void) locale_setup(&m->transient_environment);
 } else {
- /* The user manager passes its own environment along to its children, except for $PATH. */
+ /* The user manager passes its own environment along to its children, except for $PATH and
+ * session envs. */
+
 m->transient_environment = strv_copy(environ);
 if (!m->transient_environment)
 return log_oom();
@@ -675,6 +677,16 @@ int manager_default_environment(Manager *m) {
 r = strv_env_replace_strdup(&m->transient_environment, "PATH=" DEFAULT_USER_PATH);
 if (r < 0)
 return log_oom();
+
+ /* Envvars set for our 'manager' class session are private and should not be propagated
+ * to children. Also it's likely that the graphical session will set these on their own. */
+ strv_env_unset_many(m->transient_environment,
+ "XDG_SESSION_ID",
+ "XDG_SESSION_CLASS",
+ "XDG_SESSION_TYPE",
+ "XDG_SESSION_DESKTOP",
+ "XDG_SEAT",
+ "XDG_VTNR");
 }

 sanitize_environment(m->transient_environment);
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
index 0e67d063a4c..9aa298c6542 100644
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
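Review bot: The `strv_env_unset_many()` call added to the user-manager branch of manager_default_environment() ends its argument list at `"XDG_VTNR"` with no terminator, which is only safe if the helper is a macro that appends the sentinel itself. Its declaration is not part of this patch, so this is worth checking when the change is applied to another branch. If the target tree declares it as a plain sentinel-terminated variadic function, the last argument should read `"XDG_VTNR", NULL);`, otherwise the callee reads past the supplied arguments. The function body starts and ends outside the hunk.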
@@ -1150,6 +1150,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
 "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
 id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);

+ /* Please update manager_default_environment() in core/manager.c accordingly if more session envvars
+ * shall be added. */
+
 r = update_environment(handle, "XDG_SESSION_ID", id);
 if (r != PAM_SUCCESS)
 return r;
-- 
2.39.2
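Review bot: The reminder comment placed before `update_environment(handle, "XDG_SESSION_ID", id)` is the only link between the variables pam_sm_open_session() exports and the unset list in manager_default_environment(), so the two lists can drift apart silently. A session variable added here later would then be inherited by every unit the user manager starts, which is the leak this commit closes. A single shared definition of the session variable names, used by both files, would let the compiler enforce what the comment only asks for. Failing that, the comment could name the six variables currently covered so a reviewer can compare the lists at a glance. pam_sm_open_session() continues outside the hunk, so the full set of variables it exports is not visible here.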