pager: set $LESSSECURE whenver we invoke a pager

Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.

Prompted by #5666

diff --git a/man/less-variables.xml b/man/less-variables.xml
index 08e513c99f8e9d52f5db5dfc0ec988bc0337f856..c52511ca8e1842c873dc29a6bfe9913a9ef4e564 100644 (file)
--- a/man/less-variables.xml
+++ b/man/less-variables.xml
@@ -64,6 +64,15 @@
       the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
     </varlistentry>
 
+    <varlistentry id='lesssecure'>
+      <term><varname>$SYSTEMD_LESSSECURE</varname></term>
+
+      <listitem><para>Takes a boolean argument. Overrides the <varname>$LESSSECURE</varname> environment
+      variable when invoking the pager, which controls the "secure" mode of less (which disables commands
+      such as <literal>|</literal> which allow to easily shell out to external command lines). By default
+      less secure mode is enabled, with this setting it may be disabled.</para></listitem>
+    </varlistentry>
+
     <varlistentry id='colors'>
       <term><varname>$SYSTEMD_COLORS</varname></term>
 

diff --git a/man/systemctl.xml b/man/systemctl.xml
index 1c5502883700e73d8427096fcc886e21f6854e19..a3f0c3041a5707e93b45565b2022f7029534df30 100644 (file)
--- a/man/systemctl.xml
+++ b/man/systemctl.xml
@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
     <xi:include href="less-variables.xml" xpointer="pager"/>
     <xi:include href="less-variables.xml" xpointer="less"/>
     <xi:include href="less-variables.xml" xpointer="lesscharset"/>
+    <xi:include href="less-variables.xml" xpointer="lesssecure"/>
     <xi:include href="less-variables.xml" xpointer="colors"/>
     <xi:include href="less-variables.xml" xpointer="urlify"/>
   </refsect1>

diff --git a/man/systemd.xml b/man/systemd.xml
index a9040545c2ab6181998ba781912a86c550b5ca6a..c92cfef77689913cccd665872381e8638bc17c5c 100644 (file)
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -692,6 +692,7 @@
       <xi:include href="less-variables.xml" xpointer="pager"/>
       <xi:include href="less-variables.xml" xpointer="less"/>
       <xi:include href="less-variables.xml" xpointer="lesscharset"/>
+      <xi:include href="less-variables.xml" xpointer="lesssecure"/>
       <xi:include href="less-variables.xml" xpointer="colors"/>
       <xi:include href="less-variables.xml" xpointer="urlify"/>
 

diff --git a/src/shared/pager.c b/src/shared/pager.c
index e03be6d23b2d7f24264412881b65f889fd607c3f..9c21881241f5ff7dff33decab1c4372329785521 100644 (file)
--- a/src/shared/pager.c
+++ b/src/shared/pager.c
@@ -9,6 +9,7 @@
 #include <unistd.h>
 
 #include "copy.h"
+#include "env-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "io-util.h"
@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
                         _exit(EXIT_FAILURE);
                 }
 
-                /* Initialize a good charset for less. This is
-                 * particularly important if we output UTF-8
+                /* Initialize a good charset for less. This is particularly important if we output UTF-8
                  * characters. */
                 less_charset = getenv("SYSTEMD_LESSCHARSET");
                 if (!less_charset && is_locale_utf8())
@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
                         _exit(EXIT_FAILURE);
                 }
 
+                /* People might invoke us from sudo, don't needlessly allow less to be a way to shell out
+                 * privileged stuff. */
+                r = getenv_bool("SYSTEMD_LESSSECURE");
+                if (r == 0) { /* Remove env var if off */
+                        if (unsetenv("LESSSECURE") < 0) {
+                                log_error_errno(errno, "Failed to uset environment variable LESSSECURE: %m");
+                                _exit(EXIT_FAILURE);
+                        }
+                } else {
+                        /* Set env var otherwise */
+                        if (r < 0)
+                                log_warning_errno(r, "Unable to parse $SYSTEMD_LESSSECURE, ignoring: %m");
+
+                        if (setenv("LESSSECURE", "1", 1) < 0) {
+                                log_error_errno(errno, "Failed to set environment variable LESSSECURE: %m");
+                                _exit(EXIT_FAILURE);
+                        }
+                }
+
                 if (pager_args) {
                         r = loop_write(exe_name_pipe[1], pager_args[0], strlen(pager_args[0]) + 1, false);
                         if (r < 0) {