user-util: extra paranoia, make sure $SHELL can't be fucked with in suid programs
authorLennart Poettering <lennart@poettering.net>
Tue, 12 Mar 2019 14:52:06 +0000 (15:52 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 12 Mar 2019 15:10:55 +0000 (16:10 +0100)
It's better to be safe than sorry, let's not allow overriding of the
user shell in suid binaries. Similar for $USER.

src/basic/user-util.c

index 5f1bd5f5a2000b98d86ce84e765ae556e9a0b484..a479590e479073befe857722ba337853c9ba8911 100644 (file)
@@ -80,7 +80,7 @@ char* getlogname_malloc(void) {
 char *getusername_malloc(void) {
         const char *e;
 
-        e = getenv("USER");
+        e = secure_getenv("USER");
         if (e)
                 return strdup(e);
 
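Review bot: In getusername_malloc() the value of $USER is still returned through `strdup(e)` with no validation, so outside secure-execution mode any string the caller's environment supplies becomes the reported user name. secure_getenv() only returns NULL when the process runs with AT_SECURE set (setuid/setgid or file capabilities); a privileged process that merely inherits its environment is not covered by this change. Consider gating the shortcut on a name check, for example `if (e && valid_user_name(e))` (assuming that helper is usable at this revision), so that a malformed value falls through to whatever lookup follows. The rest of the function lies outside the hunk, so that fallback path is inferred rather than visible.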
@@ -514,7 +514,7 @@ int get_shell(char **_s) {
         assert(_s);
 
         /* Take the user specified one */
-        e = getenv("SHELL");
+        e = secure_getenv("SHELL");
         if (e && path_is_valid(e) && path_is_absolute(e)) {
                 s = strdup(e);
                 if (!s)
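Review bot: The comment `/* Take the user specified one */` above the changed line no longer describes the behaviour, because under secure execution the lookup now yields NULL and $SHELL is ignored. I would reword it to `/* Take the user specified one, unless we run in secure-execution mode (suid/sgid/fcaps), where secure_getenv() returns NULL */` so that a later reader does not swap the call back to getenv(). The `path_is_valid(e) && path_is_absolute(e)` test remains the only check on the value in the non-suid case, and judging by the names it is purely syntactic; that limit deserves a sentence in the function's documentation. get_shell() continues past the end of the hunk.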