From: Lennart Poettering Date: Fri, 20 Mar 2026 13:00:23 +0000 (+0100) Subject: shutdown: paranoia, switch to secure_getenv() X-Git-Tag: v261-rc1~600^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e7182635c6d012b436827746d49cea8963189d50;p=thirdparty%2Fsystemd.git shutdown: paranoia, switch to secure_getenv() We have this rule in systemd that unless we are sure that getenv() is safe and there's a reason to use it we should always prefer secure_getenv(). Follow our own rules here, as per CODING_STYLE document. This really doesn't matter here, all of this is highly privileged, but hopefully Claude & Colleagues shut up about this then, and maybe detect the pattern better. --- diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c index 73c6dd6d870..83fa8c0b668 100644 --- a/src/shutdown/shutdown.c +++ b/src/shutdown/shutdown.c @@ -286,14 +286,14 @@ static void init_watchdog(void) { const char *s; int r; - s = getenv("WATCHDOG_DEVICE"); + s = secure_getenv("WATCHDOG_DEVICE"); if (s) { r = watchdog_set_device(s); if (r < 0) - log_warning_errno(r, "Failed to set watchdog device to %s, ignoring: %m", s); + log_warning_errno(r, "Failed to set watchdog device to '%s', ignoring: %m", s); } - s = getenv("WATCHDOG_USEC"); + s = secure_getenv("WATCHDOG_USEC"); if (s) { usec_t usec;
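Review bot: the log_warning_errno() change in the WATCHDOG_DEVICE branch of init_watchdog(), which now quotes the value as '%s', is not covered by the commit message, which only describes the getenv() to secure_getenv() switch; mention the log format change in the message or split it into its own commit. On the two secure_getenv() calls: in secure-execution mode secure_getenv() returns NULL, so both `if (s)` branches are skipped and WATCHDOG_DEVICE and WATCHDOG_USEC are dropped without any log line. A short comment above `s = secure_getenv("WATCHDOG_DEVICE");` stating that silently ignoring the variables in that case is intended would make this clear to the next reader.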