core/manager: don't propagate manager session env to children

Follow-up for 4cb4e6c Fixes systemd#31287
chunyi-wu · Apr 3, 2024 · 03b1b71 · 03b1b71
1 parent eb77293
commit 03b1b71
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/src/core/manager.c b/src/core/manager.c
@@ -667,14 +667,26 @@ int manager_default_environment(Manager *m) {
                 /* Import locale variables LC_*= from configuration */
                 (void) locale_setup(&m->transient_environment);
         } else {
-                /* The user manager passes its own environment along to its children, except for $PATH. */
+                /* The user manager passes its own environment along to its children, except for $PATH and
+                 * session envs. */
+
                 m->transient_environment = strv_copy(environ);
                 if (!m->transient_environment)
                         return log_oom();
 
                 r = strv_env_replace_strdup(&m->transient_environment, "PATH=" DEFAULT_USER_PATH);
                 if (r < 0)
                         return log_oom();
+
+                /* Envvars set for our 'manager' class session are private and should not be propagated
+                 * to children. Also it's likely that the graphical session will set these on their own. */
+                strv_env_unset_many(m->transient_environment,
+                                    "XDG_SESSION_ID",
+                                    "XDG_SESSION_CLASS",
+                                    "XDG_SESSION_TYPE",
+                                    "XDG_SESSION_DESKTOP",
+                                    "XDG_SEAT",
+                                    "XDG_VTNR");
         }
 
         sanitize_environment(m->transient_environment);

diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
@@ -1150,6 +1150,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                          "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
                          id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
 
+        /* Please update manager_default_environment() in core/manager.c accordingly if more session envvars
+         * shall be added. */
+
         r = update_environment(handle, "XDG_SESSION_ID", id);
         if (r != PAM_SUCCESS)
                 return r;