Save and restore the http_proxy environment variable

Keeps the environment consistent so other programs using http_proxy after Duo Unix runs will have the right value for that variable
duosecurity · Jul 19, 2016 · f727580 · f727580
1 parent eafe30c
commit f727580
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 2 deletions.
diff --git a/login_duo/login_duo.c b/login_duo/login_duo.c
@@ -110,6 +110,19 @@ _print_motd()
     return (0);
 }
 
+static void
+restore_http_proxy(const char* http_proxy)
+{
+    if (http_proxy != NULL)
+    {
+        setenv("http_proxy", http_proxy, 1);
+    }
+    else
+    {
+        unsetenv("http_proxy");
+    }
+}
+
 static int
 do_auth(struct login_ctx *ctx, const char *cmd)
 {
@@ -119,7 +132,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
     duo_t *duo;
     duo_code_t code;
     const char *config, *p, *duouser;
-    const char *ip, *host = NULL;
+    const char *ip, *host, *orig_http_proxy = NULL;
     char buf[64];
     int i, flags, ret, prompts, matched;
     int headless = 0;
@@ -186,6 +199,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
     }
 
     /* Honor configured http_proxy */
+    orig_http_proxy = getenv("http_proxy");
     if (cfg.http_proxy != NULL) {
         setenv("http_proxy", cfg.http_proxy, 1);
     }
@@ -197,6 +211,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
                     cfg.https_timeout)) == NULL) {
         duo_log(LOG_ERR, "Couldn't open Duo API handle",
             pw->pw_name, host, NULL);
+        restore_http_proxy(orig_http_proxy);
         return (EXIT_FAILURE);
     }
 
@@ -267,6 +282,7 @@ do_auth(struct login_ctx *ctx, const char *cmd)
     }
     duo_close(duo);
 
+    restore_http_proxy(orig_http_proxy);
     return (ret);
 }
 

diff --git a/pam_duo/pam_duo.c b/pam_duo/pam_duo.c
@@ -101,6 +101,19 @@ __duo_prompt(void *arg, const char *prompt, char *buf, size_t bufsz)
 	return (buf);
 }
 
+static void
+restore_http_proxy(const char* http_proxy)
+{
+	if (http_proxy != NULL)
+	{
+		setenv("http_proxy", http_proxy, 1);
+	}
+	else
+	{
+		unsetenv("http_proxy");
+	}
+}
+
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
     int argc, const char *argv[])
@@ -119,7 +132,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 	 * without.
 	 */
 	duopam_const char *ip, *service, *user;
-	const char *cmd, *p, *config, *host;
+	const char *cmd, *p, *config, *host, *orig_http_proxy;
 
 	int i, flags, pam_err, matched;
 
@@ -218,6 +231,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 	}
 
 	/* Honor configured http_proxy */
+	orig_http_proxy = getenv("http_proxy");
 	if (cfg.http_proxy != NULL) {
 		setenv("http_proxy", cfg.http_proxy, 1);
 	}
@@ -227,6 +241,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
                     "pam_duo/" PACKAGE_VERSION,
                     cfg.noverify ? "" : cfg.cafile, cfg.https_timeout)) == NULL) {
 		duo_log(LOG_ERR, "Couldn't open Duo API handle", pw->pw_name, host, NULL);
+		restore_http_proxy(orig_http_proxy);
 		return (PAM_SERVICE_ERR);
 	}
 	duo_set_conv_funcs(duo, __duo_prompt, __duo_status, pamh);
@@ -281,6 +296,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int pam_flags,
 	}
 	duo_close(duo);
 
+	restore_http_proxy(orig_http_proxy);
 	return (pam_err);
 }
 

diff --git a/tests/login_duo-4.t b/tests/login_duo-4.t
@@ -83,3 +83,22 @@ Test manually-set hosts
 Test SSH-set host
   $ env SSH_CONNECTION="1.2.3.4 64903 127.0.0.1 22" ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo.conf -f preauth-allow true
   [4] Skipped Duo login for 'preauth-allow' from 1.2.3.4: you rock
+
+Test resetting http_proxy variable
+  $ orig_http_proxy=$http_proxy
+
+  $ export http_proxy=FAKE_PROXY_NAME
+  $ ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_proxy.conf -f preauth-allow true
+  [4] Failsafe Duo login for 'preauth-allow': Couldn't connect to localhost:4443: Failed to connect
+
+  $ echo $http_proxy
+  FAKE_PROXY_NAME
+
+  $ unset http_proxy
+  $ ${BUILDDIR}/login_duo/login_duo -d -c confs/mockduo_proxy.conf -f preauth-allow true
+  [4] Failsafe Duo login for 'preauth-allow': Couldn't connect to localhost:4443: Failed to connect
+
+  $ if [ -z "${http_proxy+set}" ]; then echo Good; else echo Bad; fi
+  Good
+
+  $ export http_proxy=$orig_http_proxy
diff --git a/tests/pam_duo-4.t b/tests/pam_duo-4.t
@@ -67,3 +67,22 @@ Test manually-set hosts
 
   $ env FALLBACK=1 ./testpam.py -d -c confs/mockduo_fallback.conf -f preauth-allow -h BADHOST true
   [4] Skipped Duo login for 'preauth-allow' from 1.2.3.4: you rock
+
+Test resetting http_proxy variable
+  $ orig_http_proxy=$http_proxy
+
+  $ export http_proxy=FAKE_PROXY_NAME
+  $ ./testpam.py -d -c confs/mockduo_proxy.conf -f preauth-allow true
+  [4] Failsafe Duo login for 'preauth-allow': Couldn't connect to localhost:4443: Failed to connect
+
+  $ echo $http_proxy
+  FAKE_PROXY_NAME
+
+  $ unset http_proxy
+  $ ./testpam.py -d -c confs/mockduo_proxy.conf -f preauth-allow true
+  [4] Failsafe Duo login for 'preauth-allow': Couldn't connect to localhost:4443: Failed to connect
+
+  $ if [ -z "${http_proxy+set}" ]; then echo Good; else echo Bad; fi
+  Good
+
+  $ export http_proxy=$orig_http_proxy