su: protect COLORTERM and NO_COLOR env. variables

karelzak · karelzak · commit 81bb42426b15 · 2025-05-07T11:35:05.000+02:00
Fixes: #3463 Signed-off-by: Karel Zak <kzak@redhat.com>
diff --git a/login-utils/runuser.1.adoc b/login-utils/runuser.1.adoc
@@ -47,7 +47,7 @@ Specify a supplementary group. This option is available to the root user only. T
 *-*, *-l*, *--login*::
 Start the shell as a login shell with an environment similar to a real login:
 +
-* clears all the environment variables except for *TERM* and variables specified by *--whitelist-environment*
+* clears all the environment variables except for *TERM*, *COLORTERM*, *NO_COLOR* and variables specified by *--whitelist-environment*
 * initializes the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME*, and *PATH*
 * changes to the target user's home directory
 * sets argv[0] of the shell to '*-*' in order to make the shell a login shell
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
@@ -704,8 +704,10 @@ static void modify_environment(struct su_context *su, const char *shell)
 	 * --whitelist-environment if specified.
 	 */
 	if (su->simulate_login) {
-		/* leave TERM unchanged */
+		/* leave unchanged */
 		su->env_whitelist = env_list_add_getenv(su->env_whitelist, "TERM", NULL);
+		su->env_whitelist = env_list_add_getenv(su->env_whitelist, "COLORTERM", NULL);
+		su->env_whitelist = env_list_add_getenv(su->env_whitelist, "NO_COLOR", NULL);
 
 		/* Note that original su(1) has allocated environ[] by malloc
 		 * to the number of expected variables. This seems unnecessary
diff --git a/login-utils/su.1.adoc b/login-utils/su.1.adoc
@@ -55,7 +55,7 @@ PAM) from this point of view. You need to use tools like *systemd-run* or
 +
 *su* does:
 +
-* clears all the environment variables except *TERM* and variables specified by *--whitelist-environment*
+* clears all the environment variables except *TERM*, *COLORTERM*, *NO_COLOR* and variables specified by *--whitelist-environment*
 * initializes the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME*, and *PATH*
 * changes to the target user's home directory
 * sets argv[0] of the shell to '*-*' in order to make the shell a login shell

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ Specify a supplementary group. This option is available to the root user only. T`
`47`	`47`	`-, -l, --login::`
`48`	`48`	`Start the shell as a login shell with an environment similar to a real login:`
`49`	`49`	`+`
`50`		`-* clears all the environment variables except for TERM and variables specified by --whitelist-environment`
	`50`	`+* clears all the environment variables except for TERM, COLORTERM, NO_COLOR and variables specified by --whitelist-environment`
`51`	`51`	`* initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH`
`52`	`52`	`* changes to the target user's home directory`
`53`	`53`	`* sets argv[0] of the shell to '-' in order to make the shell a login shell`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ PAM) from this point of view. You need to use tools like systemd-run or`
`55`	`55`	`+`
`56`	`56`	`su does:`
`57`	`57`	`+`
`58`		`-* clears all the environment variables except TERM and variables specified by --whitelist-environment`
	`58`	`+* clears all the environment variables except TERM, COLORTERM, NO_COLOR and variables specified by --whitelist-environment`
`59`	`59`	`* initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH`
`60`	`60`	`* changes to the target user's home directory`
`61`	`61`	`* sets argv[0] of the shell to '-' in order to make the shell a login shell`