From 05d1d23406e763d1926f6aee1e2015f97e0e5440 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Fri, 6 Dec 2024 20:17:20 +0100
Subject: [PATCH 1/2] Clear env of privileged 'sssd_pam' as a security hardening measure.
---
 src/responder/pam/pamsrv.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index cd49c40664b..94a39cf140c 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
@@ -450,6 +450,16 @@ int main(int argc, const char *argv[])
 umask(DFL_RSP_UMASK);
+ /* This is to clear dangerous variables like 'LDB_MODULES_PATH'
+ * from environment of privileged responder. It's easier to
+ * clear everything since 'sssd_pam' shouldn't rely on any.
+ */
+ ret = clearenv();
+ if (ret != 0) {
+ fprintf(stderr, "Failed to clear env.\n");
+ return 1;
+ }
+
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while((opt = poptGetNextOpt(pc)) != -1) {
 switch(opt) {
From 6ae7d35e30ca5b8bbc7a500f9f6785f3683d0c79 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Fri, 17 Jan 2025 21:07:43 +0100
Subject: [PATCH 2/2] Don't clear 'sssd_pam' env when built for intg-tests
---
 Makefile.am | 2 +-
 src/responder/pam/pamsrv.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 20ce1730b7a..e8552c6b29a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4045,7 +4045,7 @@ intgcheck-prepare:
 --with-files-provider \
 --with-session-recording-shell=/bin/false \
 $(INTGCHECK_CONFIGURE_FLAGS) \
- CFLAGS="-O2 -g $$CFLAGS"; \
+ CFLAGS="-O2 -g $$CFLAGS -DINTGCHECK_BUILD"; \
 $(MAKE) $(AM_MAKEFLAGS) ; \
 $(MAKE) $(AM_MAKEFLAGS) test_ssh_client; \
 : Force single-thread install to workaround concurrency issues; \
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
index 94a39cf140c..55fce72f10b 100644
--- a/src/responder/pam/pamsrv.c
+++ b/src/responder/pam/pamsrv.c
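Review bot: clearenv() at `ret = clearenv();` wipes every inherited variable, not just the loader-related ones the comment names, so anything main() reads from the environment later (socket-activation values such as systemd's LISTEN_FDS/LISTEN_PID if the responder supports them, or TZ/locale used by later logging) would have to be read before this point; the hunk does not show whether sssd_pam reads any, so that ordering is worth confirming. clearenv() is also a GNU/BSD extension rather than POSIX, so if non-glibc targets are still built a configure check with a fallback such as `environ = NULL;` would keep the hardening portable. The comment could state the mitigated risk rather than only the variable name, e.g. `/* Inherited loader/module-path variables (LDB_MODULES_PATH, LD_*) could make this privileged process load code from a caller-chosen location; drop the whole environment since sssd_pam needs none of it. */`. main() begins and ends outside the hunk.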
@@ -450,6 +450,7 @@ int main(int argc, const char *argv[])
 umask(DFL_RSP_UMASK);
+#ifndef INTGCHECK_BUILD
 /* This is to clear dangerous variables like 'LDB_MODULES_PATH'
 * from environment of privileged responder. It's easier to
 * clear everything since 'sssd_pam' shouldn't rely on any.
@@ -459,6 +460,7 @@ int main(int argc, const char *argv[])
 fprintf(stderr, "Failed to clear env.\n");
 return 1;
 }
+#endif /* 'intgcheck' relies on 'LDB_MODULES_PATH' to setup a test env */
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while((opt = poptGetNextOpt(pc)) != -1) {
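Review bot: Gating the whole clearenv() block behind `#ifndef INTGCHECK_BUILD` (this hunk and the matching `#endif` in the second hunk) means the integration-test binary never executes the hardening path, so intgcheck cannot catch a later regression where responder code starts depending on an inherited variable, and the tested binary diverges from what ships. Since the test harness only needs LDB_MODULES_PATH, an alternative is to keep clearenv() unconditional and, under INTGCHECK_BUILD, save that one variable before the call and re-export it afterwards; the value is copied first in case the pointer does not survive clearenv(). The define arrives only through the intgcheck CFLAGS rather than config.h, so a visible marker (a `#warning` or a startup log line under INTGCHECK_BUILD) would make an accidentally hardened-off build obvious. main() begins and ends outside both hunks.
```c
#ifdef INTGCHECK_BUILD
    /* 'intgcheck' relies on 'LDB_MODULES_PATH' to setup a test env */
    const char *ldb_env = getenv("LDB_MODULES_PATH");
    char *ldb_modules_path = (ldb_env != NULL) ? strdup(ldb_env) : NULL;
#endif
    /* … unchanged: ret = clearenv() and its error check … */
#ifdef INTGCHECK_BUILD
    if (ldb_modules_path != NULL) {
        setenv("LDB_MODULES_PATH", ldb_modules_path, 1);
        free(ldb_modules_path);
    }
#endif
```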