1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-30 23:21:22 +03:00
systemd/man/less-variables.xml
Zbigniew Jędrzejewski-Szmek 0a42426d79 pager: make pager secure when under euid is changed or explicitly requested
The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.

This approach is more nuanced, but should provide a better experience for
users:

- Previusly we would set LESSSECURE=1 and trust the pager to make use of
  it. But this has an effect only on less. We need to not start pagers which
  are insecure when in secure mode. In particular more is like that and is a
  very popular pager.

- We don't enable secure mode always, which means that those other pagers can
  reasonably used.

- We do the right thing by default, but the user has ultimate control by
  setting SYSTEMD_PAGERSECURE.

Fixes #5666.

v2:
- also check $PKEXEC_UID

v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
2020-10-14 10:04:12 +02:00

125 lines
6.6 KiB
XML

<?xml version="1.0"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refsect1>
<title>Environment</title>
<variablelist class='environment-variables'>
<varlistentry id='pager'>
<term><varname>$SYSTEMD_PAGER</varname></term>
<listitem><para>Pager to use when <option>--no-pager</option> is not given; overrides
<varname>$PAGER</varname>. If neither <varname>$SYSTEMD_PAGER</varname> nor <varname>$PAGER</varname> are set, a
set of well-known pager implementations are tried in turn, including
<citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> and
<citerefentry project='man-pages'><refentrytitle>more</refentrytitle><manvolnum>1</manvolnum></citerefentry>, until one is found. If
no pager implementation is discovered no pager is invoked. Setting this environment variable to an empty string
or the value <literal>cat</literal> is equivalent to passing <option>--no-pager</option>.</para></listitem>
</varlistentry>
<varlistentry id='less'>
<term><varname>$SYSTEMD_LESS</varname></term>
<listitem><para>Override the options passed to <command>less</command> (by default
<literal>FRSXMK</literal>).</para>
<para>Users might want to change two options in particular:</para>
<variablelist>
<varlistentry>
<term><option>K</option></term>
<para>This option instructs the pager to exit immediately when
<keycombo><keycap>Ctrl</keycap><keycap>C</keycap></keycombo> is pressed. To allow
<command>less</command> to handle <keycombo><keycap>Ctrl</keycap><keycap>C</keycap></keycombo>
itself to switch back to the pager command prompt, unset this option.</para>
<para>If the value of <varname>$SYSTEMD_LESS</varname> does not include <literal>K</literal>,
and the pager that is invoked is <command>less</command>,
<keycombo><keycap>Ctrl</keycap><keycap>C</keycap></keycombo> will be ignored by the
executable, and needs to be handled by the pager.</para>
</varlistentry>
<varlistentry>
<term><option>X</option></term>
<para>This option instructs the pager to not send termcap initialization and deinitialization
strings to the terminal. It is set by default to allow command output to remain visible in the
terminal even after the pager exits. Nevertheless, this prevents some pager functionality from
working, in particular paged output cannot be scrolled with the mouse.</para>
</varlistentry>
</variablelist>
<para>See
<citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for more discussion.</para></listitem>
</varlistentry>
<varlistentry id='lesscharset'>
<term><varname>$SYSTEMD_LESSCHARSET</varname></term>
<listitem><para>Override the charset passed to <command>less</command> (by default <literal>utf-8</literal>, if
the invoking terminal is determined to be UTF-8 compatible).</para></listitem>
</varlistentry>
<varlistentry id='lesssecure'>
<term><varname>$SYSTEMD_PAGERSECURE</varname></term>
<listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
if the effective UID is not the same as the owner of the login session, see <citerefentry
project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
<citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
disable commands that open or create new files or start new subprocesses. When
<varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
secure mode will not be used. (Currently only
<citerefentry><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> implements
secure mode.)</para>
<para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
<citerefentry
project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completly
disable the pager using <option>--no-pager</option> instead.</para></listitem>
</varlistentry>
<varlistentry id='colors'>
<term><varname>$SYSTEMD_COLORS</varname></term>
<listitem><para>The value must be a boolean. Controls whether colorized output should be
generated. This can be specified to override the decision that <command>systemd</command> makes based
on <varname>$TERM</varname> and what the console is connected to.</para>
</listitem>
</varlistentry>
<!-- This is not documented on purpose, because it is not clear if $NO_COLOR will become supported
widely enough. So let's provide support, but without advertising this.
<varlistentry id='no-color'>
<term><varname>$NO_COLOR</varname></term>
<listitem><para>If set (to any value), and <varname>$SYSTEMD_COLORS</varname> is not set, equivalent to
<option>SYSTEMD_COLORS=0</option>. See <ulink url="https://no-color.org/">no-color.org</ulink>.</para>
</listitem>
</varlistentry>
-->
<varlistentry id='urlify'>
<term><varname>$SYSTEMD_URLIFY</varname></term>
<listitem><para>The value must be a boolean. Controls whether clickable links should be generated in
the output for terminal emulators supporting this. This can be specified to override the decision that
<command>systemd</command> makes based on <varname>$TERM</varname> and other conditions.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>