From: Theo de Raadt
Subject: Re: su, doas inconsistent handling of duplicate environment variables
To: jmates@thrig.me, tech@openbsd.org
Date: Tue, 6 Feb 2024 19:24:32 -0700

> Assuming a doas.conf with "keepenv" somewhere appropriate, the first
> of any duplicate is selected by doas, while the last is selected by
> su.

I don't think su is doing anything here. It just calls execv. It does
not manipulate the environment.

Based upon your other tests, the duplicated environment makes it through
the kernel, which should not put effort into identifying the situation or
adjusting it. It just validates space, then copies the array to the new
stack.

> Should this be made consistent between the two? (Shells and
> languages also vary here, though I haven't found any that pick only
> the middle, yet.)

    $ dupenv FOO=first FOO=middle FOO=last env | grep FOO
    FOO=first
    FOO=middle
    FOO=last
    $ dupenv FOO=first FOO=middle FOO=last doas env | grep FOO
    FOO=first
    $ dupenv FOO=first FOO=middle FOO=last su
    Password:
    $ env | grep FOO
    FOO=last

I think your shell is ksh. Looking at some code, I find that during
initialization, in ksh/main.c there is:

	/* import environment */
	if (environ != NULL)
		for (wp = environ; *wp != NULL; wp++)
			typeset(*wp, IMPORT|EXPORT, 0, 0, 0);

Then looking at the typeset() function, it doesn't care if there is a
previous import of the variable, it will replace it, and thus look like
'last pick' to you.

doas, on the other hand, is definitely first match:

		if (RB_INSERT(envtree, &env->root, node)) {
			/* ignore any later duplicates */

I have a hard time believing that doas should be changed.

I'm not sure a consistency for this is achievable in practice. There will
always be outliers, right?
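
Added example, not part of the original message and not code from doas or ksh: a small C program that shows the two selection policies described above disagreeing on the same environment array, and how keeping only the first entry per name (the policy doas applies) makes every later consumer see one value. The names env_lookup, env_dedup_first and sample_env are hypothetical, the sample array is constructed, and a linear scan stands in for the RB tree doas uses.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the FOO triple from the message plus one unrelated entry. */
char *sample_env[] = { "FOO=first", "PATH=/bin", "FOO=middle", "FOO=last", NULL };

/* Length of the NAME part of "NAME=value" (whole string if there is no '='). */
static size_t name_len(const char *e) { return strcspn(e, "="); }

/* Value of name, or NULL. pick_last=0: first match; pick_last=1: last entry wins. */
const char *env_lookup(char *const *envp, const char *name, int pick_last)
{
	const char *val = NULL;
	size_t n = strlen(name);
	for (size_t i = 0; envp[i] != NULL; i++) {
		if (strncmp(envp[i], name, n) != 0 || envp[i][n] != '=')
			continue;
		val = envp[i] + n + 1;
		if (!pick_last)
			break;
	}
	return val;
}

/* Compact envp in place, keeping the first entry per name. Returns entries dropped. */
size_t env_dedup_first(char **envp)
{
	size_t kept = 0, dropped = 0;
	for (size_t i = 0; envp[i] != NULL; i++) {
		size_t j, n = name_len(envp[i]);
		for (j = 0; j < kept; j++)
			if (name_len(envp[j]) == n && strncmp(envp[j], envp[i], n) == 0)
				break;
		if (j < kept)
			dropped++;	/* a later duplicate: ignore it */
		else
			envp[kept++] = envp[i];
	}
	envp[kept] = NULL;
	return dropped;
}

int main(void)
{
	printf("before: first-match=%s last-wins=%s\n",
	    env_lookup(sample_env, "FOO", 0), env_lookup(sample_env, "FOO", 1));
	printf("dropped %zu duplicate(s)\n", env_dedup_first(sample_env));
	printf("after:  first-match=%s last-wins=%s\n",
	    env_lookup(sample_env, "FOO", 0), env_lookup(sample_env, "FOO", 1));
	return 0;
}
```

A nonzero return from env_dedup_first is also a useful signal to log, since well-behaved callers do not normally produce duplicate names.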