From 6bf395022aef4dcf455f31253df526a7c2f1ab4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 2 Oct 2017 04:10:55 +0200
Subject: [PATCH] qrexec: use user shell instead of hardcoded /bin/sh

Fixes QubesOS/qubes-issues#3139
---
 qrexec/qrexec-agent.c | 14 +++++++++++++-
 qrexec/qrexec-fork-server.c | 7 ++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/qrexec/qrexec-agent.c b/qrexec/qrexec-agent.c
index fa38ded..7fa2f66 100644
--- a/qrexec/qrexec-agent.c
+++ b/qrexec/qrexec-agent.c
@@ -144,6 +144,8 @@ void do_exec(const char *cmd)
 pid_t child, pid;
 char **env;
 char pid_s[32];
+ char *arg0;
+ char *shell_basename;
 #endif
 if (!realcmd)
@@ -184,6 +186,14 @@ void do_exec(const char *cmd)
 pw->pw_shell = strdup(pw->pw_shell);
 endpwent();
+ shell_basename = basename (pw->pw_shell);
+ /* this process is going to die shortly, so don't care about freeing */
+ arg0 = malloc (strlen (shell_basename) + 2);
+ if (!arg0)
+ goto error;
+ arg0[0] = '-';
+ strcpy (arg0 + 1, shell_basename);
+
 retval = pam_start("qrexec", user, &conv, &pamh);
 if (retval != PAM_SUCCESS)
 goto error;
@@ -220,6 +230,7 @@ void do_exec(const char *cmd)
 goto error;
 case 0:
 /* child */
+
 if (setgid (pw->pw_gid))
 exit(126);
 if (setuid (pw->pw_uid))
@@ -227,7 +238,8 @@ void do_exec(const char *cmd)
 setsid();
 /* This is a copy but don't care to free as we exec later anyways. */
 env = pam_getenvlist (pamh);
- execle("/bin/sh", "-sh", "-c", realcmd, (char*)NULL, env);
+
+ execle(pw->pw_shell, arg0, "-c", realcmd, (char*)NULL, env);
 exit(127);
 default:
 /* parent */
diff --git a/qrexec/qrexec-fork-server.c b/qrexec/qrexec-fork-server.c
index d52b377..8d53144 100644
--- a/qrexec/qrexec-fork-server.c
+++ b/qrexec/qrexec-fork-server.c
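Review bot: In the `@@ -184,6 +186,14 @@` hunk of qrexec-agent.c, `pw->pw_shell` reaches `basename()` and later `execle()` (in the `@@ -227,7 +238,8 @@` hunk) without being checked. The `strdup()` result just above it can be NULL, and a passwd entry may carry an empty shell field, which passwd(5) defines as meaning /bin/sh. With the hard-coded path gone, the child for such an account now exits 127 instead of running the command; a guard before the `basename` call such as `if (!pw->pw_shell || !pw->pw_shell[0]) pw->pw_shell = "/bin/sh";` keeps the old behaviour. The added `goto error` also runs before `pam_start()`, and the `error:` label is outside the hunk, so if that path calls `pam_end(pamh, ...)` then `pamh` needs a NULL initialiser.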
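Review bot: In the `@@ -227,7 +238,8 @@` hunk of qrexec-agent.c, `realcmd` is now parsed by whatever login shell the account has rather than by a POSIX sh, and nothing near the `execle` call records that. How `realcmd` is assembled lies outside this hunk; if it relies on sh quoting or sh-only constructs, a csh- or fish-style shell will interpret the same string differently. I would add a comment above the call, for example `/* realcmd is interpreted by the account's login shell, which may not be POSIX sh */`, and confirm the construction is shell-neutral.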
@@ -35,6 +35,7 @@
 void do_exec(const char *cmd)
 {
+ char *shell;
 char buf[strlen(QUBES_RPC_MULTIPLEXER_PATH) + strlen(cmd) - strlen(RPC_REQUEST_COMMAND) + 1];
 /* replace magic RPC cmd with RPC multiplexer path */
 if (strncmp(cmd, RPC_REQUEST_COMMAND " ", strlen(RPC_REQUEST_COMMAND)+1)==0) {
@@ -45,7 +46,11 @@ void do_exec(const char *cmd)
 signal(SIGCHLD, SIG_DFL);
 signal(SIGPIPE, SIG_DFL);
- execl("/bin/sh", "sh", "-c", cmd, NULL);
+ shell = getenv("SHELL");
+ if (!shell)
+ shell = "/bin/sh";
+
+ execl(shell, basename(shell), "-c", cmd, NULL);
 perror("execl");
 exit(1);
 }
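Review bot: In the `@@ -45,7 +46,11 @@` hunk, `SHELL` is read from the environment and handed to `execl()` as a path after only a NULL check, so an empty or relative value is accepted. `execl` does not search PATH, so a relative value resolves against the current directory. Falling back unless the value is absolute covers both cases: `if (!shell || shell[0] != '/') shell = "/bin/sh";`. Separately, neither this hunk nor the `basename (pw->pw_shell)` hunk in qrexec-agent.c adds an include for `basename`, and the include lists are not visible here. If it comes from `<libgen.h>`, the POSIX version is allowed to modify its argument, which here may be the string literal `"/bin/sh"` or the environment string, so passing a private copy would be safer.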