From 89b96cb85cbd86a3f07a47e5e6826f7c5a69e3d5 Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@ubuntu.com>
Date: Mon, 25 Jun 2018 16:00:17 +0200
Subject: [PATCH] su.c: run pam_getenvlist() after setup_env

When "su -l" is used the behaviour is described as similar to
a direct login. However login.c is doing a setup_env(pw) and then a
pam_getenvlist() in this scenario. But su.c is doing it the other
way around. Which means that the value of PATH from /etc/environment
is overriden. I think this is a bug because:

The man-page claims that "-l": "provides an environment similar
to what the user would expect had the user logged in directly."

And login.c is using the PATH from /etc/environment.

This will fix:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/984390
---
 src/su.c | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/src/su.c b/src/su.c
index 685f7bb0..fc0e826f 100644
--- a/src/su.c
+++ b/src/su.c
@@ -913,28 +913,8 @@ static void set_environment (struct passwd *pw)
 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
 	}
 
-#ifdef USE_PAM
-	/* we need to setup the environment *after* pam_open_session(),
-	 * else the UID is changed before stuff like pam_xauth could
-	 * run, and we cannot access /etc/shadow and co
-	 */
 	environ = newenvp;	/* make new environment active */
 
-	if (change_environment) {
-		/* update environment with all pam set variables */
-		char **envcp = pam_getenvlist (pamh);
-		if (NULL != envcp) {
-			while (NULL != *envcp) {
-				addenv (*envcp, NULL);
-				envcp++;
-			}
-		}
-	}
-
-#else				/* !USE_PAM */
-	environ = newenvp;	/* make new environment active */
-#endif				/* !USE_PAM */
-
 	if (change_environment) {
 		if (fakelogin) {
 			if (shellstr != pw->pw_shell) {
@@ -948,6 +928,21 @@ static void set_environment (struct passwd *pw)
 			addenv ("LOGNAME", pw->pw_name);
 			addenv ("SHELL", shellstr);
 		}
+
+#ifdef USE_PAM
+	        /* we need to setup the environment *after* pam_open_session(),
+                 * else the UID is changed before stuff like pam_xauth could
+                 * run, and we cannot access /etc/shadow and co
+                 */
+		/* update environment with all pam set variables */
+		char **envcp = pam_getenvlist (pamh);
+		if (NULL != envcp) {
+			while (NULL != *envcp) {
+				addenv (*envcp, NULL);
+				envcp++;
+			}
+		}
+#endif				/* !USE_PAM */
 	}
 
 }