I expect a shell not to modify LIBPATH
and most other environment variables.
On some but not all AIX systems, /usr/bin/sh
(notable for being the shell
behind system(3)) clears variables LIBPATH, LD_LIBRARY_PATH, and NLSPATH.
ksh
and bash
do not. Test shell script:
export LIBPATH=/none1 LD_LIBRARY_PATH=/none2 NLSPATH=/none3 LiBPATH=/none4
for shell in /usr/bin/sh ksh bash; do
echo "=== $shell"
$shell -c env | grep /none
done
I expect output like this, and I get it on some AIX systems:
=== /usr/bin/sh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== ksh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== bash
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
Variable-clearing systems give this output instead:
=== /usr/bin/sh
LiBPATH=/none4
=== ksh
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
=== bash
LiBPATH=/none4
NLSPATH=/none3
LIBPATH=/none1
LD_LIBRARY_PATH=/none2
How can one disable this variable-clearing behavior? I'd like to disable it to restore compatibility of system(3) with older AIX and with Linux.
Differences observed between systems:
find /usr /opt /etc -mtime -30 -ls 2>/dev/null
.) I could ask the admin.Shell versions for system (2), the variable-clearing system:
$ lslpp -l bos.rte.shell
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.rte.shell 7.2.4.2 COMMITTED Shells (bsh, ksh, csh)
Path: /etc/objrepos
bos.rte.shell 7.2.4.2 COMMITTED Shells (bsh, ksh, csh)
$ ls -l /usr/bin/ksh /usr/bin/sh
-r-xr-xr-x 5 bin bin 317840 Sep 23 2020 /usr/bin/ksh
-r-xr-xr-x 5 bin bin 317840 Sep 23 2020 /usr/bin/sh
On system (2), no package known to lslpp
is newer than year 2020:
$ lslpp -Lc all | grep ':[0-9]\{4\}$' | sed 's/.*://' | sort | uniq -c
1 1241
297 1543
2 1614
8 1642
6 1731
4 1806
42 1837
46 1845
2 1913
332 1937
43 2015
1 2027
117 2037
/etc/security/privcmds
contained:
/bin/sh:
accessauths = ALLOW_ALL
Removing that and running setkst
disabled the variable clearing. Under the
removed configuration, role based access control (RBAC) "governs the
privileges assigned to the
process".
"For a process configured with RBAC elevated privileges" the question's three
variables and also LDR_PRELOAD
are
reset.
Apparently, enrolling a process in RBAC is enough to reset the variables, even
if no RBAC privilege grants appear.