pass: Do not modify $HOME env globally

Just set $HOME for calling the pass binary to avoid affecting anything outside the pass renderer.
2025-04-16 09:40:20 +00:00 · 2022-05-27 11:25:18 +02:00 · 2022-05-27 11:25:18 +02:00 · 4813a9f533
commit 4813a9f533
parent 8270d639c7
2 changed files with 7 additions and 5 deletions
--- a/changelog/62120.fixed
+++ b/changelog/62120.fixed
@ -1,2 +1,3 @@
+The $HOME env is no longer modified globally.
 Only trailing newlines are stripped from the fetched secret.
 Pass process arguments are handled in a secure way.
--- a/salt/renderers/pass.py
+++ b/salt/renderers/pass.py
@ -84,7 +84,12 @@ def _fetch_secret(pass_path):
    cmd = ["pass", "show", pass_path]
    log.debug("Fetching secret: %s", " ".join(cmd))

-    proc = Popen(cmd, stdout=PIPE, stderr=PIPE)
+    # Make sure environment variable HOME is set, since Pass looks for the
+    # password-store under ~/.password-store.
+    env = os.environ.copy()
+    env["HOME"] = expanduser("~")
+
+    proc = Popen(cmd, stdout=PIPE, stderr=PIPE, env=env)
    pass_data, pass_error = proc.communicate()

    # The version of pass used during development sent output to
@ -115,8 +120,4 @@ def render(pass_info, saltenv="base", sls="", argline="", **kwargs):
    Fetch secret from pass based on pass_path
    """
    _get_pass_exec()
-
-    # Make sure environment variable HOME is set, since Pass looks for the
-    # password-store under ~/.password-store.
-    os.environ["HOME"] = expanduser("~")
    return _decrypt_object(pass_info)