Don't use getenv for critical functions when run as setuid/setgid

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)

3 files changed, 28 insertions, 0 deletions

diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod
index b009949d6e..a2fc299482 100644
--- a/doc/man3/ENGINE_add.pod
+++ b/doc/man3/ENGINE_add.pod
@@ -568,6 +568,7 @@ extension).
 =item B<OPENSSL_ENGINES>
 
 The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
 
 =back
 
diff --git a/doc/man3/OPENSSL_config.pod b/doc/man3/OPENSSL_config.pod
index e70fcd5498..ac686e6222 100644
--- a/doc/man3/OPENSSL_config.pod
+++ b/doc/man3/OPENSSL_config.pod
@@ -48,6 +48,17 @@ application calls OPENSSL_config() it doesn't need to know or care about
 ENGINE control operations because they can be performed by editing a
 configuration file.
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<OPENSSL_CONF>
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 RETURN VALUES
 
 Neither OPENSSL_config() nor OPENSSL_no_config() return a value.
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index ef8e10ef1b..09d72be2fd 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -384,6 +384,22 @@ will output:
 
 showing that the OID "newoid1" has been added as "1.2.3.4.1".
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<OPENSSL_CONF>
+
+The path to the config file.
+Ignored in set-user-ID and set-group-ID programs.
+
+=item B<OPENSSL_ENGINES>
+
+The path to the engines directory.
+Ignored in set-user-ID and set-group-ID programs.
+
+=back
+
 =head1 BUGS
 
 Currently there is no way to include characters using the octal B<\nnn>