[Pkg-shadow-devel] Bug#611584: /bin/su: not quite aggressive

velotiger at web.de velotiger at web.de
Sun Feb 13 19:19:15 UTC 2011

Here's a workaround that sets both XAUTHORITY and DISPLAY to an empty
string in the target users's session after an "su -".

New file "/etc/security/pam_env-su.conf":
# This file is referenced by "/etc/pam.d/su".
# Workaround for Debian Squeeze, Bug#611584:
# Replace the copied variables XAUTHORITY and DISPLAY in an su-invoked shell.

Add the follwing lines to "/etc/pam.d/su":
# Workaround for Debian Squeeze, Bug#611584:
# variables XAUTHORITY and DISPLAY are set to an empty string.
session  required  pam_env.so debug readenv=0 conffile=/etc/security/pam_env-su.conf

I did not work out yet how to unset an environment variable by means of
pam_env.conf(5), the next best thing is an empty string.  The xauth-command
does not like an empty value in $XAUTHORITY ("xauth:  unable to link authority 
file , use -n"), just unset XAUTHORITY or set it to a valid filename before 
you use xauth.  For the text console, empty values are ok; X11 can be started
and the variables are ok in the X11 session.


Schon gehört? WEB.DE hat einen genialen Phishing-Filter in die
Toolbar eingebaut! http://produkte.web.de/go/toolbar

More information about the Pkg-shadow-devel mailing list