[Pkg-shadow-devel] Bug#611584: /bin/su: not quite aggressive
velotiger at web.de
Sun Feb 13 19:19:15 UTC 2011
Here's a workaround that sets both XAUTHORITY and DISPLAY to an empty
string in the target user's session after an "su -".
New file "/etc/security/pam_env-su.conf":
---
# This file is referenced by "/etc/pam.d/su".
# Workaround for Debian Squeeze, Bug#611584:
# Replace the copied variables XAUTHORITY and DISPLAY in an su-invoked shell.
XAUTHORITY DEFAULT=""
DISPLAY DEFAULT=""
---
Add the following lines to "/etc/pam.d/su":
---
# Workaround for Debian Squeeze, Bug#611584:
# variables XAUTHORITY and DISPLAY are set to an empty string.
session required pam_env.so debug readenv=0 conffile=/etc/security/pam_env-su.conf
---
I have not yet worked out how to unset an environment variable by means of
pam_env.conf(5); the next best thing is an empty string. The xauth command
does not like an empty value in $XAUTHORITY ("xauth: unable to link authority
file , use -n"), so just unset XAUTHORITY or set it to a valid filename before
you use xauth. For the text console, empty values are ok; X11 can be started
and the variables are ok in the X11 session.
Regards,
Tilmann
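
The following is an added example, not part of the original message: a POSIX shell check that a pam.d file and the pam_env conffile it references implement the workaround above, plus a helper for the xauth caveat. The function names are hypothetical, and the check only recognises the exact `DEFAULT=""` form used in the message.

```shell
#!/bin/sh
# Added example, not from the original message; function names are hypothetical.

# Print the conffile= path of the first active "session ... pam_env.so" line
# in a pam.d file ($1); exit status 1 if no such line exists.
pam_env_conffile() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 == "session" && /pam_env\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^conffile=/) {
                    sub(/^conffile=/, "", $i); print $i; found = 1; exit
                }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed if pam_env conffile $1 resets variable $2 with DEFAULT="".
sets_empty_default() {
    awk -v var="$2" '
        /^[ \t]*#/ { next }
        $1 == var && $2 == "DEFAULT=\"\"" { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Verify that pam.d file $1 points at a conffile that blanks both variables.
check_su_env_workaround() {
    conf=$(pam_env_conffile "$1") || {
        echo "no active pam_env conffile= line in $1" >&2; return 1; }
    for v in XAUTHORITY DISPLAY; do
        sets_empty_default "$conf" "$v" || {
            echo "$v is not reset in $conf" >&2; return 1; }
    done
}

# xauth rejects an empty $XAUTHORITY, so unset it when it is set but empty.
unset_empty_xauthority() {
    [ -n "${XAUTHORITY-}" ] || unset XAUTHORITY
}

# Usage on a live system: check_su_env_workaround /etc/pam.d/su
```

Sourcing `unset_empty_xauthority` from the target user's shell startup file and calling it before xauth avoids the "unable to link authority file" error quoted above.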