[Pkg-shadow-devel] Bug#989919: login: consider setting PAM's user_readenv=1

Serge E. Hallyn serge at hallyn.com
Sat Apr 9 20:11:21 BST 2022


On Sat, Apr 09, 2022 at 06:41:47PM +0200, Christoph Anton Mitterer wrote:
> On Sat, 2022-04-09 at 08:20 -0500, Serge E. Hallyn wrote:
> > I wonder whether it was disabled
> > for security reasons?  Is there a debian bug referring to that?
> 
> Hmm could be this...
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136
> 
> Though I don't quite understand what the attack actually is (or whether
> it was fixed - and if there is no real fix, why the pam manpages still
> don't warn about that option), since any user could just set any var in
> his .bashrc or so....

Based on https://www.openwall.com/lists/oss-security/2010/09/27/7
I think the concern was that the user's env file was being read
while fsuid was still root.  I see patches fixing it in pam itself,
so I don't think the default workaround is needed.  Now, arguably,
it is a hairy bit of code, and so defaulting to not reading it
while allowing sites to override is conservative.  I guess someone
should do another code review of at least pam_env.
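As an added illustration (not code from this thread, from pam or from shadow), the pattern behind the fix Serge refers to: when a root process reads a user-controlled file, switch fsuid/fsgid to that user around the open, refuse symlinks, and check ownership of the opened file. The function names and the /tmp paths are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read up to bufsz-1 bytes from a file that must belong to uid. As root,
 * switch the filesystem uid/gid to the user around open() so lookup and
 * permission checks run with the user's rights, then verify the opened
 * file is a regular file owned by uid. Returns -1 with errno on failure. */
ssize_t read_user_file(const char *path, uid_t uid, gid_t gid,
                       char *buf, size_t bufsz)
{
    struct stat st;
    int fd, saved, dropped = geteuid() == 0;  /* only root can change fsuid */
    if (dropped) { setfsgid(gid); setfsuid(uid); }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY); /* no symlink detours */
    saved = errno;
    if (dropped) { setfsuid(0); setfsgid(0); }        /* back to root */
    if (fd < 0) { errno = saved; return -1; }
    if (fstat(fd, &st) < 0) { saved = errno; close(fd); errno = saved; return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != uid) { close(fd); errno = EACCES; return -1; }
    ssize_t n = read(fd, buf, bufsz - 1);
    saved = errno; if (n >= 0) buf[n] = '\0';
    close(fd); errno = saved; return n;
}

/* Constructed self-check: a file owned by the caller reads back intact,
 * while a symlink pointing at it is refused with ELOOP. Returns 1 on success. */
int selftest(void)
{
    char dir[] = "/tmp/userenvXXXXXX", file[64], link[64], buf[64];
    const char *line = "PATH DEFAULT=/usr/bin\n";     /* pam_env-style entry */
    int ok = 0, fd;
    if (!mkdtemp(dir)) return 0;
    strcpy(file, dir); strcat(file, "/env");
    strcpy(link, dir); strcat(link, "/link");
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, line, strlen(line)) == (ssize_t)strlen(line) && close(fd) == 0) {
        ok = read_user_file(file, getuid(), getgid(), buf, sizeof buf) > 0
             && strcmp(buf, line) == 0 && symlink(file, link) == 0
             && read_user_file(link, getuid(), getgid(), buf, sizeof buf) < 0
             && errno == ELOOP;
    }
    unlink(link); unlink(file); rmdir(dir); return ok;
}
```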


