[Pkg-shadow-devel] Bug#434485: su: environment setting when doing su

Jean-Christophe Dubacq jcdubacq1 at free.fr
Tue Jul 24 07:12:30 UTC 2007 

Package: login
Version: 1:4.0.18.1-11
Severity: normal

Hello,

Several remarks that are part of the same problem regarding su, pam and
environment setting.

1) If /etc/default/locale is set (or anything in /etc/environment), its
content is read when doing su (no args). I understand that it is read
when doing su -l, and not read when doing su -p. The behaviour when
doing simple su is best described (to my knowledge, which may be wrong)
by the man page:
   The current environment is passed to the new shell. The value of $PATH
   is reset to /bin:/usr/bin for normal users, or
   /sbin:/bin:/usr/sbin:/usr/bin for the superuser. This may be changed
   with the ENV_PATH and ENV_SUPATH definitions in /etc/login.defs.

Thus, I expect su to act closer to su -p than su -l.

One of the reason I would prefer this is that terminal charmap is
transported with the LC_CTYPE (or LANG) variable.

2) ENV_SUPATH on a basic etch install is:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bi
n:/usr/bin/X11
PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games

Probably /usr/bin/X11 should be removed of this list.

Solving the problem for 2 is easy. Solving it for 1 may require
to make two different pam.d/su files: one for use in su -l and one for
use in su. The line reading /etc/default/locale would be removed.

Another solution is to patch pam_env.so so that (reading an argument on
the pam line) no variables could be clobbered if they are already set. I
already wrote this patch some time ago and can provide it if it is of
any interest.
The line would become (in /etc/pam.d/su):
session       required   pam_env.so readenv=1 noclobber=1 envfile=/etc/default/locale

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-1-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages login depends on:
ii  libc6                         2.5-11     GNU C Library: Shared libraries
ii  libpam-modules                0.79-4.1   Pluggable Authentication Modules f
ii  libpam-runtime                0.79-4.1   Runtime support for the PAM librar
ii  libpam0g                      0.79-4.1   Pluggable Authentication Modules l

login recommends no packages.

-- no debconf information

More information about the Pkg-shadow-devel mailing list