[Pkg-shadow-devel] Bug#155279: Bugs #155279: Should "su -" get environment from /etc/environment?

Christian Perrier <bubulle@debian.org>, 155279@bugs.debian.org
Wed, 6 Apr 2005 19:44:29 +0200


tags 155279 help
thanks

Please read http://bugs.debian.org/155279 for the whole story.

In short, this bug requests that "auth required pam_env.so" be added
to /etc/pam.d/su so that the contents of /etc/environment are used when
issuing a "su -" to become root.

OTOH, doing so will lead to "su" getting env variables from that file
too and thus breaking the expected behaviour (keeping the originating
user environment).

So, we (shadow package maintainers) cannot blindly add the offending
line to the /etc/pam.d/su file.

One suggestion in the bug log is a modification to su code so that it
reads pam_env.so only when called as "su -". This sounds a bit strange
to me as it would require hard-encoding this module name in su code as
this is of course the only module that should be ignored. Seems to go
against the "spirit" of PAM (modularity).

My opinion, currently, is that nothing can really be done about this.

Eduard Bloch, in the bug log, even raised the severity to "grave"
which seems overinflated (and maybe not directly related as he mentions
the lack of using pam_access).

I think we really need some external advice here, but I want first to
have other team members' advice, as well as the bug submitter's opinion.

--