[Pkg-shadow-devel] Bug#989919: login: consider setting PAM's user_readenv=1
Serge E. Hallyn
serge at hallyn.com
Sat Apr 9 20:11:21 BST 2022
On Sat, Apr 09, 2022 at 06:41:47PM +0200, Christoph Anton Mitterer wrote:
> On Sat, 2022-04-09 at 08:20 -0500, Serge E. Hallyn wrote:
> > I wonder whether it was disabled
> > for security reasons? Is there a debian bug referring to that?
>
> Hmm could be this...
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136
>
> Though I don't quite understand what the attack actually is (or whether
> it was fixed - and if there is no real fix, why the pam manpages still
> don't warn about that option), since any user could just set any var in
> his .bashrc or so....
Based on https://www.openwall.com/lists/oss-security/2010/09/27/7
I think the concern was that the user's env file was being read
while fsuid was still root. I see patches fixing it in pam itself,
so I don't think the default workaround is needed. Now, arguably,
it is a hairy bit of code, and so defaulting to not reading it
while allowing sites to override is conservative. I guess someone
should do another code review of at least pam_env.
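Since the thread settles on keeping `user_readenv` off by default while letting sites override it, a useful follow-up check is to find out where a site has actually opted back in. The following audit script is an added example written for this archive page, not code from the thread, from shadow, or from Linux-PAM; it assumes the pam_env.so option names `readenv` and `user_readenv` and scans a directory of PAM service files, and the three service files it creates are constructed sample data in a temporary directory, not a real /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the thread): list PAM service files whose pam_env.so
# line sets user_readenv=1, i.e. the per-user ~/.pam_environment read that the
# thread discusses. Point it at /etc/pam.d on a real host; the sample directory
# below is constructed data so the script runs stand-alone.

# Print the path of every regular file under $1 that has an active (uncommented)
# pam_env.so line carrying user_readenv=1 as a whole token. Always returns 0 so
# it can be used under 'set -e' and in command substitution.
audit_pam_user_readenv() {
    pamd_dir="$1"
    for f in "$pamd_dir"/*; do
        [ -f "$f" ] || continue
        # Strip '#' comments first so a commented-out line is not reported.
        if sed 's/#.*//' "$f" \
            | grep -Eq 'pam_env\.so.*[[:space:]]user_readenv=1([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Build a constructed sample pam.d directory and print its path.
make_sample_pamd() {
    d=$(mktemp -d)
    # Conservative default: pam_env reads only the system-wide files
    # (readenv=1) and user_readenv is left off.
    printf 'session    required   pam_env.so readenv=1\n' > "$d/sshd"
    # Site override that opts back in to reading ~/.pam_environment.
    printf 'session    required   pam_env.so readenv=1 user_readenv=1\n' > "$d/login"
    # Commented-out line: must not be reported.
    printf '#session   required   pam_env.so user_readenv=1\n' > "$d/common-session"
    printf '%s\n' "$d"
}

# Stand-alone run: audit the sample directory, then remove it.
sample_dir=$(make_sample_pamd)
audit_pam_user_readenv "$sample_dir"
rm -rf "$sample_dir"
```

On a real system, run `audit_pam_user_readenv /etc/pam.d` and review each reported service against the oss-security discussion linked above; for the sample data only `login` is reported, because `sshd` sets only `readenv=1` and the `common-session` entry is commented out.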