Bug#989919: login: consider setting PAM's user_readenv=1
On Sat, Apr 09, 2022 at 06:41:47PM +0200, Christoph Anton Mitterer wrote:
> On Sat, 2022-04-09 at 08:20 -0500, Serge E. Hallyn wrote:
> > I wonder whether it was disabled
> > for security reasons? Is there a debian bug referring to that?
>
> Hmm could be this...
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136
>
> Though I don't quite understand what the attack actually is (or whether
> it was fixed - and if there is no real fix, why the pam manpages still
> don't warn from that option), since any user could just set any var in
> his .bashrc or so

Based on https://www.openwall.com/lists/oss-security/2010/09/27/7 I think the concern was that the user's env file was being read while fsuid was still root. I see patches fixing it in pam itself, so I don't think the default workaround is needed.

Now, arguably, it is a hairy bit of code, and so defaulting to not reading it while allowing sites to override is conservative. I guess someone should do another code review of at least pam_env.
Bug#989919: login: consider setting PAM's user_readenv=1
At least one should consult the people from the security team and perhaps anyone who was concerned back then with fixing #611136.

Btw: I forgot to tell in this ticket here, that in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784158#49
Yves-Alexis Perez came up with the idea that setting user_readenv=1 (if safe) should go to:
/etc/pam.d/common-session

In:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784158#58
I've CC'ed PAM maintainers... asking for whether this could be done.

I guess that would be a general solution, and make this here obsolete.

Cheers,
Chris.
Bug#989919: login: consider setting PAM's user_readenv=1
On Sat, 2022-04-09 at 08:20 -0500, Serge E. Hallyn wrote:
> I wonder whether it was disabled
> for security reasons? Is there a debian bug referring to that?

Hmm could be this...

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136

Though I don't quite understand what the attack actually is (or whether it was fixed - and if there is no real fix, why the pam manpages still don't warn from that option), since any user could just set any var in his .bashrc or so.
Bug#989919: login: consider setting PAM's user_readenv=1
Package: login
Version: 1:4.8.1-1
Severity: wishlist

Hi.

Would it make sense to set PAM env's user_readenv=1 in /etc/pam.d/login?

That would allow users to have a .pam_environment read, which would seem a proper location for things like PATH, rather than .profile or .bashrc.

Cheers,
Chris.
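The two settings the thread contrasts, as an added illustration that is not part of the bug report and not a copy of any file Debian ships: the pam_env session line without and with user_readenv=1 (requested above for /etc/pam.d/login, and proposed later in the thread for /etc/pam.d/common-session), followed by a constructed ~/.pam_environment showing what such a file would set for the user. The variable names and values in the user file are made up for the example; the option names and the DEFAULT/OVERRIDE syntax are those documented in pam_env(8) and pam_env.conf(5).

```text
# Illustrative pam_env session line for /etc/pam.d/login or
# /etc/pam.d/common-session (assumed layout, not Debian's shipped file).
#
# Conservative default as discussed in the thread: only the system-wide
# file (/etc/environment unless envfile= says otherwise) is read.
session    required   pam_env.so readenv=1
#
# With user_readenv=1 the module additionally reads ~/.pam_environment
# of the user being logged in (user_envfile= changes that path). This is
# the code path the 2010 report was about, so enable it only on a pam_env
# that carries the fix referenced above.
session    required   pam_env.so readenv=1 user_readenv=1

# Constructed ~/.pam_environment for that user. Format per pam_env.conf(5):
#   VARIABLE  [DEFAULT=value]  [OVERRIDE=value]
# ${VAR} expands from the environment being built, @{HOME} and @{SHELL}
# from the PAM items; OVERRIDE wins when it expands to a non-empty string.
PATH      DEFAULT=${PATH}:@{HOME}/bin
EDITOR    DEFAULT=vim
LANG      DEFAULT=en_US.UTF-8
```

To see which PAM services already read the user file on a given host, `grep -n user_readenv /etc/pam.d/*` lists every line that mentions the option; a login session then shows the effect in `echo "$PATH"`. Because the user-controlled file is parsed by a module running inside a privileged login process, the conservative choice the thread describes (leave it off by default, let a site enable it in one shared file) keeps the exposure to sites that have deliberately opted in; upstream Linux-PAM later marked reading the user's environment file as deprecated, so check the pam_env(8) page of the installed version before relying on it.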