Calling pam_env.so from the auth stack is a security problem and should
never be done.
Always add it only to the session stack.

Thorsten

Thorsten Kukuk, Distinguished Engineer, Future Technologies
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nuernberg,
Germany
Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB
36809, AG Nürnberg)

Andrei Borzenkov <[email protected]> wrote on Sat, 24 Jan 2026, 15:02:

> 24.01.2026 09:51, [email protected] wrote:
> > Hi,
> >
> > I've been trying to replace sudo with run0 on my system. I've also
> > configured the /etc/environment and /etc/security/pam_env.conf files for
> > environment variables for all users on the system level. These files will
> > be loaded by pam_env.so in the PAM stack of sudo:
> >
> > /etc/pam.d/sudo
> > ```
> > #%PAM-1.0
> > auth include system-auth
> > account include system-auth
> > session include system-auth
> > ```
> > where system-auth includes the following line:
> > ```
> > auth       required                    pam_env.so
> > ```
> >
> > However, I noticed that the pam_env.so module was not in the PAM stack used
> > by run0: the "systemd-run0" PAM stack, and all the environment variables in
> > the configuration files that I used above will not be loaded.
> >
> > I would like to ask if the pam_env.so module was intentionally excluded
> > from the "systemd-run0" stack for some reason or just by coincidence that
> > no one ever thought of adding it in the PAM stack of run0?
> >
>
> That sounds more like a downstream question. E.g., on openSUSE
> systemd-run0 does not have any configuration for auth at all and differs
> from what the upstream provides. Every distribution may have some
> customized PAM configuration.
>
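
One way to audit a system for the rule stated at the top of this thread (pam_env.so only in the session stack), as an added example that is not part of the original messages and not code from systemd or Linux-PAM. The function name `find_pam_env` is hypothetical and the two sample files are constructed to mirror the sudo/system-auth layout quoted above; the checker follows `include` and `substack` lines per module type and reports every pam_env.so entry reached outside `session`.

```python
import re

# Constructed sample files mirroring the layout quoted in the thread.
SAMPLE = {
    "sudo": """#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth
""",
    "system-auth": """#%PAM-1.0
auth       required                    pam_env.so
auth       [success=1 default=ignore]  pam_unix.so try_first_pass
account    required                    pam_unix.so
session    required                    pam_limits.so
""",
}

# type, control (plain word or [bracketed list]), module path or included file
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def find_pam_env(files, service, only_type=None, seen=None):
    """Return (file, line number, type) for each pam_env.so entry reachable
    from `service` outside the session stack, following include/substack."""
    seen = set() if seen is None else seen
    if (service, only_type) in seen or service not in files:
        return []
    seen.add((service, only_type))
    hits = []
    for lineno, raw in enumerate(files[service].splitlines(), 1):
        match = LINE.match(raw.split("#", 1)[0].strip())
        if not match:
            continue  # blank line or comment
        ptype, control, target = match.group(1).lower(), match.group(2), match.group(3)
        if only_type and ptype != only_type:
            continue  # an include only pulls in lines of the including type
        if control in ("include", "substack"):
            hits += find_pam_env(files, target, ptype, seen)
        elif target.rsplit("/", 1)[-1] == "pam_env.so" and ptype != "session":
            hits.append((service, lineno, ptype))
    return hits

if __name__ == "__main__":
    for name, lineno, ptype in find_pam_env(SAMPLE, "sudo"):
        print(f"{name}:{lineno}: pam_env.so in '{ptype}' stack, move to session")
```

To check a real system, build the `files` mapping by reading each file under /etc/pam.d/ into a dict keyed by file name.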
