[Bug 952185] Re: ~/.pam_environment not parsed when HOME is encrypted

Steve Langasek steve.langasek at canonical.com
Tue Feb 12 04:08:18 UTC 2013


Having reviewed the proposed pam change at
<https://code.launchpad.net/~gunnarhj/ubuntu/raring/pam/encrypted-home/+merge/135021>,
I believe it's incorrect and that this needs to be
fixed in lightdm instead.  Repeating my comment from the merge proposal:

 - This is a change in behavior of common-session for all PAM services.  Previously, pam_env is not mentioned in the common-* files at all, only in select service files that wish to use the module.  Maybe this should be a common module, but I think that's separate from the question of whether the existing services have a correct stack, and this should not be the solution for the reported bug.
 - The services that are having this problem are ones that don't have pam_env in their session stack /at all/ - they're calling pam_env as an 'auth' module.  This is allowed by the module, but should be considered deprecated.  Furthermore, the module's own manpage says "Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack."  So the services currently including pam_env appear to be misusing it; they should be fixed directly.
 - As of the next upload of pam to raring, .pam_environment will not be read by default at all by the pam_env module.  This change is being made in response to CVE-2010-4708, a low-priority security bug that can cause unexpected side effects on other modules later in the stack.  Explicitly putting pam_env last in the session stack and using user_readenv=1 should be safe; but that would need to be done in the per-service configs to ensure that it's actually last.

So I don't think this should be implemented in its current form and
think that this needs to be fixed in the per-service files instead.


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4708

** Changed in: pam (Ubuntu)
       Status: In Progress => Invalid

** Changed in: pam (Ubuntu Precise)
       Status: Confirmed => Invalid

** Also affects: openssh (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: at (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: sudo (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/952185

Title:
  ~/.pam_environment not parsed when HOME is encrypted

Status in Light Display Manager:
  Triaged
Status in “at” package in Ubuntu:
  New
Status in “lightdm” package in Ubuntu:
  Triaged
Status in “openssh” package in Ubuntu:
  New
Status in “pam” package in Ubuntu:
  Invalid
Status in “sudo” package in Ubuntu:
  New
Status in “at” source package in Precise:
  New
Status in “lightdm” source package in Precise:
  Triaged
Status in “openssh” source package in Precise:
  New
Status in “pam” source package in Precise:
  Invalid
Status in “sudo” source package in Precise:
  New

Bug description:
  I have noticed this with LightDM 1.1.6 - 1.1.8. Is HOME 'unlocked' too
  late?

  The result is that the session environment contains the system wide
  locale settings, while the user's locale settings are ignored.
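
The per-service check described in the message above (pam_env not used as an 'auth' module, and pam_env with user_readenv=1 placed last in the session stack) can be expressed as a small linter. This is an added example, not code from the bug report or from the pam package; the sample service files are constructed, includes are not expanded, and treating any @include whose name contains "session" as part of the session stack is an assumption.

```python
import re

# Constructed per-service PAM files (in the style of /etc/pam.d/<service>); not from the bug.
SAMPLE_BAD = """\
auth    required  pam_env.so user_readenv=1
@include common-auth
@include common-session
session required  pam_env.so user_readenv=1
session required  pam_limits.so
"""
SAMPLE_GOOD = """\
@include common-auth
@include common-session
session required  pam_limits.so
session required  pam_env.so user_readenv=1
"""

# type, control (plain word or [bracketed]), module path, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, module, args) per rule; '@include X' becomes ('include', X, [])."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):
            rules.append(("include", line.split()[1], []))
        elif (m := RULE.match(line)):
            rules.append((m.group(1).lower(), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def check_pam_env(text):
    """Report pam_env placements that the message above argues against."""
    rules = parse(text)
    findings = []
    if any(t == "auth" and mod == "pam_env.so" for t, mod, _ in rules):
        findings.append("pam_env is called as an auth module")
    # Assumption: an include whose name contains 'session' adds to the session stack.
    session = [r for r in rules
               if r[0] == "session" or (r[0] == "include" and "session" in r[1])]
    readers = [i for i, r in enumerate(session)
               if r[1] == "pam_env.so" and "user_readenv=1" in r[2]]
    if not readers:
        findings.append("no session pam_env with user_readenv=1")
    elif any(i != len(session) - 1 for i in readers):
        findings.append("pam_env user_readenv=1 is not last in the session stack")
    return findings
```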
