[Bug 955032] Re: pam environment duplicate path directories since it is called without user_readenv=0
Launchpad Bug Tracker
955032 at bugs.launchpad.net
Thu Feb 14 22:45:49 UTC 2013
This bug was fixed in the package pam - 1.1.3-8ubuntu1
---------------
pam (1.1.3-8ubuntu1) raring; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - Build-depend on libfl-dev in addition to flex, for cross-building
      support.
    - Add /usr/local/games to PATH. LP: #110287.

pam (1.1.3-8) unstable; urgency=low

  * Confirm NMU for bug #611136; thanks to Michael Gilbert.
    - As a side effect, there will no longer be errors from reading the
      .pam_environment twice since we are now reading it 0 times.
      LP: #955032.
  * Adjust the pam_env documentation to match the module behavior resulting
    from the previous security upload. Closes: #693995.
  * debian/rules: never regenerate manpages at build time; this may cause
    build skew that breaks the world in a multiarch context. LP: #1095887.
  * debian/patches-applied/glibc-2_16-compilation-fix.patch: fix missing
    include causing build failure with eglibc 2.16. Thanks to Daniel
    Schepler <dschepler at gmail.com>. Closes: #693450.
  * Ditch autoconf patch in favor of a build-dependency on dh-autoreconf,
    which will let us keep up-to-date with newer autotools. In the present
    instance, this gets us aarch64 support.
  * Install pam_timestamp_check - and while we're at it, move the manpage
    to the correct binary package. Closes: #648695.
  * Update lintian overrides to suppress some noise about hardening and
    manpages.
  * Enable audit support, by popular demand. This should have no major
    impact unless you're also running auditd; but I reserve the right to
    disable this again in the event that this causes a performance hit or
    breaks upgrades (since the dependency is pulled into libpam, not just
    into pam_tty_audit). Closes: #699159, LP: #937005.

pam (1.1.3-7.1) unstable; urgency=low

  * Non-maintainer upload.
  * Fix cve-2010-4708: user-configurable .pam_environment allows
    administrator-level changes without root access (closes: #611136).

 -- Steve Langasek <steve.langasek at ubuntu.com>  Mon, 11 Feb 2013 22:08:44 -0800
** Changed in: pam (Ubuntu)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/955032
Title:
pam environment duplicate path directories since it is called without
user_readenv=0
Status in “pam” package in Ubuntu:
Fix Released
Bug description:
I am trying to set my Environment variables through the procedure
described in: https://help.ubuntu.com/community/EnvironmentVariables
(BTW, that page states that ~/.pam_environment: "It is not a script
file, but rather consists of assignment expressions, one per line.",
which is misleading since it allows one to believe that the syntax is the
same as of /etc/environment file, which is not true. ~/.pam_environment
uses the pam_env.conf syntax, as specified here:
http://manpages.ubuntu.com/manpages/natty/man5/pam_env.conf.5.html)
However, back to the bug: basically, I added (prepended) some
directory to the ${PATH} variable inside my .pam_environment file and
that folder was duplicated in the final PATH variable.
The reason is that (see also:
http://superuser.com/questions/135730/why-do-i-get-duplicated-entries-in-my-path)
the user_readenv=0 parameter is not specified in the lines where
pam_env.so is called inside *all* the files in /etc/pam.d
Basically, after creating my .pam_environment file, I had to go inside
/etc/pam.d and to scan all files and to add the "user_readenv=0"
parameter to every line where "pam_env.so envfile=/etc/default/locale"
was encountered.
For example, in "cron" file, I had to change:
    session required pam_env.so envfile=/etc/default/locale
into:
    session required pam_env.so envfile=/etc/default/locale user_readenv=0
and this goes the same for all other files inside /etc/pam.d/ folder
that contain the line "pam_env.so envfile=/etc/default/locale"
That's annoying. Please update those files to contain, by default,
"user_readenv=0", to avoid duplicate folders when setting $PATH
through the .pam_environment file.
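
Added example, not part of the bug report or of the pam package: the manual scan of /etc/pam.d described in the bug, as a read-only shell audit that lists every pam_env.so entry and whether it sets user_readenv explicitly. The function names, the OK/ENABLED/DEFAULT labels and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: report every pam_env.so entry in a PAM service directory
# and whether it sets user_readenv explicitly.
#   OK       user_readenv=0 is present
#   ENABLED  user_readenv=1 is present (the per-user file is read)
#   DEFAULT  option absent, so the module's built-in default applies
audit_pam_env() {
    dir=${1:-/etc/pam.d}
    report=$(
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continuations
                { line = buf $0; buf = "" }
                line ~ /^[ \t]*#/ || line !~ /pam_env\.so/ { next }
                {
                    status = "DEFAULT"
                    if (line ~ /(^|[ \t])user_readenv=0([ \t]|$)/) status = "OK"
                    else if (line ~ /(^|[ \t])user_readenv=1([ \t]|$)/) status = "ENABLED"
                    gsub(/[ \t]+/, " ", line)
                    printf "%s %s:%d: %s\n", status, file, NR, line
                }' "$f"
        done
    )
    [ -z "$report" ] || printf '%s\n' "$report"
    # Exit status 1 if any entry does not pin user_readenv=0.
    ! printf '%s\n' "$report" | grep -Eq '^(DEFAULT|ENABLED) '
}

# Constructed sample directory (not real system files) so the audit runs offline.
make_sample_pam_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'session required pam_env.so envfile=/etc/default/locale' > "$d/cron"
    printf '%s\n' 'session required pam_env.so envfile=/etc/default/locale \' \
        '    user_readenv=0' > "$d/sshd"
    printf '%s\n' 'session required pam_env.so user_readenv=1' \
        'session optional pam_umask.so' > "$d/login"
    printf '%s\n' "$d"
}

sample=$(make_sample_pam_dir)
audit_pam_env "$sample" || echo "entries without user_readenv=0 found"
rm -rf "$sample"
```

Run `audit_pam_env` with no argument to check /etc/pam.d itself; the line number reported for a continued entry is that of its last physical line.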