[Bug 1302349] Re: pam_env applies user_envfile twice

Fri Apr 4 12:20:28 UTC 2014

Thank you for taking the time to report this bug and helping to make
Ubuntu better.

This sounds reasonable to me. I wondered about /etc/skel/.profile, which
also prepends ~/bin, but I think this is a red herring since in your
case you aren't getting a login shell, and I verified this on my machine
with "ssh localhost echo '$PATH'" not including ~/bin on my system,
where I haven't added a ~/.pam_environment as you have.

So as far as I can tell, this is a valid bug, and should be fixed as you
have proposed. I'm not confident enough in my own understanding to push
for this myself though; I'd like to hear a second opinion from Colin or
someone.

Setting Importance: Medium as a workaround is available.

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1302349

Title:
  pam_env applies user_envfile twice

Status in “openssh” package in Ubuntu:
  New

Bug description:
  I originally noticed this on Ubuntu 12.04 with 1:5.9p1-5ubuntu1.2, but
  judging from the sources it seems to be in 1:6.6p1-2 as well.

  I added to ~/.pam_environment

  PATH DEFAULT=/home/user/bin:${PATH}

  When I ssh into the machine it gives the prepended path twice:

  $ ssh localhost echo '$PATH'
  /home/user/bin:/home/user/bin:...

  I'd expect it prepend the path only once.

  The latest sources ( ~ubuntu-branches/ubuntu/trusty/openssh/trusty :
  /debian/openssh-server.sshd.pam (revision 3264)) contains this:

  # Read environment variables from /etc/environment and
  # /etc/security/pam_env.conf.
  auth       required     pam_env.so # [1]
  # In Debian 4.0 (etch), locale-related environment variables were moved to
  # /etc/default/locale, so read that as well.
  auth       required     pam_env.so envfile=/etc/default/locale

  pam_env loads always first conffile (default
  /etc/security/pam_env.conf), and then by default envfile
  (/etc/environment) which is in different syntax than the two other and
  third the user_envfile (~/.pam_environment). Both of these pam_env
  lines then load the same conffile an user_envfile.

  If you need to load a fourth configuration file, you can do it without
  loading the conffile and user_envfile twice by having these two lines:

  auth       required     pam_env.so
  auth       required     pam_env.so conffile=/dev/null envfile=/etc/default/locale user_readenv=0

  The first line reads the three default files and the second line reads
  only the envfile that is changed from the default.

  I verified this fix works on Ubuntu 12.04.

  This bug seems to be in most other packages as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1302349/+subscriptions