[Bug 1302349] Re: pam_env applies user_envfile twice

Marko Kohtala marko.kohtala at gmail.com
Wed Apr 9 12:58:12 UTC 2014


Thank you for the thanks. I think we should figure this thing out
properly before creating a lot of tasks. Simple grep pam_env
/etc/pam.d/* reveals some packages, but not all. Is there a database
which packages provide which files?

I think that instead of what I proposed first, it would be better to
have these two lines:

auth required pam_env.so user_readenv=0
auth required pam_env.so conffile=/dev/null envfile=/etc/default/locale

Then the order of reading files would be

/etc/security/pam_env.conf
/etc/environment
/etc/default/locale
~/.pam_environment

What I first proposed would read the /etc/default/locale after
~/.pam_environment not allowing user to override the locale.

I tried to submit for linux-PAM an update on pam_env documentation. Let's
see how active they are. Better documentation should help here.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1302349

Title:
  pam_env applies user_envfile twice

Status in “openssh” package in Ubuntu:
  New

Bug description:
  I originally noticed this on Ubuntu 12.04 with 1:5.9p1-5ubuntu1.2, but
  judging from the sources it seems to be in 1:6.6p1-2 as well.

  I added to ~/.pam_environment

  PATH DEFAULT=/home/user/bin:${PATH}

  When I ssh into the machine it gives the prepended path twice:

  $ ssh localhost echo '$PATH'
  /home/user/bin:/home/user/bin:...

  I'd expect it to prepend the path only once.

  The latest sources ( ~ubuntu-branches/ubuntu/trusty/openssh/trusty :
  /debian/openssh-server.sshd.pam (revision 3264)) contains this:

  # Read environment variables from /etc/environment and
  # /etc/security/pam_env.conf.
  auth       required     pam_env.so # [1]
  # In Debian 4.0 (etch), locale-related environment variables were moved to
  # /etc/default/locale, so read that as well.
  auth       required     pam_env.so envfile=/etc/default/locale

  pam_env always loads first the conffile (default
  /etc/security/pam_env.conf), then by default the envfile
  (/etc/environment), which is in a different syntax than the other two,
  and third the user_envfile (~/.pam_environment). Both of these pam_env
  lines then load the same conffile and user_envfile.

  If you need to load a fourth configuration file, you can do it without
  loading the conffile and user_envfile twice by having these two lines:

  auth       required     pam_env.so
  auth       required     pam_env.so conffile=/dev/null envfile=/etc/default/locale user_readenv=0

  The first line reads the three default files and the second line reads
  only the envfile that is changed from the default.

  I verified this fix works on Ubuntu 12.04.

  This bug seems to be in most other packages as well.
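
An added example, not part of the original message or of the openssh packaging: a small checker that lists which files a set of pam_env lines would read, in order, and flags any file read more than once. The defaults and the conffile, envfile, user_envfile order are modelled as the bug report describes them, which is an assumption about the installed pam_env; the function names are hypothetical.

```python
from collections import Counter

# Defaults as the bug report describes them (assumed to match the installed pam_env).
DEFAULTS = {"conffile": "/etc/security/pam_env.conf", "envfile": "/etc/environment",
            "user_envfile": "~/.pam_environment", "readenv": "1", "user_readenv": "1"}

# The three stacks quoted in the message and bug description.
ORIGINAL = """
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
"""
FIXED = """
auth       required     pam_env.so
auth       required     pam_env.so conffile=/dev/null envfile=/etc/default/locale user_readenv=0
"""
PROPOSED = """
auth required pam_env.so user_readenv=0
auth required pam_env.so conffile=/dev/null envfile=/etc/default/locale
"""

def files_read(stack_text):
    """List the files pam_env would read, in order, for the given pam.d lines."""
    order = []
    for line in stack_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        module = next((i for i, f in enumerate(fields) if f.endswith("pam_env.so")), None)
        if module is None:
            continue
        opts = dict(DEFAULTS)
        for arg in fields[module + 1:]:
            key, sep, value = arg.partition("=")
            if sep and key in opts:
                opts[key] = value
        order.append(opts["conffile"])
        if opts["readenv"] != "0":
            order.append(opts["envfile"])
        if opts["user_readenv"] != "0":
            order.append(opts["user_envfile"])
    return [f for f in order if f != "/dev/null"]  # /dev/null contributes nothing

def duplicates(stack_text):
    """Files read more than once; each repeat re-applies entries like PATH DEFAULT=...:${PATH}."""
    counts = Counter(files_read(stack_text))
    return sorted(f for f, n in counts.items() if n > 1)

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("fixed", FIXED), ("proposed", PROPOSED)):
        print(name, files_read(stack), "duplicates:", duplicates(stack))
```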
