[Merge] lp:~kirkland/pam/update-motd-now into lp:~ubuntu-core-dev/pam/ubuntu
Dustin Kirkland
dustin.kirkland at gmail.com
Tue Jan 28 10:00:50 UTC 2014
On Tue, Jan 28, 2014 at 7:39 AM, Steve Langasek
<steve.langasek at canonical.com> wrote:
> Hi Dustin,
>
>> Well, I'm trying to mimic the same behavior we have in pam_motd.c itself.
>
> That behavior is in the context of a command being spawned from a PAM module; defensive environment sanitizing is a strict requirement here. I'm not convinced it makes sense to use the same technique in a shell script that will be called directly by an administrator. There's clearly not a security rationale for calling env -i in that case. Are you concerned that not cleaning the environment will result in inconsistent behavior between the module and the script in a legitimate configuration?
That was my original goal -- to generate a perfect match of the MOTD,
whether generated by /usr/sbin/update-motd or pam_motd, and this
seemed to be the obvious way to do that.

That said, I don't care that much, and hate to see this blocking the
acceptance of the functionality. So I've made that change, and pushed
the changes to lp:~kirkland/pam/update-motd-now
--
https://code.launchpad.net/~kirkland/pam/update-motd-now/+merge/202896
Your team Ubuntu Core Development Team is subscribed to branch lp:~ubuntu-core-dev/pam/ubuntu.