On Fri, Jan 25, 2013 at 02:30:03PM +0900, Morita Sho wrote:

> After some investigations, I noticed the patch
> pam-1.1.3/debian/patches-applied/cve-2011-4708.patch changes the default
> value of DEFAULT_USER_READ_ENVFILE to 0.  It makes the option user_readenv
> to be disabled by default and stops reading ~/.pam_environment.

> It is inconsistent with the documentations and the manpage of pam_env as
> they described ~/.pam_environment will be read by default.

Yes.  The documentation needs to be fixed.

> Upstream applied the same patch on 2010-10-11[2] so that set
> DEFAULT_USER_READ_ENVFILE to 0, but the change has immediately been
> reverted[3].  And DEFAULT_USER_READ_ENVFILE is still 1 in the latest
> version[4].

> [1] https://security-tracker.debian.org/tracker/CVE-2010-4708
> [2] 
> http://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_env/pam_env.c?id=4c430f6f8391555bb1b7b78991afb20d35228efc
> [3] 
> http://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_env/pam_env.c?id=f4aba7f47b87984fda3c5533b03b08a85e4ce81b
> [4] 
> http://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_env/pam_env.c

Correct, but this is only because I've failed to follow through on it
upstream.  There is a consensus now that this should default to 0.

> Ubuntu seems to decided to keep DEFAULT_USER_READ_ENVFILE unchanged, i.e.
> enabled by default[5].

> [5] http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4708.html

Incorrect.  The only decision was to not change the behavior in a stable
release update.  The next update of pam in Ubuntu will include this change.

> I know the current behaviour can be changed so that pam_env will read
> ~/.pam_environment by modifying the files in /etc/pam.d/*.  The
> modification to let pam_env to read ~/.pam_environment can be made with
> the following command:

>   # sed -i 's/pam_env.so.*/& user_readenv=1/' /etc/pam.d/*

> But it would be useful and convenient if ~/.pam_environment is read by
> default.  FYI, Ubuntu recommended to use ~/.pam_environment to set
> per-user environment variables[6].

And that's the reason that it was not changed in Ubuntu in a stable update.
But it's still a security issue, which in the long term should be addressed
by disabling userenv by default.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]

Attachment: signature.asc
Description: Digital signature

Reply via email to