On Fri, Jan 25, 2013 at 02:30:03PM +0900, Morita Sho wrote: > After some investigations, I noticed the patch > pam-1.1.3/debian/patches-applied/cve-2011-4708.patch changes the default > value of DEFAULT_USER_READ_ENVFILE to 0. It makes the option user_readenv > to be disabled by default and stops reading ~/.pam_environment.
> It is inconsistent with the documentations and the manpage of pam_env as > they described ~/.pam_environment will be read by default. Yes. The documentation needs to be fixed. > Upstream applied the same patch on 2010-10-11[2] so that set > DEFAULT_USER_READ_ENVFILE to 0, but the change has immediately been > reverted[3]. And DEFAULT_USER_READ_ENVFILE is still 1 in the latest > version[4]. > [1] https://security-tracker.debian.org/tracker/CVE-2010-4708 > [2] > http://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_env/pam_env.c?id=4c430f6f8391555bb1b7b78991afb20d35228efc > [3] > http://git.fedorahosted.org/cgit/linux-pam.git/commit/modules/pam_env/pam_env.c?id=f4aba7f47b87984fda3c5533b03b08a85e4ce81b > [4] > http://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_env/pam_env.c Correct, but this is only because I've failed to follow through on it upstream. There is a consensus now that this should default to 0. > Ubuntu seems to decided to keep DEFAULT_USER_READ_ENVFILE unchanged, i.e. > enabled by default[5]. > [5] http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4708.html Incorrect. The only decision was to not change the behavior in a stable release update. The next update of pam in Ubuntu will include this change. > I know the current behaviour can be changed so that pam_env will read > ~/.pam_environment by modifying the files in /etc/pam.d/*. The > modification to let pam_env to read ~/.pam_environment can be made with > the following command: > # sed -i 's/pam_env.so.*/& user_readenv=1/' /etc/pam.d/* > But it would be useful and convenient if ~/.pam_environment is read by > default. FYI, Ubuntu recommended to use ~/.pam_environment to set > per-user environment variables[6]. And that's the reason that it was not changed in Ubuntu in a stable update. But it's still a security issue, which in the long term should be addressed by disabling userenv by default. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ [email protected] [email protected]
signature.asc
Description: Digital signature

