(sorry for re-sending, but seems the Debian BTS doesn't like my other
mail address o.O)


CCing pam maintainers for their opinion on whether this could be done in
PAM's common-session config, for the benefit of all.


On Thu, 2022-04-07 at 09:14 +0200, Yves-Alexis Perez wrote:
> > May I split these up again?
> 
> You can

Done.

> but to be honest I'm unsure (and reluctant) about changing PAM
> configuration. I'd like to avoid breaking stuff in the authentication
> path so having a review of how correct these changes are would be nice.

Uhm... isn't that what we have unstable for? I mean it wouldn't really
help now, if I said, something works for me, cause PAM is rather
complex and any other people could just see issues with it.

But that change seems pretty non-invasive, doesn't it?
I mean someone would have needed to create a user env file with broken
settings to actually break something.
So I'd say the "broken" setup is rather when someone created that file
and it's not considered.



> The bug asks for adding:
> 
> > auth      required pam_env.so user_readenv=1
> 
> to /etc/pam.d/login.

Uhm... my understanding was that this is used by login(1) (only?)...
i.e. if one logs in via login on the Linux console.

So it's needed there, too, for which I've reported #989919 a while ago.


> I guess it'd fit more in:
> 
> > session
> >     this module type is associated with doing things that need to be
> >     done for the user before/after they can be given service. Such
> >     things include the logging of information concerning the
> >     opening/closing of some data exchange with a user, mounting
> >     directories, etc.

I guess so,... and that's also what most in my:
/etc/pam.d$ grep -R user_
sshd:session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
polkit-1:session       required   pam_env.so readenv=1 user_readenv=0
polkit-1:session       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

do, except for:
atd:auth        required        pam_env.so user_readenv=1




> And the file already contains:
> 
> > # Load environment from /etc/environment and ~/.pam_environment
> > session      required pam_env.so readenv=1
> > session      required pam_env.so readenv=1 envfile=/etc/default/locale
> 
> So it'd be a matter of adding user_readenv=1.

Yes, but that's for login(1) again, isn't it?!



> But to be honest, the PAM modifications for lightdm come from gdm3 package
> and I'm again reluctant to deviate from that, and GDM3 doesn't set
> user_readenv.

Well ideally *all* means of actually logging in should set this so that
the user gets a uniform "experience".

And I guess somewhere one needs to start ^^


> Finally, the PAM configuration file has 
> 
> > @include common-session
> 
> so I guess one could reconfigure pam to include user_readenv or
> something.

Well would seem like an even better place... though also one where
people are even less likely to change something.


Right now at least the situation is quite unfortunate, as there is no
proper way (without manually changing the PAM config) for a user to set
his PATH.... other than ugly hacks (.profile and .bash* are only
sourced by Bourne-shell compatible shells respectively bash...)


Thanks,
Chris.
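
Added example, not part of the original message: a Python check that lists each pam_env.so line per service together with its user_readenv setting, which is what the grep in the message was used for. The sample configs are constructed from the lines quoted in the thread; the "displaymanager" service name is hypothetical, and @include'd files are not followed.

```python
import re
from pathlib import Path

# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE = {
    "sshd": "session required pam_env.so user_readenv=1 envfile=/etc/default/locale\n",
    "polkit-1": "session required pam_env.so readenv=1 user_readenv=0\n",
    "atd": "auth required pam_env.so user_readenv=1\n",
    "displaymanager": (  # hypothetical service name
        "# Load environment from /etc/environment and ~/.pam_environment\n"
        "session required pam_env.so readenv=1\n"
        "session required pam_env.so readenv=1 \\\n"
        "    envfile=/etc/default/locale\n"
        "@include common-session\n"
    ),
}

def pam_env_entries(service, text):
    """Yield (service, module_type, user_readenv) for each pam_env.so line."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@"):  # @include is not followed here
            continue
        # Fields: [-]type, control (word or [bracketed list]), module, arguments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or Path(m.group(3)).name != "pam_env.so":
            continue
        args = dict(a.partition("=")[::2] for a in m.group(4).split())
        yield service, m.group(1), args.get("user_readenv")

def audit(files):
    """Return (service, type, value); 'unset' means the module default applies."""
    out = []
    for service, text in sorted(files.items()):
        for svc, mtype, val in pam_env_entries(service, text):
            out.append((svc, mtype, "unset" if val is None else val))
    return out

if __name__ == "__main__":
    pam_d = Path("/etc/pam.d")
    files = ({p.name: p.read_text(errors="replace")
              for p in pam_d.iterdir() if p.is_file()}
             if pam_d.is_dir() else SAMPLE)
    for svc, mtype, val in audit(files):
        print(f"{svc:16} {mtype:8} user_readenv={val}")
```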
