On Sat, Apr 09, 2022 at 06:41:47PM +0200, Christoph Anton Mitterer wrote: > On Sat, 2022-04-09 at 08:20 -0500, Serge E. Hallyn wrote: > > I wonder whether it was disabled > > for security reasons? Is there a debian bug referring to that? > > Hmm could be this... > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136 > > Though I don't quite understand what the attack actually is (or whether > it was fixed - and if there is no real fix, why the pam manpages still > don't warn from that option), since any user could just set any var in > his .bashrc or so....
Based on https://www.openwall.com/lists/oss-security/2010/09/27/7 I think the concern was that the user's env file was being read while fsuid was still root. I see patches fixing it in pam itself, so I don't think the default workaround is needed. Now, arguably, it is a hairy bit of code, and so defaulting to not reading it while allowing sites to override is conservative. I guess someone should do another code review of at least pam_env. _______________________________________________ Pkg-shadow-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel
