pam_env applies user_envfile twice

Bug #1302349 reported by Marko Kohtala
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
openssh (Ubuntu) | New | Medium | Unassigned |

Bug Description

I originally noticed this on Ubuntu 12.04 with 1:5.9p1-5ubuntu1.2, but judging from the sources it seems to be in 1:6.6p1-2 as well.

I added to ~/.pam_environment

PATH DEFAULT=/home/user/bin:${PATH}

When I ssh into the machine it gives the prepended path twice:

$ ssh localhost echo '$PATH'
/home/user/bin:/home/user/bin:...

I'd expect it to prepend the path only once.

The latest sources (~ubuntu-branches/ubuntu/trusty/openssh/trusty : /debian/openssh-server.sshd.pam (revision 3264)) contain this:

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

pam_env always loads the conffile first (default /etc/security/pam_env.conf), then by default the envfile (/etc/environment), which is in a different syntax than the other two, and third the user_envfile (~/.pam_environment). Both of these pam_env lines then load the same conffile and user_envfile.

If you need to load a fourth configuration file, you can do it without loading the conffile and user_envfile twice by having these two lines:

auth required pam_env.so
auth required pam_env.so conffile=/dev/null envfile=/etc/default/locale user_readenv=0

The first line reads the three default files and the second line reads only the envfile that is changed from the default.

I verified this fix works on Ubuntu 12.04.

This bug seems to be in most other packages as well.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This sounds reasonable to me. I wondered about /etc/skel/.profile, which also prepends ~/bin, but I think this is a red herring since in your case you aren't getting a login shell, and I verified this on my machine with "ssh localhost echo '$PATH'" not including ~/bin on my system, where I haven't added a ~/.pam_environment as you have.

So as far as I can tell, this is a valid bug, and should be fixed as you have proposed. I'm not confident enough in my own understanding to push for this myself though; I'd like to hear a second opinion from Colin or someone.

Setting Importance: Medium as a workaround is available.

Changed in openssh (Ubuntu):
importance: Undecided → Medium
Robie Basak (racb) wrote :

> This bug seems to be in most other packages as well.

Perhaps we need to figure out and validate which packages exactly, and create tasks for each of them?

Marko Kohtala (marko-kohtala) wrote :

Thank you for the thanks. I think we should figure this thing out properly before creating a lot of tasks. A simple grep pam_env /etc/pam.d/* reveals some packages, but not all. Is there a database of which packages provide which files?

I think that instead of what I proposed first, it would be better to have these two lines:

auth required pam_env.so user_readenv=0
auth required pam_env.so conffile=/dev/null envfile=/etc/default/locale

Then the order of reading files would be

/etc/security/pam_env.conf
/etc/environment
/etc/default/locale
~/.pam_environment

What I first proposed would read /etc/default/locale after ~/.pam_environment, not allowing the user to override the locale.

I tried to submit an update to the pam_env documentation to linux-PAM. Let's see how active they are. Better documentation should help here.
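
The read-order reasoning in this thread can be checked mechanically. The following Python sketch is an added example, not part of the bug report or of any Ubuntu package: it lists the files each pam_env.so line reads and flags any file read more than once. The function names are hypothetical, the defaults are the ones the report describes, and @include lines are not followed.

```python
from collections import Counter

# Defaults and per-invocation read order as described in the report.
DEFAULTS = {"conffile": "/etc/security/pam_env.conf", "envfile": "/etc/environment",
            "readenv": "1", "user_envfile": ".pam_environment"}

def files_read(args, user_readenv_default="1"):
    """Files one pam_env.so invocation reads, in order, given its arguments."""
    # Assumption: user_readenv defaults to on, as the report describes; pass "0"
    # for builds where the user file is only read when explicitly requested.
    opts = dict(DEFAULTS, user_readenv=user_readenv_default)
    for arg in args:
        key, sep, value = arg.partition("=")
        if sep and key in opts:
            opts[key] = value
    files = [opts["conffile"]]
    if opts["readenv"] != "0":
        files.append(opts["envfile"])
    if opts["user_readenv"] != "0":
        files.append("~/" + opts["user_envfile"])
    return [f for f in files if f != "/dev/null"]

def audit(pam_text, user_readenv_default="1"):
    """Return (read_order, files_read_more_than_once) for a PAM service file."""
    order = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        for i, field in enumerate(fields):
            if field.endswith("pam_env.so"):
                order += files_read(fields[i + 1:], user_readenv_default)
                break
    counts = Counter(order)
    return order, [f for f in counts if counts[f] > 1]

# Constructed inputs: the stanzas quoted in the report.
PACKAGED = """\
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
"""
REVISED = """\
auth required pam_env.so user_readenv=0
auth required pam_env.so conffile=/dev/null envfile=/etc/default/locale
"""

if __name__ == "__main__":
    for name, text in (("packaged", PACKAGED), ("revised", REVISED)):
        order, dupes = audit(text)
        print(name, "reads:", " -> ".join(order))
        print(name, "read more than once:", dupes or "none")
```

To check a real service file, pass its contents to audit(), for example the text of /etc/pam.d/sshd.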
