/bin/sh illegal option -p when using pam_namespace.so

Bug #1081323 reported by Scott Duckworth on 2012-11-20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pam (Debian)
Fix Released
pam (Ubuntu)

Bug Description

When PAM is configured to use pam_namespace.so, something, presumably PAM, emits the line "/bin/sh: 0: Illegal option -p" once for every entry defined in /etc/security/namespace.conf. Switching /bin/sh from dash to bash using dpkg-reconfigure dash avoids the problem.

I have seen this problem when authenticating with login, sudo, and su, but not with ssh (sshd is configured with UsePAM yes).

Is it possible that pam_namespace.so is making the assumption that /bin/sh is implemented by bash?

Steve Langasek (vorlon) wrote :

This comes from the /etc/security/namespace.init file. Feel free to edit the file to be correct, changes will be preserved on upgrade. If you get this working to your satisfaction, patches will be welcome.

Changed in pam (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in pam (Debian):
status: Unknown → New

The attached patch removes the -p option from the shebang line of /etc/security/namespace.init and fixes this bug. The effect of the -p option with bash is to not reset the effective UID to match the real UID if they are different, but this is the default behavior if bash is invoked as /bin/sh. Similarly, this is also the default if dash is invoked as /bin/sh. So the -p option is extraneous in the first place and causes warnings if dash is being used for /bin/sh.

Changed in pam (Debian):
status: New → Confirmed
Changed in pam (Debian):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (5.7 KiB)

This bug was fixed in the package pam - 1.1.8-3.6ubuntu1

pam (1.1.8-3.6ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable.
    - Fixes unescaped brace in pam_getenv regex. LP: #1538284.
    - Fixes pam_namespace defaults for compatibility with dash. LP: #1081323.
  * Remaining changes:
    - debian/control: have libpam-modules recommend update-motd package
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/libpam0g.postinst: the init script for 'samba' is now named
      'smbd' in Ubuntu, so fix the restart handling.
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix's explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - debian/patches-applied/extrausers.patch: Add a pam_extrausers module
      that is basically just a copy of pam_unix but looks at
      /var/lib/extrausers/{group,passwd,shadow} instead of /etc/
    - debian/libpam-modules-bin.install: install the helper binaries for
      pam_extrausers to /sbin
    - debian/rules: Make pam_extrausers_chkpwd sguid shadow
    - pam-configs/mkhomedir: Added a config for pam_mkhomedir, disabled
      by default.
    - don't notify about xdm restarts during a release-upgrade
    - debian/patches-applied/cve-2015-3238.patch: removed manpage changes
      so they don't get regenerated during build and cause a multiarch
      installation issue.
  * Dropped changes, included in Debian:
    - Build-depend on libfl-dev.
    - debian/patches-applied/pam-limits-nofile-fd-setsize-cap: cap the default
      soft nofile limit read from pid 1 to FD_SETSIZE.
  * Fix references to /var/run in update-motd.5. LP: #1571864
  * Fix service restart handling to integrate with systemd instead of

pam (1.1.8-3.6) unstable; urgency=medium

  * Non-maintainer upload.
  * cve-2015-3238.patch: Add the changes in the generated pam_exec.8
    and pam_unix.8 in addi...


Changed in pam (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.