[pam] Module pam_env does not unset environment variables

Bug #1599069 reported by Cade Forester on 2016-07-05
This bug affects 1 person
Affects: pam (Ubuntu)

Bug Description

Architecture: amd64
Date: 2016-07-05T07:10:34,326215642+0000 (printed by command "date --utc --iso-8601=ns")
DistroRelease: Ubuntu 14.04
Package: libpam-modules 1.1.8-1ubuntu2.2
PackageArchitecture: amd64
SourcePackage: pam
Uname: Linux 3.16.0-53-generic x86_64

Steps to reproduce.

1. Edit some files.

   Shell command:
      cat /etc/security/pam_env.conf

   Output of last shell command:
      TEST__SET_ME DEFAULT="value set successfully"

   Shell command:
      cat /etc/pam.d/su

   Output of last shell command:
      auth sufficient pam_rootok.so
      session required pam_env.so readenv=1 debug
      # /etc/pam.d/common-auth
      auth [success=1 default=ignore] pam_unix.so nullok_secure
      auth requisite pam_deny.so
      auth required pam_permit.so
      auth optional pam_ecryptfs.so unwrap
      auth optional pam_cap.so
      # /etc/pam.d/common-account
      account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
      account requisite pam_deny.so
      account required pam_permit.so
      # /etc/pam.d/common-session
      session [default=1] pam_permit.so
      session requisite pam_deny.so
      session required pam_permit.so
      session optional pam_umask.so
      session required pam_unix.so
      session optional pam_ecryptfs.so unwrap
      session optional pam_ck_connector.so nox11

2. Run shell commands:
      env --ignore-environment sh
      export TEST__CLEAR_ME="variable not cleared"
      export TEST__UNSET_ME="variable still set"
      su --command env | grep TEST__

   Type root password.

   Output of last shell command:
      TEST__UNSET_ME=variable still set
      TEST__SET_ME=value set successfully

   Related syslog output:
      su[11338] Successful su for root by local_user
      su[11338] + /dev/pts/0 local_user:root
      su[11338] pam_env(su:session): pam_putenv("TEST__SET_ME=value set successfully")
      su[11338] pam_env(su:session): pam_putenv("TEST__CLEAR_ME=")
      su[11338] pam_env(su:session): remove variable "TEST__UNSET_ME"
      su[11338] pam_env(su:session): pam_putenv: delete non-existent entry; TEST__UNSET_ME
      su[11338] pam_env(su:session): pam_putenv("PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin")
      su[11338] pam_unix(su:session): session opened for user root by local_user(uid=1000)
      su[11338] pam_unix(su:session): session closed for user root

Actual result:
environment variable not unset.

Expected result:
unset environment variable

- pam module "pam_env.so" does not unset environment variables;
- man page pam_env(8) describes that the module can unset environment variables, but does not describe how to do that (answer found in line 472).

Cade Forester (ahx2323) on 2016-07-05
affects: ubuntu → pam (Ubuntu)
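
The syslog line `pam_putenv: delete non-existent entry` in the report is consistent with pam_putenv(3) operating on the PAM handle's own variable list, which is separate from the environment the calling process inherited. The sketch below is an added example, not code from the report or from Linux-PAM; it models the two lists in plain C with hypothetical names (`env_list`, `model_putenv`, `model_getenv`, `replay_report`). It assumes the caller copies the PAM list over its inherited environment, which is an assumption about `su` that the report does not state.

```c
#include <stdio.h>
#include <string.h>
enum { MAX_VARS = 16, MAX_LEN = 128 };
/* Toy "NAME=value" list: models the PAM handle's or the process's environment. */
struct env_list { char entries[MAX_VARS][MAX_LEN]; int count; };

static int find_var(const struct env_list *e, const char *nv) {
    size_t nlen = strcspn(nv, "=");   /* accepts "NAME" or "NAME=value" */
    for (int i = 0; i < e->count; i++)
        if (!strncmp(e->entries[i], nv, nlen) && e->entries[i][nlen] == '=')
            return i;
    return -1;
}

/* pam_putenv(3)-style: "NAME=value" sets, bare "NAME" deletes (-1 if absent). */
static int model_putenv(struct env_list *e, const char *nv) {
    int i = find_var(e, nv);
    if (!strchr(nv, '=')) {
        if (i < 0) return -1;   /* "delete non-existent entry" */
        memmove(e->entries[i], e->entries[--e->count], MAX_LEN);
        return 0;
    }
    if (i < 0) { if (e->count == MAX_VARS) return -1; i = e->count++; }
    snprintf(e->entries[i], MAX_LEN, "%s", nv);
    return 0;
}

static const char *model_getenv(const struct env_list *e, const char *name) {
    int i = find_var(e, name);
    return i < 0 ? NULL : e->entries[i] + strlen(name) + 1;
}

/* Replays the report's variables; returns the result of the unset request. */
static int replay_report(struct env_list *proc) {
    struct env_list pam = { .count = 0 };
    memset(proc, 0, sizeof *proc);
    model_putenv(proc, "TEST__UNSET_ME=variable still set");  /* inherited */
    model_putenv(&pam, "TEST__SET_ME=value set successfully");
    int rc = model_putenv(&pam, "TEST__UNSET_ME");  /* absent from PAM list */
    for (int i = 0; i < pam.count; i++)             /* assumed merge by caller */
        model_putenv(proc, pam.entries[i]);
    return rc;
}

int main(void) {
    struct env_list proc;
    printf("unset rc=%d\n", replay_report(&proc));
    printf("TEST__UNSET_ME=%s\n", model_getenv(&proc, "TEST__UNSET_ME"));
    return 0;
}
```

In this model the inherited variable survives because the delete request never touches the list that holds it, matching the `su --command env` output in the report.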