sshd and pam_env both read /etc/environment, but assume different syntax
Christian Kurz
shorty at debian.org
Thu Dec 28 18:32:28 EST 2000
Morning,
and that's the next bug report that I have to forward to you, because the
fix should be applied in the upstream sources. Thanks.
> sshd (in ssh 1:1.2.3-9) in its default configuration reads
> /etc/environment file twice when a user logs in: first, it is
> read through pam_env module of PAM (due to the configuration
> in /etc/pam.d/ssh), and then by `read_environment_file()'
> function of `sshd.c' itself.
> The real problem is that the syntax of /etc/environment
> assumed by these are slightly different (as of pam-modules
> 0.72-9 and ssh 1:1.2.3-9); for example, pam_env supports
> Bourne shell-like `export' prefix and quoting (surrounding
> quotes are removed), which are not handled by sshd.c.
> It follows that the resulting environments may be different
> between ssh and normal login, as the latter relies only upon
> pam_env for setting up the system-wide default environment.
> For consistency, it would be nice if the reading of
> /etc/environment is solely handled via pam_env in sshd as well,
> just like normal login process.
> I'm attaching below a small patch against sshd.c for this purpose.
> Even if the ssh maintainer somehow does not like changing the
> current situation, the manpage of sshd should mention that
> the file /etc/environment is used for setting up the ``basic
> environment,'' at the least. The present manpage only tells us
> $HOME/.ssh/environment is consulted, which gives users the wrong
> impression that /etc/environment takes effect only because
> /etc/pam.d/ssh has a `pam_env' line (and it does not have the `readenv=0'
> option).
> I asked him now if this bug is still true for a newer version and he
> confirmed that in 2.2.0p1 the bug still exists and sent a fix:
> If you mean (open)ssh 1:2.2.0p1-1.1, yes, it still suffers
> from the same problem.
> The relevant code is now around line 1116 of openssh-2.2.0p1/session.c.
> ---8<---8<---
> #ifdef USE_PAM
>     /* Pull in any environment variables that may have been set by PAM. */
>     do_pam_environment(&env, &envsize);
> #endif /* USE_PAM */
>     read_environment_file(&env, &envsize, "/etc/environment");
> ---8<---8<---
> The function do_pam_environment() incorporates all the variables defined
> by pam_env, but those defined in /etc/environment are later overridden by
> the read_environment_file() function.
> They produce different results if the value of a variable had
> quotes or `#' character in it, or if the definition was prefixed with
> `export'.
> It's easy to see how sshd sets environment by starting sshd with -d flag.
> I think the problem (in part, if not all) comes from the lack of
> policy in Debian on the use (and the format) of /etc/environment file.
So would you agree that this is a valid bug that should be fixed, or do
you also think that this is a flaw in Debian?
Ciao
Christian
--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
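To make the mismatch described in the report concrete, here is an added Python example (not sshd's or pam_env's own code) that models the two readers as the report characterises them and lists the variables on which they disagree for a constructed /etc/environment. The sample file, the variable names, and the treatment of an unquoted `#` as a comment start in the pam_env model are assumptions of this model, not facts taken from either implementation.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample /etc/environment; the lines mirror the cases the report lists.
SAMPLE_ENVIRONMENT = """\
# system-wide defaults (constructed sample)
PATH=/usr/local/bin:/usr/bin:/bin
export LANG=en_US
EDITOR="vim"
MOTD='Hello world'
TAG=release # trailing comment
"""

def read_sshd_style(text: str) -> Dict[str, str]:
    """Model of sshd's read_environment_file(): skip blank and `#` lines, split
    at the first `=`, keep the remainder verbatim (no `export`, no quoting)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        env[name.strip()] = value
    return env

_QUOTED = re.compile(r'^(["\'])(.*)\1$')

def read_pam_env_style(text: str) -> Dict[str, str]:
    """Model of pam_env: optional `export` prefix, surrounding quotes removed,
    and (model assumption) an unquoted `#` starts a comment."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        name, value = line.split("=", 1)
        value = value.strip()
        m = _QUOTED.match(value)
        value = m.group(2) if m else value.split("#", 1)[0].rstrip()
        env[name.strip()] = value
    return env

def divergent_variables(text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Variables the two readers disagree on, as {name: (pam_env, sshd)};
    a variable that one reader never defines appears as None."""
    pam, sshd = read_pam_env_style(text), read_sshd_style(text)
    return {n: (pam.get(n), sshd.get(n)) for n in sorted(set(pam) | set(sshd))
            if pam.get(n) != sshd.get(n)}
```

Running `divergent_variables(SAMPLE_ENVIRONMENT)` shows the report's three cases: the `export` line becomes a variable literally named `export LANG` in the sshd model, the quoted values keep their quotes, and the trailing comment ends up inside the value.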