PrivSep and PAM environment variable setting
Chris Adams
cmadams at hiwaay.net
Sun Mar 12 05:51:53 EST 2006
Once upon a time, Darren Tucker <dtucker at zip.com.au> said:
> On Fri, Mar 10, 2006 at 09:51:45AM -0600, Chris Adams wrote:
> > I'm trying to use the PAM "pam_mail.so" module on Linux to set the MAIL
> > environment variable (so I don't have to try to do it in various shell
> > init scripts), but the MAIL setting doesn't get passed through unless I
> > disable PrivilegeSeparation.
> >
> > Is there a way to have PAM set environment variables when PrivSep is
> > enabled?
>
> I think it should work. What version of OpenSSH and LinuxPAM are you
> using, and what does the PAM config file look like?

I started out on a RHEL system with:

    pam-0.77-66.11
    openssh-3.9p1-8.RHEL4.9

and then tried on a FC rawhide (essentially FC5 at this point) system
with:

    pam-0.99.3.0-2
    openssh-4.3p2-4

I added the line:

    auth required /lib/security/$ISA/pam_mail.so hash=2

to /etc/pam.d/system-auth right after the pam_env.so line (on the FC5
system I left out the "/lib/security/$ISA/" as that was how the other
entries were written).

I had to comment out the setting of MAIL in /etc/profile (or that
overrides anything OpenSSH or PAM set).

Hmm, it appears to be a problem specific to pam_mail.so. If I configure
pam_env.so to change MAIL to "xyzzy", it works. I guess I'll have to
dig at that some more.

--
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.