PAM session setup and environment variables

[Damien Miller]

On Thu, 19 Dec 2024, Dmitry V. Levin wrote:

> > We could potentially allow-list some variables, but I'd like to get
> > some input from people who (for example) maintain PAM for distributions
> > on what is acceptable.
> 
> With my Linux-PAM hat on, the most essential difference between the
> authenticated user code that currently gets the environment variables
> listed in AcceptEnv, and the PAM modules session code that currently
> doesn't get them, is that PAM modules session code is privileged, so extra
> care should be taken not to forward there accidentally any environment
> variables that could affect that privileged code in an unintended way.
> 
> While XDG_SESSION_CLASS and XDG_SESSION_TYPE variables mentioned by Michal
> are harmless, those LC_* variables AcceptEnv'ed in many default setups are
> also likely to be OK, allowing arbitrary variables listed in AcceptEnv
> could be risky given that some PAM session modules like pam_namespace and
> pam_exec invoke external executables and could be affected by e.g. LD_*
> variables.
> 
> If we're aiming for flexibility without sacrificing security, then a new
> sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify
> what is allowed to be forwarded to the PAM session modules.

Thanks for chiming in. How about we accept variables from a narrow allow-
list (XDG_SESSION_CLASS/TYPE, LC_*) for now and see how it goes?

-d