Christian Kurz
2000-Dec-28 07:32 UTC
sshd and pam_env both read /etc/environment, but assume different syntax
Morning,

and that's the next bugreport that I have to forward you, because the
fix should be applied in the upstream sources. Thanks.

> sshd (in ssh 1:1.2.3-9) in its default configuration reads
> /etc/environment file twice when a user logs in: first, it is
> read through pam_env module of PAM (due to the configuration
> in /etc/pam.d/ssh), and then by `read_environment_file()'
> function of `sshd.c' itself.
>
> The real problem is that the syntax of /etc/environment
> assumed by these are slightly different (as of pam-modules
> 0.72-9 and ssh 1:1.2.3-9); for example, pam_env supports
> Bourne shell-like `export' prefix and quoting (surrounding
> quotes are removed), which are not handled by sshd.c.
>
> It follows that the resulting environments may be different
> between ssh and normal login, as the latter relies only upon
> pam_env for setting up the system-wide default environment.
>
> For consistency, it would be nice if the reading of
> /etc/environment is solely handled via pam_env in sshd as well,
> just like normal login process.
> I'm attaching below a small patch against sshd.c for this purpose.
>
> Even if the ssh maintainer somehow does not like changing the
> current situation, the manpage of sshd should mention that
> the file /etc/environment is used for setting up the ``basic
> environment,'' at the least. The present manpage only tells us
> $HOME/.ssh/environment is consulted, which gives the users wrong
> impression that /etc/environment takes effect only because
> /etc/pam.d/ssh has `pam_env' line (and it does not have `readenv=0'
> option).

I asked him now if this bug is still true for newer version and he
confirmed that in 2.2.0p1 the bug is still existing and sent a fix:

> If you mean (open)ssh 1:2.2.0p1-1.1, yes, it still suffers
> from the same problem.
>
> The relevant code is now around line 1116 of openssh-2.2.0p1/session.c.
>
> ---8<---8<---
> #ifdef USE_PAM
>         /* Pull in any environment variables that may have been set by PAM. */
>         do_pam_environment(&env, &envsize);
> #endif /* USE_PAM */
>
>         read_environment_file(&env, &envsize, "/etc/environment");
> ---8<---8<---
>
> The function do_pam_environment() incorporates all the variables defined
> by pam_env, but those defined in /etc/environment are later overridden by
> read_environment_file() function.
>
> They produce different results if the value of a variable had
> quotes or `#' character in it, or if the definition was prefixed with
> `export'.
>
> It's easy to see how sshd sets environment by starting sshd with -d flag.
>
> I think the problem (in part, if not all) comes from the lack of
> policy in Debian on the use (and the format) of /etc/environment file.

So would you agree that this is a valid bug that should be fixed or do
you also think that this is a flaw in debian?

Ciao
Christian
--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
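As an added illustration (not code from sshd, pam_env or the bug report above), the two toy readers below approximate the two syntaxes the report contrasts: a literal NAME=value split, and a shell-like one that accepts an `export' prefix and strips surrounding quotes. Run over constructed sample lines, readers_disagree() flags the lines on which the two readers would seed the session environment differently; the `#'-in-value case the report mentions is not modelled, and the exact behaviour of the real read_environment_file() is assumed, not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define MAXLEN 256

struct envvar { char name[MAXLEN]; char value[MAXLEN]; };

/* Literal NAME=value split, approximating how the report says sshd's
 * read_environment_file() treats /etc/environment: no `export' prefix
 * handling, no quote removal. Returns 0 if the line is not NAME=value. */
static int literal_parse(const char *line, struct envvar *out)
{
    const char *eq = strchr(line, '=');
    if (line[0] == '#' || line[0] == '\0' || eq == NULL)
        return 0;
    snprintf(out->name, MAXLEN, "%.*s", (int)(eq - line), line);
    snprintf(out->value, MAXLEN, "%s", eq + 1);
    return 1;
}

/* Shell-like split approximating what the report attributes to pam_env:
 * optional `export ' prefix, matching surrounding quotes stripped. */
static int shell_like_parse(const char *line, struct envvar *out)
{
    if (strncmp(line, "export ", 7) == 0)
        line += 7;
    while (*line == ' ' || *line == '\t')
        line++;
    if (!literal_parse(line, out))
        return 0;
    size_t n = strlen(out->value);
    if (n >= 2 && (out->value[0] == '"' || out->value[0] == '\'')
        && out->value[n - 1] == out->value[0]) {
        memmove(out->value, out->value + 1, n - 2);
        out->value[n - 2] = '\0';
    }
    return 1;
}

/* Returns 1 when the two readers would put a different NAME or value
 * into the environment for this line, 0 when they agree. */
int readers_disagree(const char *line)
{
    struct envvar a, b;
    int ra = literal_parse(line, &a), rb = shell_like_parse(line, &b);
    if (ra != rb)
        return 1;
    if (!ra)
        return 0;
    return strcmp(a.name, b.name) != 0 || strcmp(a.value, b.value) != 0;
}

int main(void)
{
    /* Constructed sample /etc/environment lines, not taken from any host. */
    const char *lines[] = { "PATH=/usr/local/bin:/usr/bin", "export EDITOR=vi",
                            "LANG=\"en_US\"", "# a comment", NULL };
    for (int i = 0; lines[i] != NULL; i++)
        printf("%-32s %s\n", lines[i], readers_disagree(lines[i]) ? "DIFFERS" : "same");
    return 0;
}
```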