Bug#761600: sshd.pam: reads env variables from user file

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#761600: sshd.pam: reads env variables from user file
From: Jakub Wilk <jwilk@debian.org>
Date: Sun, 14 Sep 2014 23:46:58 +0200
Message-id: <[🔎] 20140914214658.GA6164@jwilk.net>
Reply-to: Jakub Wilk <jwilk@debian.org>, 761600@bugs.debian.org

Source: openssh
Version: 1:6.6p1-7
Severity: important
Tags: security

A few years ago CVE-2010-4708 was assigned to pam:

The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the.pam_environment file in a user's home directory, which might allowlocal users to run programs with an unintended environment by executinga program that relies on the pam_env PAM check.


This was fixed in pam by disabling user_readenv by default.
However, sshd.pam explicitly sets user_readenv=1.

user_readenv=1 might allow bypassing access restrictions (such as usershell set to /usr/bin/rssh) even when PermitUserEnvironment is disabled.


--
Jakub Wilk

Reply to:

Prev by Date: Si può fare
Next by Date: Bug#751636: openssh-server: ssh sessions are not cleanly termined on shutdown/restart with systemd
Previous by thread: Si può fare
Next by thread: Bug#751636: openssh-server: ssh sessions are not cleanly termined on shutdown/restart with systemd
Index(es):
- Date
- Thread