Bug#784158: Missing pam_env.so user_readenv=1 in the pam file

On Thu, 2022-04-07 at 05:59 +0200, Christoph Anton Mitterer wrote:
> You've set wontfix on #672793 some longer time ago, but AFAIU, this was
> because of some user's request to have lightdm source .profile (which
> is IMO indeed plain wrong).

Indeed.

> 
> Later on #784158 was forcemerged with these... (and thus also marked
> wontfix).
> 
> Why so?

Because (I guess) the original #784158 message was about .profile as well.
> 
> #784158 is a completely different request, namely to modify lightdm's
> PAM config to allow users to have an env file parsed.

That happened later in the bug log and I might have missed it indeed.

> May I split these up again?

You can, but to be honest I'm unsure (and reluctant) about changing PAM
configuration. I'd like to avoid breaking stuff in the authentication path so
having a review of how correct these changes are would be nice.

The bug asks for adding:

> auth      required pam_env.so user_readenv=1

to /etc/pam.d/login.

I don't think 'auth' is the correct place since pam.d(5) says:

> auth
>     this module type provides two aspects of authenticating the user.
>     Firstly, it establishes that the user is who they claim to be, by
>     instructing the application to prompt the user for a password or
>     other means of identification. Secondly, the module can grant group
>     membership or other privileges through its credential granting
>     properties.
> 


I guess it'd fit more in:

> session
>     this module type is associated with doing things that need to be
>     done for the user before/after they can be given service. Such
>     things include the logging of information concerning the
>     opening/closing of some data exchange with a user, mounting
>     directories, etc.
> 

And the file already contains:

> # Load environment from /etc/environment and ~/.pam_environment
> session      required pam_env.so readenv=1
> session      required pam_env.so readenv=1 envfile=/etc/default/locale

So it'd be a matter of adding user_readenv=1.

But to be honest, the PAM modifications for lightdm come from the gdm3 package
and I'm again reluctant to deviate from that, and GDM3 doesn't set user_readenv.

Finally, the PAM configuration file has 

> @include common-session

so I guess one could reconfigure pam to include user_readenv or something.

Regards,
-- 
Yves-Alexis
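An added example, not part of the original message or of the lightdm or PAM packaging: a small audit that lists every pam_env.so rule reachable from a service's PAM file (following @include), with its module type and whether user_readenv=1 is set. The file contents are constructed from the lines quoted above; the pam_permit.so rule and the common-session contents are assumptions.

```python
# Constructed sample files modelled on the lines quoted in the message above;
# the pam_permit.so rule and the common-session contents are assumptions.
SAMPLE = {
    "lightdm": (
        "# Load environment from /etc/environment and ~/.pam_environment\n"
        "session      required pam_env.so readenv=1\n"
        "session      required pam_env.so readenv=1 envfile=/etc/default/locale\n"
        "@include common-session\n"
    ),
    "common-session": (
        "session [default=1] pam_permit.so\n"
        "-session optional pam_env.so user_readenv=1\n"
    ),
}


def parse_rule(line):
    """Split one pam.d rule into (type, module, args); None if not a rule."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3:
        return None
    i = 1  # index of the last token of the control field
    while fields[1].startswith("[") and not fields[i].endswith("]") and i < len(fields) - 1:
        i += 1  # a bracketed control such as [success=ok default=bad] spans tokens
    if i + 1 >= len(fields):
        return None
    return fields[0].lstrip("-"), fields[i + 1], fields[i + 2:]


def audit(service, files, seen=None):
    """List (file, type, user_readenv_on) for each pam_env.so rule, following @include."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for line in files[service].splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "@include":
            found += audit(fields[1], files, seen)
        rule = parse_rule(line)  # None for comments, blanks and @include lines
        if rule and rule[1].endswith("pam_env.so"):
            # Absent means off, the default pam_env(8) documents for user_readenv.
            found.append((service, rule[0], "user_readenv=1" in rule[2]))
    return found


if __name__ == "__main__":
    for name, mtype, on in audit("lightdm", SAMPLE):
        print(f"{name}: type={mtype} user_readenv={'on' if on else 'off'}")
```

To check a real system, build the `files` mapping from the contents of /etc/pam.d instead of `SAMPLE`.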
