Bug#784158: Missing pam_env.so user_readenv=1 in the pam file
On Thu, 2022-04-07 at 05:59 +0200, Christoph Anton Mitterer wrote:
> You've set wontfix on #672793 some longer time ago, but AFAIU, this was
> because of some user's request to have lightdm source .profile (which
> is IMO indeed plain wrong).
Indeed.
>
> Later on #784158 was forcemerged with these... (and thus also marked
> wontfix).
>
> Why so?
Because (I guess) the original #784158 message was about .profile as well.
>
> #784158 is a completely different request, namely to modify lightdm's
> PAM config to allow users to have an env file parsed.
That happened later in the bug log and I might have missed it indeed.
> May I split these up again?
You can, but to be honest I'm unsure (and reluctant) about changing PAM
configuration. I'd like to avoid breaking stuff in the authentication path so
having a review of how correct these changes are would be nice.
The bug asks for adding:
> auth required pam_env.so user_readenv=1
to /etc/pam.d/login.
I don't think 'auth' is the correct place since pam.d(5) says:
> auth
> this module type provides two aspects of authenticating the user.
> Firstly, it establishes that the user is who they claim to be, by
> instructing the application to prompt the user for a password or
> other means of identification. Secondly, the module can grant group
> membership or other privileges through its credential granting
> properties.
>
I guess it'd fit more in:
> session
> this module type is associated with doing things that need to be
> done for the user before/after they can be given service. Such
> things include the logging of information concerning the
> opening/closing of some data exchange with a user, mounting
> directories, etc.
>
And the file already contains:
> # Load environment from /etc/environment and ~/.pam_environment
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 envfile=/etc/default/locale
So it'd be a matter of adding user_readenv=1.
But to be honest, the PAM modifications for lightdm come from gdm3 package and
I'm again reluctant to deviate from that, and GDM3 doesn't set user_readenv.
Finally, the PAM configuration file has
> @include common-session
so I guess one could reconfigure pam to include user_readenv or something.
Regards,
--
Yves-Alexis
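An added example, not part of the original message or of the lightdm package: a small Python check that lists every pam_env.so rule in a PAM service file with its module type and user_readenv setting, plus the files pulled in by include directives, as an aid to the kind of review the message asks for. The sample text is constructed from the lines quoted above, and the function names are illustrative.

```python
import re

# Constructed sample: the two session rules and the include quoted in the
# message, plus the 'auth' rule the bug report asked for.
SAMPLE = """\
# Load environment from /etc/environment and ~/.pam_environment
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_env.so user_readenv=1
@include common-session
"""

# type, control (plain word or [bracketed list]), module path, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (included files, [(type, module, args)]) for a PAM service file."""
    includes, rules = [], []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()              # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "@include":
            includes.append(parts[1])
            continue
        m = RULE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        if control in ("include", "substack"):           # other include forms
            includes.append(module)
        else:
            rules.append((mtype, module, args.split()))
    return includes, rules

def audit_pam_env(text):
    """List each pam_env.so rule with its stack and user_readenv setting."""
    includes, rules = parse(text)
    findings = []
    for mtype, module, args in rules:
        if module.rsplit("/", 1)[-1] != "pam_env.so":
            continue
        opts = dict(a.split("=", 1) if "=" in a else (a, "") for a in args)
        findings.append({
            "type": mtype,
            "in_session": mtype == "session",   # the stack the message prefers
            "user_readenv": opts.get("user_readenv"),  # None: not set here
            "envfile": opts.get("envfile"),
        })
    return includes, findings

if __name__ == "__main__":
    includes, findings = audit_pam_env(SAMPLE)
    for f in findings:
        print(f)
    print("also review:", includes)
```

A rule reported with `user_readenv` of `None` only means the option is absent on that line; the files listed under includes have to be checked the same way before concluding what the stack does.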