
Bug#784158: Missing pam_env.so user_readenv=1 in the pam file



Hey.

I should add that there was:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611136

which is about a security hole that involved reading the user specific
environment file.

I couldn't find any in-depth analysis of that or some definite
information on whether this was fixed or not.
Because in principle, if done right of course, it would sound strange if
this could be used for an attack, when any user could also just set
such vars in .profile etc.

Also, e.g. Debian's /etc/pam.d/sshd would still read the user env file
by default (so wouldn't that be affected by any security hole, too?)


See perhaps also:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989919#20

Thanks,
Chris.

