FS#68945 : [at][gdm][pambase] user

FS#68945 - [at][gdm][pambase] user_readenv is deprecated

Attached to Project: Arch Linux
Opened by Geert Hendrickx (ghen) - Friday, 11 December 2020, 15:54 GMT
Last edited by David Runge (dvzrv) - Friday, 21 October 2022, 09:26 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	Jan Alexander Steffens (heftig) Christian Hesse (eworm) David Runge (dvzrv) Levente Polyak (anthraxx)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	11 Geert Hendrickx (ghen) (2022-10-06) Niels Huylebroeck (Red15) (2022-10-06) Hexhu (hexhu) (2022-08-04) leuko (leuko) (2022-07-19) Iyan (iyanmv) (2022-03-08) Fabian Walther (Namru) (2022-02-09) env (ENV25) (2021-09-26) Daniel Micay (thestinger) (2021-09-08) d (hosibach) (2021-06-17) Michaël Defferrard (mdeff) (2021-01-09) Siegfried Metz (NiceGuy) (2020-12-11)
Private	No

Details

pambase installs /etc/pam.d/system-login containing the following line:

session required pam_env.so user_readenv=1

According to pam_env(8), user_readenv is deprecated for security reasons, so since upgrading to pam 1.5.0, my systemd journal is full of:

systemd[22414]: pam_env(systemd-user:session): deprecated reading of user environment enabled
lightdm[22409]: pam_env(lightdm:session): deprecated reading of user environment enabled
sshd[23040]: pam_env(sshd:session): deprecated reading of user environment enabled

I'm no expert on the matter and I don't know why this was enabled in Arch, but it's probably best to reconsider this.

This task depends upon

Closed by David Runge (dvzrv)
Friday, 21 October 2022, 09:26 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with at 3.2.5-2, gdm 43.0-1, pambase 20221020-1.

Comment by Siegfried Metz (NiceGuy) - Friday, 11 December 2020, 17:22 GMT

More instances in /etc/pam.d with user_readenv=1

Package | pam file
at : atd
gdm : gdm-launch-environment

Comment by loqs (loqs) - Friday, 11 December 2020, 21:03 GMT

See ~~FS#67519~~ for why it was added.

Comment by Daniel Micay (thestinger) - Wednesday, 08 September 2021, 21:15 GMT

Since upstream deprecated it, Arch should probably follow along with that and give a notice about it post-upgrade. Since it has the potential to break people's setups it might be worthy of a news post. Should just be moving to making sure each login method makes a login shell (display managers don't always do this) and using .zprofile / .bash_profile, etc. Also important that other things don't spuriously make another nested login shell.

Comment by Niels Huylebroeck (Red15) - Thursday, 06 October 2022, 09:22 GMT

Should severity on this issue not be raised to Critical seeing there is an exploitable vulnerability on this ?

https://nvd.nist.gov/vuln/detail/CVE-2015-8325

Comment by AK (Andreaskem) - Thursday, 06 October 2022, 11:38 GMT

As far as I can see, CVE-2015-8325 was fixed by OpenSSH a long time ago?

Comment by Geert Hendrickx (ghen) - Thursday, 06 October 2022, 12:51 GMT

But the fact remains that the Arch pambase package re-enables an insecure feature that has long been deprecated upstream.

Comment by Daniel Micay (thestinger) - Thursday, 06 October 2022, 15:37 GMT

There isn't a known vulnerability but rather the feature is considered highly insecure by design because a highly privileged process reads files controlled by unprivileged users with a fairly complex and not hardened or particularly well written parser. They don't want to support this anymore so they're taking securing it much less seriously since their solution is deprecating it. It will become a more pressing issue to remove it over time as it gets less priority from them. It does only impact privilege escalation from users doing logins and the kernel has far more vulnerabilities, but it's still an unnecessary security issue that's meant to be avoided by the fact that they disabled it by default / deprecated it.

Comment by David Runge (dvzrv) - Thursday, 20 October 2022, 09:33 GMT

For posterity, the user_readenv feature has been deprecated with 1.5.0 [1].
I have removed the setting from pambase [2] and will issue a release in [testing] today.

[1] https://github.com/linux-pam/linux-pam/blob/f69a6042da801096c94b30465c118e17c803f5c2/NEWS#L38-L39
[2] https://github.com/archlinux/svntogit-packages/commit/b9d1d5e6e62834ca97afe2023468d19d9faccad7

Comment by David Runge (dvzrv) - Thursday, 20 October 2022, 09:44 GMT

@eworm @heftig: Please remove the setting from the respective PAM files in at and gdm as well.

Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:05 GMT

You did not remove the option, but pam_env.so - Was that intended?

Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:07 GMT

Ah, missed the follow-up commit...

Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:09 GMT

Fixed for at in version 3.2.5-2.

Comment by Jan Alexander Steffens (heftig) - Friday, 21 October 2022, 00:03 GMT

Fixed for gdm in version 43.0-1.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#68945 - [at][gdm][pambase] user_readenv is deprecated

Details

Loading...