FS#68945 - [at][gdm][pambase] user_readenv is deprecated

Attached to Project: Arch Linux
Opened by Geert Hendrickx (ghen) - Friday, 11 December 2020, 15:54 GMT
Last edited by David Runge (dvzrv) - Friday, 21 October 2022, 09:26 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Christian Hesse (eworm)
David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 11
Private No


pambase installs /etc/pam.d/system-login containing the following line:

session required pam_env.so user_readenv=1

According to pam_env(8), user_readenv is deprecated for security reasons, so since upgrading to pam 1.5.0, my systemd journal is full of:

systemd[22414]: pam_env(systemd-user:session): deprecated reading of user environment enabled
lightdm[22409]: pam_env(lightdm:session): deprecated reading of user environment enabled
sshd[23040]: pam_env(sshd:session): deprecated reading of user environment enabled

I'm no expert on the matter and I don't know why this was enabled in Arch, but it's probably best to reconsider this.
This task depends upon

Closed by  David Runge (dvzrv)
Friday, 21 October 2022, 09:26 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed with at 3.2.5-2, gdm 43.0-1, pambase 20221020-1.
Comment by Siegfried Metz (NiceGuy) - Friday, 11 December 2020, 17:22 GMT
More instances in /etc/pam.d with user_readenv=1

Package | pam file
at : atd
gdm : gdm-launch-environment
Comment by loqs (loqs) - Friday, 11 December 2020, 21:03 GMT
See  FS#67519  for why it was added.
Comment by Daniel Micay (thestinger) - Wednesday, 08 September 2021, 21:15 GMT
Since upstream deprecated it, Arch should probably follow along with that and give a notice about it post-upgrade. Since it has the potential to break people's setups it might be worthy of a news post. Should just be moving to making sure each login method makes a login shell (display managers don't always do this) and using .zprofile / .bash_profile, etc. Also important that other things don't spuriously make another nested login shell.
Comment by Niels Huylebroeck (Red15) - Thursday, 06 October 2022, 09:22 GMT
Should severity on this issue not be raised to Critical seeing there is an exploitable vulnerability on this ?

Comment by AK (Andreaskem) - Thursday, 06 October 2022, 11:38 GMT
As far as I can see, CVE-2015-8325 was fixed by OpenSSH a long time ago?
Comment by Geert Hendrickx (ghen) - Thursday, 06 October 2022, 12:51 GMT
But the fact remains that the Arch pambase package re-enables an insecure feature that has long been deprecated upstream.
Comment by Daniel Micay (thestinger) - Thursday, 06 October 2022, 15:37 GMT
There isn't a known vulnerability but rather the feature is considered highly insecure by design because a highly privileged process reads files controlled by unprivileged users with a fairly complex and not hardened or particularly well written parser. They don't want to support this anymore so they're taking securing it much less seriously since their solution is deprecating it. It will become a more pressing issue to remove it over time as it gets less priority from them. It does only impact privilege escalation from users doing logins and the kernel has far more vulnerabilities, but it's still an unnecessary security issue that's meant to be avoided by the fact that they disabled it by default / deprecated it.
Comment by David Runge (dvzrv) - Thursday, 20 October 2022, 09:33 GMT
For posterity, the user_readenv feature has been deprecated with 1.5.0 [1].
I have removed the setting from pambase [2] and will issue a release in [testing] today.

[1] https://github.com/linux-pam/linux-pam/blob/f69a6042da801096c94b30465c118e17c803f5c2/NEWS#L38-L39
[2] https://github.com/archlinux/svntogit-packages/commit/b9d1d5e6e62834ca97afe2023468d19d9faccad7
Comment by David Runge (dvzrv) - Thursday, 20 October 2022, 09:44 GMT
@eworm @heftig: Please remove the setting from the respective PAM files in at and gdm as well.
Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:05 GMT
You did not remove the option, but pam_env.so - Was that intended?
Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:07 GMT
Ah, missed the follow-up commit...
Comment by Christian Hesse (eworm) - Thursday, 20 October 2022, 10:09 GMT
Fixed for at in version 3.2.5-2.
Comment by Jan Alexander Steffens (heftig) - Friday, 21 October 2022, 00:03 GMT
Fixed for gdm in version 43.0-1.