Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#68945 - [pambase] user_readenv is deprecated

Attached to Project: Arch Linux
Opened by Geert Hendrickx (ghen) - Friday, 11 December 2020, 15:54 GMT
Last edited by David Runge (dvzrv) - Sunday, 07 February 2021, 17:05 GMT
Task Type Bug Report
Category Packages: Core
Status Assigned
Assigned To David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 9
Private No


pambase installs /etc/pam.d/system-login containing the following line:

session required user_readenv=1

According to pam_env(8), user_readenv is deprecated for security reasons, so since upgrading to pam 1.5.0, my systemd journal is full of:

systemd[22414]: pam_env(systemd-user:session): deprecated reading of user environment enabled
lightdm[22409]: pam_env(lightdm:session): deprecated reading of user environment enabled
sshd[23040]: pam_env(sshd:session): deprecated reading of user environment enabled

I'm no expert on the matter and I don't know why this was enabled in Arch, but it's probably best to reconsider this.
This task depends upon

Comment by Siegfried Metz (NiceGuy) - Friday, 11 December 2020, 17:22 GMT
More instances in /etc/pam.d with user_readenv=1

Package | pam file
at : atd
gdm : gdm-launch-environment
Comment by loqs (loqs) - Friday, 11 December 2020, 21:03 GMT
See  FS#67519  for why it was added.
Comment by Daniel Micay (thestinger) - Wednesday, 08 September 2021, 21:15 GMT
Since upstream deprecated it, Arch should probably follow along with that and give a notice about it post-upgrade. Since it has the potential to break people's setups it might be worthy of a news post. Should just be moving to making sure each login method makes a login shell (display managers don't always do this) and using .zprofile / .bash_profile, etc. Also important that other things don't spuriously make another nested login shell.