
Re: pam_env.so and pam_*env() calls



On Fri, Feb 01, 2002 at 10:21:48PM +0100, Thorsten Kukuk wrote:
> is there a special reason why pam_env.so uses the pam_*env() 
> functions and not putenv() or setenv()?

It should only prepare the environment to be used for the session
being created, not by the process creating the session.  Doing
otherwise could even be a security hole if, for example, $TMPDIR is
set to a directory controlled by the target user but would take
effect for the parent sshd, login, or su as well.

> The problem is, nearly no application sets the PAM environment, so
> the PAM module is nearly useless for most situations.

I didn't notice that.  OpenSSH and SimplePAMApps' login and su do
import the environment for the new session from PAM.  We're relying on
that for pam_mktemp to work.

-- 
/sd
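
The separation described in this reply, as an added example that is not part of the original message or of any project it names: the session environment is handed to the child at `execve()` time and the parent never calls `putenv()`/`setenv()`. `sample_envlist` is a constructed stand-in for the list `pam_getenvlist()` returns, and `session_tmpdir` and the path `/home/alice/tmp` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a NULL-terminated "NAME=value" list, the shape
 * pam_getenvlist() returns after modules such as pam_env have run. */
static char *const sample_envlist[] = {
    "PATH=/usr/bin:/bin",
    "TMPDIR=/home/alice/tmp",   /* directory the target user controls */
    NULL
};

/* Start the session child with exactly `envlist` as its environment and
 * copy the child's view of $TMPDIR into out. The calling process never
 * calls putenv()/setenv(), so its own environment is not changed.
 * Returns 0 on success, -1 on error. */
int session_tmpdir(char *const envlist[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: the new session */
        char *const argv[] = { "sh", "-c", "printf %s \"$TMPDIR\"", NULL };
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        execve("/bin/sh", argv, envlist); /* environment applies here only */
        _exit(127);
    }
    close(fds[1]);                        /* parent: sshd/login/su role */
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}
```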




