When enabling the user_readenv option in Fedora 39 (pam-1.5.3-3.fc39.x86_64) or 40 (pam-1.6.1-3.fc40.x86_64), the module (and thus the session) fails. I've seen various error messages, the worst one was a crash: cockpit-session[1787]: pam_env(cockpit:session): deprecated reading of user environment enabled cockpit-session[1787]: segfault at 0 ip 00007f48a141901f sp 00007ffd73c0c7b0 error 4 in pam_env.so[7f48a1418000+3000] likely on CPU 0 (core 0, socket 0) but more often sshd[1199]: pam_env(sshd:session): Unrecognized Option: (null) The user_readenv option is marked as deprecated, but it should either still work, or fail more gracefully. Reproducible: Always Steps to Reproduce: as root: echo 'session required pam_env.so user_readenv=1' >> /etc/pam.d/postlogin as user: printf "SERVER_PID=1234\nFOO=bar\n" > .pam_environment then login as that user (I tried with ssh) Actual Results: The ssh login immediately closes, and the journal shows: sshd[1199]: pam_env(sshd:session): Unrecognized Option: (null) FOO=bar - ignoring line sshd[1199]: error: PAM: pam_open_session(): Critical error - immediate abort Expected Results: The ssh session succeeds, and `echo $FOO` and `echo $SERVER_PID` both show the expected value. This is the case in e.g. Debian, Ubuntu, or RHEL 9.4 with pam-1.5.1-19.el9.x86_64. Trying this with session required pam_env.so envfile=/etc/environment instead, and printf "SERVER_PID=1234\nFOO=bar\n" >> /etc/environment works fine.
According to the man page, this option is deprecated and will be removed completely due to security issues. Therefore, I don't know if it is worth fixing this as upstream may reject any fixes. It would probably be better to remove this option completely.
Yes, perhaps that's the thing that pushes it over the edge.. Dropping the option is fine for me. I just don't like PAM modules causing memory corruption.
This started to affect CentOS 10 as well. Let's just kill that option there?
> printf "SERVER_PID=1234\nFOO=bar\n" > .pam_environment Note that "man pam_env" says that .pam_environment has the same syntax as /etc/security/pam_env.conf. Thus, "SERVER_PID=1234" is strictly speaking a syntax error.
This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Confirmed in current F42 with pam-1.7.0-4.fc42.x86_64