Description of problem:
When pam_exec launches an executable, it doesn't export the environment variables (PAM_USER, PAM_HOST, ...).

Version-Release number of selected component (if applicable):
0.99.6.2-6.el5

How reproducible:
Define a rule involving pam_exec.so

Steps to Reproduce:
Define a rule like the following (for instance in /etc/pam.d/sshd):

    auth optional pam_exec.so debug /bin/script

where script is executable and contains the following:

    #!/bin/bash
    env > /tmp/pam.log

Then perform the action corresponding to the file you wrote the rule into (for instance, create an SSH session) and check the content of /tmp/pam.log.

Actual results:

    BASH=/bin/bash
    BASH_ARGC=()
    BASH_ARGV=()
    BASH_LINENO=([0]="0")
    BASH_SOURCE=([0]="/bin/script")
    BASH_VERSINFO=([0]="3" [1]="2" [2]="25" [3]="1" [4]="release" [5]="x86_64-redhat-linux-gnu")
    BASH_VERSION='3.2.25(1)-release'
    DIRSTACK=()
    EUID=0
    GROUPS=()
    HOSTNAME=server.test.ch
    HOSTTYPE=x86_64
    IFS=$' \t\n'
    LANG=en_US.UTF-8
    MACHTYPE=x86_64-redhat-linux-gnu
    OPTERR=1
    OPTIND=1
    OSTYPE=linux-gnu
    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    PIPESTATUS=([0]="1")
    PPID=23723
    PS4='+ '
    PWD=/
    SHELL=/bin/bash
    SHELLOPTS=braceexpand:hashall:interactive-comments
    SHLVL=2
    TERM=xterm
    UID=0
    _=/usr/sbin/sshd

Expected results:
PAM_USER and other env. variables should be defined and not empty.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
Created attachment 489945
proposed patch
Hello.

I can confirm this patch is really fixing the issue.

Can this patch be included in the next RHEL version?

Regards

PetrR
Where can I find this patch? I need this functionality.

Thanks,
Jeremiah

(In reply to comment #17)
> Hello.
>
> I can confirm this patch is really fixing the issue.
>
> Can this patch be included in next RHEL version?
>
> Regards
>
> PetrR
(In reply to comment #22)
> Where can I find this patch? I need this functionality.

The patch is now publicly available and attached to this bug.
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. This request will be considered in a future release of Red Hat Enterprise Linux.
Comment on attachment 489945
proposed patch

The patch is missing the support for PAM_TYPE to be on parity with RHEL-6.
*** Bug 826797 has been marked as a duplicate of this bug. ***
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
This enhancement adds support for exporting environment variables from the PAM environment and in addition to that also environment variables containing common PAM item values to the script that is executed by the pam_exec module.
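Added example (not part of this bug report and not code from the pam patch): a hook script that consumes the variables the technical note above says pam_exec now exports. The variable names are the ones listed in pam_exec(8); the install path and the sample values are constructed. It sanitizes the values before logging, because PAM_USER and PAM_RHOST are supplied by the connecting peer, and it reports variables that were not exported, which is what the pam build in the original report would produce.

```shell
#!/bin/sh
# Hypothetical install: auth optional pam_exec.so /usr/local/sbin/pam-hook
# Variables named in pam_exec(8); PAM_TYPE is the one comment 9 asks for.
PAM_VARS="PAM_USER PAM_RUSER PAM_RHOST PAM_SERVICE PAM_TTY PAM_TYPE"

# Replace every byte outside a conservative set (newlines, spaces and '='
# included) so a crafted username cannot forge fields or extra log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9._:@/-' '_' | cut -c1-64
}

# Build one key=value line. Runs in a subshell so its variables stay local.
format_event() (
    line="" missing=""
    for name in $PAM_VARS; do
        # name only ever comes from the constant list above, so eval is safe
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            missing="$missing $name"      # not exported by this pam build
        else
            line="$line $name=$(sanitize "$value")"
        fi
    done
    if [ -n "$missing" ]; then
        line="$line missing=$(printf '%s' "${missing# }" | tr ' ' ',')"
    fi
    printf '%s\n' "${line# }"
)

# What the installed hook would call: one authpriv syslog record per event.
log_event() {
    logger -t pam-hook -p authpriv.info "$(format_event)"
}

# Constructed sample: a username carrying a newline and a forged field.
demo() (
    unset $PAM_VARS
    PAM_USER='alice
PAM_TYPE=forged' PAM_RHOST=192.0.2.10 PAM_SERVICE=sshd PAM_TYPE=auth
    format_event
)

if [ "${1-}" = "--demo" ]; then demo; fi
```

When installed as the hook, the script's last line would be a call to log_event instead of the --demo switch.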
It seems that the quiet option does not work as expected.

Scenario:

    session required pam_exec.so /bin/false
    su -l -c pwd test

    session required pam_exec.so quiet /bin/false
    su -l -c pwd test

I see the same for both variants in /var/log/secure:

    Aug 2 08:46:30 dhcp-25-23 su: pam_unix(su-l:session): session opened for user test by (uid=0)
    Aug 2 08:46:30 dhcp-25-23 su: pam_exec(su-l:session): /bin/false failed: exit code 1
No, the quiet option does not affect the syslog messages, it affects the output that is echoed during the login to the user.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0032.html