pam_env: deprecation notice of reading the user environment

* modules/pam_env/pam_env.8.xml: Add the notice to the manual. * modules/pam_env/pam_env.c (_pam_parse): Log deprecation warning if user_readenv is set.
author: Tomas Mraz <tmraz@fedoraproject.org> 2020-11-04 11:49:30 +0100
committer: Tomas Mraz <tmraz@fedoraproject.org> 2020-11-05 09:40:39 +0100
commit: ecd526743a27157c5210b0ce9867c43a2fa27784 (patch)
tree: 6ba98dc48eda4275945441885f368283eb56de94 /modules/pam_env
parent: 51318fd423a8ab4456a278ef0aff6ad449aab916 (diff)
2 files changed, 8 insertions, 0 deletions
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 1e455576..75ff862b 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -163,6 +163,11 @@
             behavior of subsequent modules in the stack without the consent
             of the system administrator.
           </para>
+          <para>
+            Due to problematic security this functionality is deprecated
+            since the 1.5.0 version and will be removed completely at some
+            point in the future.
+          </para>
         </listitem>
       </varlistentry>
 
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 4aa3777f..f5f8cead 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -120,6 +120,9 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 	  pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
     }
 
+    if (*user_readenv)
+	pam_syslog(pamh, LOG_DEBUG, "deprecated reading of user environment enabled");
+
     return ctrl;
 }
author	Tomas Mraz <tmraz@fedoraproject.org>	2020-11-04 11:49:30 +0100
committer	Tomas Mraz <tmraz@fedoraproject.org>	2020-11-05 09:40:39 +0100
commit	ecd526743a27157c5210b0ce9867c43a2fa27784 (patch)
tree	6ba98dc48eda4275945441885f368283eb56de94 /modules/pam_env
parent	51318fd423a8ab4456a278ef0aff6ad449aab916 (diff)