From ecd526743a27157c5210b0ce9867c43a2fa27784 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 4 Nov 2020 11:49:30 +0100
Subject: pam_env: deprecation notice of reading the user environment
* modules/pam_env/pam_env.8.xml: Add the notice to the manual.
* modules/pam_env/pam_env.c (_pam_parse): Log deprecation warning if user_readenv is set.
---
 NEWS | 2 ++
 modules/pam_env/pam_env.8.xml | 5 +++++
 modules/pam_env/pam_env.c | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/NEWS b/NEWS
index 212419ad..d0f583e4 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,8 @@ Release 1.5.0
 * Removed deprecated pam_cracklib module, use pam_passwdqc (from passwdqc project) or pam_pwquality (from libpwquality project) instead.
 * Removed deprecated pam_tally and pam_tally2 modules, use pam_faillock instead.
+* pam_env: Reading of the user environment is deprecated and will be removed
+ at some point in the future.
 Release 1.4.0
 * Multiple minor bug fixes and documentation improvements
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 1e455576..75ff862b 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -163,6 +163,11 @@
 behavior of subsequent modules in the stack without the consent of the system administrator.
+
+ Due to problematic security this functionality is deprecated
+ since the 1.5.0 version and will be removed completely at some
+ point in the future.
+
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 4aa3777f..f5f8cead 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -120,6 +120,9 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
 }
+ if (*user_readenv)
+ pam_syslog(pamh, LOG_DEBUG, "deprecated reading of user environment enabled");
+
 return ctrl;
 }
-- 
cgit v1.2.3
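Review bot: The deprecation notice in the pam_env.c hunk is logged at LOG_DEBUG, which default syslog/journal configurations typically do not retain, so the administrators this warning is aimed at will almost never see it even though the same commit's manual text calls the feature a security problem slated for removal. The neighbouring "unknown option" message in this function already uses LOG_ERR, so a visible priority is consistent with local style; I would change the new call to `pam_syslog(pamh, LOG_WARNING, "deprecated reading of user environment enabled");` (LOG_NOTICE if repetition on every PAM invocation is a concern, since _pam_parse appears to run per call). The message could also name the option that triggered it, e.g. `"user_readenv is deprecated and will be removed in a future release"`, so that an admin reading the log knows what to change in the PAM configuration. The check dereferences `*user_readenv` without a NULL guard; the parameter's declaration is outside the hunk, so whether callers can pass NULL cannot be verified here. _pam_parse's signature and body begin before this hunk.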