[sudo-users] sudo promotes breaking pam_env security model.

L. A. Walsh sudo at tlinx.org
Mon Aug 4 10:17:15 MDT 2014


In more than one place, sudo's instructions recommend re-using
the pam_env module to reset the user's environment.

Unfortunately, as is documented in the pam_env documentation,
it is only designed to be called upon initial access to a system --
not called to reinit the environment on every new sub-session.

Most glaringly, variables like "REMOTEHOST" and "DISPLAY" are
ONLY available upon initial access to the system.  Trying to run
pam_env after that will NOT reset those variables, because they
can only be set on initial entry to the system.

Already some vendors are following these suggestions and breaking
remote access. 

Various variables are tied to making remote access work.  REMOTEHOST
(a convention that has existed for 15 years, though not a standard),
and DISPLAY are two of them.  Others are for remote sound and
even remote 'dbus' access.  These cannot be reproduced by re-running
pam_env any more than one can restore 'TERM' from a local config
file.  If those variables are not preserved, remote access
breaks and tracking where someone logged in from becomes more
problematic. 

You don't clear 'TERM', so why clear DISPLAY, or other
remote values needed for continuity?



