Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 24523

Summary: su unable to propagate environment variables set by pam session when executing default shell
Product: Gentoo Linux Reporter: Ho Ming Shun <cyph>
Component: [OLD] Core systemAssignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED WORKSFORME    
Severity: minor CC: carenas, e.liubarskij, linuxlah, lisa, mike, mmacleod, ryan, swift
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 14560    

Description Ho Ming Shun 2003-07-15 07:52:58 UTC 
When su from an xterm to another user, pam_xauth is supposed to set XAUTHORITY.
However, this variable doesnt get propagated to the shell if su is simply
executing the default shell.

Reproducible: Always
Steps to Reproduce:
1. Open an xterm, with pam_xauth enabled.
2. su 
3. env

Actual Results:  
(no XAUTHORITY)

Expected Results:  
/root/.xauthxxxx

However, all is fine when you do a su -c 'bash'

I've found the problem: when you do a simple su without additional options,
shadow-4.0.3/libmisc/shell.c handles it. Otherwise, if options are specified to
be passed to the shell, shadow-4.0.3/src/su.c:762 is used.


The problem lies in shadow-4.0.3/libmisc/shell.c using char **newenvp as the
environment, instead of char **environ, which is being updated with variables
from pam_open_session at shadow-4.0.3/src/su.c:689.


A simple patch like this will solve the problem, but I am not sure if it is the
cleanest solution:

--- shadow-4.0.3/libmisc/shell.c.old	2003-07-15 21:56:05.000000000 +0800
+++ shadow-4.0.3/libmisc/shell.c	2003-07-15 22:04:54.000000000 +0800
@@ -39,6 +39,7 @@
 
 
 extern char **newenvp;
+extern char **environ;
 extern size_t newenvc;
 
 /*
@@ -84,7 +85,7 @@
 	 * grief.
 	 */
 
-	execle (file, arg, (char *) 0, newenvp);
+	execle (file, arg, (char *) 0, environ);
 	err = errno;
 
 	/* Linux handles #! in the kernel, and bash doesn't make
Comment 1 Lisa Seelye (RETIRED) gentoo-dev 2003-07-15 14:21:07 UTC 
Have you sent this patch upstream for consideration ?
Comment 2 Ho Ming Shun 2003-07-15 16:24:05 UTC 
No. Effects only become significant when shadow-4.0.3-su-pam_open_session.patch-v2 is applied. Otherwise only the setting of a safe IFS is non-functional. I would send a patch their way.

The current fix is a quick hack to get my X applications working in su'ed terminals. :>
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-03-15 12:01:00 UTC 
any news on this?
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-08-12 01:19:00 UTC 
we need to get this in the tree.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2004-09-09 04:59:43 UTC 
Is it difficult to propagate this in the tree? Or is there a cleaner solution coming up?
Comment 6 Martin Schlemmer (RETIRED) gentoo-dev 2005-02-13 08:32:45 UTC 
Have anybody tried with shadow-4.0.7 ?  From here it looks like XAUTHORITY at
least is updated properly.
Comment 7 Mohd. Jeffry 2005-05-24 23:24:00 UTC 
I've just installed gentoo stage3 using 2005.0 install cd. I think the problem
is still there. When I did a "su - someuser -c somecommand", it fail to use what
ever I've put in the "someuser" .bashrc or .bash_profile. 

I've describe the problem to my local gentoo group
http://groups.yahoo.com/group/mygentoo/message/569
Comment 8 Martin Schlemmer (RETIRED) gentoo-dev 2005-07-05 12:50:14 UTC 
Nobody still have come back to my request to test with shadow-4.0.7-r<latest>
(also would be nice to check it with pam-0.78-r2).
Comment 9 Carlo Marcelo Arenas Belon 2005-08-28 16:21:34 UTC 
not sure what xterm with pam enabled meant (as my xterm doesn't link to pam and
i wouldn't expect it to)

but trying to replicate the problem using pam-0.78-r2 (2005.0/2005.1) failed as
shown below :

carenas@laptop ~ $ su - -c 'set | grep [X]AUTHORITY'
Password: 
XAUTHORITY=/root/.xauthZFzHAV

carenas@laptop ~ $ su - -c 'bash -c "set | grep [X]AUTHORITY"'
Password: 
XAUTHORITY=/root/.xauthw8UMrG

carenas@laptop ~ $ su -
Password: 
laptop ~ # set | grep [X]AUTHORITY
XAUTHORITY=/root/.xauthNzzO1q
Comment 10 Ernestas Liubarskij 2006-02-05 03:50:05 UTC 
It works well with pam-0.78-r4 and shadow-4.0.14-r1:

martian@UFO ~ $ su -
Password:
UFO ~ # env|grep AUTH
XAUTHORITY=/root/.xauthfsNQtH
UFO ~ # emerge -pv pam shadow|grep -e pam -e shadow
[ebuild   R   ] sys-libs/pam-0.78-r4  USE="berkdb -nis -pam_chroot -pam_console -pam_timestamp -pwdb" 0 kB
[ebuild   R   ] sys-apps/shadow-4.0.14-r1  USE="nls pam -nousuid -skey" 0 kB

And when downgraded to pam-0.78-r4 and shadow 4.0.14-r1 I can't reproduce that bug again:

martian@UFO ~ $ su -
Password:
UFO ~ # env|grep AUTH
XAUTHORITY=/root/.xauthAzxh7A
UFO ~ # emerge -pv pam shadow|grep -e pam -e shadow
[ebuild     U ] sys-libs/pam-0.78-r4 [0.78-r2] USE="berkdb -nis -pam_chroot -pam_console -pam_timestamp -pwdb" 0 kB
[ebuild     U ] sys-apps/shadow-4.0.14-r1 [4.0.7-r4] USE="nls pam -nousuid -skey" 0 kB

So everything is working well here.
Comment 11 Ernestas Liubarskij 2006-02-05 03:53:27 UTC 
Sorry, made a little mistake:
"And when downgraded to pam-0.78-r4 and shadow 4.0.14-r1 I can't reproduce that
bug again:" should be "And when downgraded to pam-0.78-r2 and shadow 4.0.7-r4 I can't reproduce that bug again:"
Comment 12 Ernestas Liubarskij 2006-03-04 07:56:45 UTC 
shadow-4.0.3 isn't in portage anymore, and all available versions (both stable and unstable) are working fine.
Comment 13 Ernestas Liubarskij 2006-04-21 06:36:18 UTC 
Can anyone still reproduce this bug?
Comment 14 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 08:24:15 UTC 
*** Bug 14560 has been marked as a duplicate of this bug. ***
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 08:25:48 UTC 
Seems like this either fixed itself or anyway it's worked around, closing until proven wrong.