Bugzilla – Full Text Bug Listing
| Summary: | Spurious pam_systemd(sudo:session) message about non-existing environment entry XDG_RUNTIME_DIR | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 13.1 | Reporter: | Claude Diderich <claude.diderich> |
| Component: | Security | Assignee: | systemd maintainers <systemd-maintainers> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Minor | | |
| Priority: | P5 - None | CC: | auxsvr, martin.jedamzik, meissner, pwieczorkiewicz, thomas.blume, werner |
| Version: | Final | | |
| Target Milestone: | --- | | |
| Hardware: | x86-64 | | |
| OS: | openSUSE 13.1 | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | sudo -V | | |
-> systemd bug

This problem is introduced with the patch 1012-pam_systemd_do_override_XDG_RUNTIME_DIR_of_the_original_user.patch.
I think it would be best to add a check for both env and pam_env, i.e. use getenv() and pam_getenv() to check whether the variable XDG_RUNTIME_DIR is not empty, and only then remove it.
I mean in the following part of the patch:
+ } else {
+ (void) unsetenv("XDG_RUNTIME_DIR");
+ r = pam_putenv(handle, "XDG_RUNTIME_DIR");
+ if (r != PAM_SUCCESS && r != PAM_BAD_ITEM) {
+ pam_syslog(handle, LOG_ERR, "Failed to unset runtime dir.");
+ }
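Review bot: Tolerating PAM_BAD_ITEM after the fact does not suppress the log line this bug is about, because the message in the report is prefixed "pam_putenv:", i.e. pam_putenv() emits "delete non-existing entry; XDG_RUNTIME_DIR" itself before returning PAM_BAD_ITEM, so every root session that has no such PAM entry still logs it. Guard the PAM-side delete with the check suggested above, e.g. `if (pam_getenv(handle, "XDG_RUNTIME_DIR") != NULL) r = pam_putenv(handle, "XDG_RUNTIME_DIR");`, after which any return other than PAM_SUCCESS is a genuine error and should not be ignored. The unsetenv() call needs no guard, since unsetting a variable that is not set is a no-op. As a style point, the error message should include pam_strerror(handle, r) so a real failure can be diagnosed from syslog.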
Upstream is a bit different in this regard and does not contain the above.
The problem is: if XDG_RUNTIME_DIR is set, then the upstream code does exactly nothing, which leads to the fact that if xdg-su is called for e.g. pulseaudio, there will be a root-owned directory below $XDG_RUNTIME_DIR, which is the user's and not root's. If only pam_putenv() is used to remove the XDG_RUNTIME_DIR variable, nothing happens, and this is the reason *why* I have added unsetenv(): to make sure that root does *never* use the user's $XDG_RUNTIME_DIR.

To be consistent with the requirement Werner Fink describes and to avoid the error message, shouldn't the code be amended as follows?
- (void) unsetenv("XDG_RUNTIME_DIR");
+ if(getenv("XDG_RUNTIME_DIR") != NULL) {
+ (void) unsetenv("XDG_RUNTIME_DIR");
+ }
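Review bot: This guard only touches the process environment and so does not address the reported message: the log line in this bug is prefixed "pam_putenv:", i.e. it comes from the `pam_putenv(handle, "XDG_RUNTIME_DIR")` delete on the PAM environment, which this hunk leaves unchanged. Moreover, unsetenv() of a variable that is not set already does nothing, so wrapping it in `if(getenv("XDG_RUNTIME_DIR") != NULL)` changes no observable behaviour. The equivalent check belongs on the PAM side, `if (pam_getenv(handle, "XDG_RUNTIME_DIR") != NULL)` around the pam_putenv() delete. Minor style: `if(` should be `if (` to match the surrounding code.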
(In reply to comment #4)
> To be consistent with the requirement Werner Fink describes and to avoid the
> error message, shouldn't the code be amended as follows?
>
> - (void) unsetenv("XDG_RUNTIME_DIR");
>
> + if(getenv("XDG_RUNTIME_DIR") != NULL) {
> + (void) unsetenv("XDG_RUNTIME_DIR");
> + }

Yea, this is basically what I wrote, but since the warning comes from pam_putenv(), it should also be covered with a similar check.

openSUSE-RU-2015:0823-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 855160,922536
CVE References:
Sources used:
openSUSE 13.1 (src): systemd-208-35.1, systemd-mini-208-35.1, systemd-rpm-macros-2-35.1

closing as fixed
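The thread above settles on one rule: a root session must never inherit the user's XDG_RUNTIME_DIR, so the variable has to be removed from both the process environment and the PAM environment, but each delete must be preceded by a presence check, because the PAM-side delete is what logs the spurious notice. The following is an added example, not code from systemd, Linux-PAM or the openSUSE patch. The process environment is the real one (libc getenv/setenv/unsetenv); the PAM environment is a small stand-in that mimics the pam_putenv() behaviour visible in this report ("NAME=VALUE" sets, a bare "NAME" deletes, deleting an absent entry logs "pam_putenv: delete non-existing entry; NAME" and returns PAM_BAD_ITEM). The names pam_env_t, fake_pam_getenv, fake_pam_putenv, clear_runtime_dir_unguarded, clear_runtime_dir_guarded and run_scenario, and the sample value /run/user/1000, are assumptions made for this example.

```c
/* Added example, not systemd or openSUSE code: shows why clearing
 * XDG_RUNTIME_DIR for a root session needs a presence check in BOTH the
 * process environment (real libc getenv/unsetenv) and the PAM environment
 * (stand-in below; pam_env_t/fake_pam_getenv/fake_pam_putenv are names
 * assumed for this example, mimicking Linux-PAM's pam_putenv() semantics). */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS  0
#define PAM_BUF_ERR  5
#define PAM_BAD_ITEM 29          /* values as in Linux-PAM's _pam_types.h */
#define PAM_ENV_MAX  16

typedef struct {
    char *entries[PAM_ENV_MAX];  /* "NAME=VALUE" strings, NULL-terminated */
    int log_count;               /* "delete non-existing entry" lines emitted */
} pam_env_t;

/* Index of the entry named by the first `len` bytes of `name`, or -1. */
static int env_find(const pam_env_t *env, const char *name, size_t len)
{
    for (int i = 0; env->entries[i]; i++)
        if (strncmp(env->entries[i], name, len) == 0 && env->entries[i][len] == '=')
            return i;
    return -1;
}

/* Stand-in for pam_getenv(): value of NAME in the PAM environment, or NULL. */
static const char *fake_pam_getenv(const pam_env_t *env, const char *name)
{
    int i = env_find(env, name, strlen(name));
    return i < 0 ? NULL : env->entries[i] + strlen(name) + 1;
}

/* Stand-in for pam_putenv(): "NAME=VALUE" sets or replaces, a bare "NAME"
 * deletes; deleting an absent entry logs and returns PAM_BAD_ITEM. */
static int fake_pam_putenv(pam_env_t *env, const char *name_value)
{
    const char *eq = strchr(name_value, '=');
    size_t len = eq ? (size_t)(eq - name_value) : strlen(name_value);
    int i = env_find(env, name_value, len);

    if (eq == NULL) {                        /* delete request */
        if (i < 0) {
            /* The notice this bug report is about. */
            fprintf(stderr, "pam_putenv: delete non-existing entry; %s\n", name_value);
            env->log_count++;
            return PAM_BAD_ITEM;
        }
        free(env->entries[i]);
        do {                                 /* close the gap, keep the NULL end */
            env->entries[i] = env->entries[i + 1];
        } while (env->entries[i++] != NULL);
        return PAM_SUCCESS;
    }
    char *copy = malloc(strlen(name_value) + 1);
    if (copy == NULL)
        return PAM_BUF_ERR;
    strcpy(copy, name_value);
    if (i >= 0) {                            /* replace existing value */
        free(env->entries[i]);
        env->entries[i] = copy;
        return PAM_SUCCESS;
    }
    int count = 0;
    while (env->entries[count])
        count++;
    if (count + 1 >= PAM_ENV_MAX) {
        free(copy);
        return PAM_BUF_ERR;
    }
    env->entries[count] = copy;
    env->entries[count + 1] = NULL;
    return PAM_SUCCESS;
}

/* Unguarded clearing, as in the openSUSE patch: unsetenv() on a missing
 * variable is a silent no-op, but the PAM-side delete logs when absent. */
static int clear_runtime_dir_unguarded(pam_env_t *pam)
{
    (void) unsetenv("XDG_RUNTIME_DIR");
    int r = fake_pam_putenv(pam, "XDG_RUNTIME_DIR");
    return (r != PAM_SUCCESS && r != PAM_BAD_ITEM) ? r : PAM_SUCCESS;
}

/* Guarded clearing: delete only what is present, in each environment. */
static int clear_runtime_dir_guarded(pam_env_t *pam)
{
    if (getenv("XDG_RUNTIME_DIR") != NULL)
        (void) unsetenv("XDG_RUNTIME_DIR");
    if (fake_pam_getenv(pam, "XDG_RUNTIME_DIR") != NULL)
        return fake_pam_putenv(pam, "XDG_RUNTIME_DIR");
    return PAM_SUCCESS;
}

/* Seed both environments (or neither), run one variant and return the number
 * of spurious log lines, or -1 if the user's directory survived anywhere. */
static int run_scenario(int present, int guarded)
{
    pam_env_t pam = { { NULL }, 0 };
    if (present) {   /* "/run/user/1000" is a constructed sample value */
        setenv("XDG_RUNTIME_DIR", "/run/user/1000", 1);
        fake_pam_putenv(&pam, "XDG_RUNTIME_DIR=/run/user/1000");
    } else {
        unsetenv("XDG_RUNTIME_DIR");
    }
    int r = guarded ? clear_runtime_dir_guarded(&pam) : clear_runtime_dir_unguarded(&pam);
    int leaked = getenv("XDG_RUNTIME_DIR") || fake_pam_getenv(&pam, "XDG_RUNTIME_DIR");
    for (int i = 0; pam.entries[i]; i++)
        free(pam.entries[i]);
    return (r != PAM_SUCCESS || leaked) ? -1 : pam.log_count;
}

int main(void)
{
    printf("unguarded/absent: %d, guarded/absent: %d, guarded/present: %d spurious log line(s)\n",
           run_scenario(0, 0), run_scenario(0, 1), run_scenario(1, 1));
    return 0;
}
```

Running it shows the unguarded variant logging once whenever the PAM entry is absent (a root login that never had the variable), while the guarded variant logs nothing and still leaves neither environment carrying the user's directory. In a real module the stand-in calls map onto pam_getenv(handle, name) and pam_putenv(handle, name) from <security/pam_modules.h>.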
Created attachment 571563 [details]
sudo -V

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0

When executing the command 'sudo zypper ps' or any other command related to sudo and su, the following message is logged through syslog:

[date] [hostname] sudo: pam_systemd(sudo:session): pam_putenv: delete non-existing entry; XDG_RUNTIME_DIR

The command is executed correctly.

Reproducible: Always

Steps to Reproduce:
1. sudo zypper ps
2.
3.

Actual Results:
Message [date] [hostname] sudo: pam_systemd(sudo:session): pam_putenv: delete non-existing entry; XDG_RUNTIME_DIR is logged to syslog

Expected Results:
No message is logged to syslog

Kernel: Linux 3.11.6-4-default #1 SMP