On Thu, 19 Dec 2024, Dmitry V. Levin wrote: > > We could potentially allow-list some variables, but I'd like to get > > some input from people who (for example) maintain PAM for distributions > > on what is acceptable. > > With my Linux-PAM hat on, the most essential difference between the > authenticated user code that currently gets the environment variables > listed in AcceptEnv, and the PAM modules session code that currently > doesn't get them, is that PAM modules session code is privileged, so extra > care should be taken not to forward there accidentally any environment > variables that could affect that privileged code in an unintended way. > > While XDG_SESSION_CLASS and XDG_SESSION_TYPE variables mentioned by Michal > are harmless, those LC_* variables AcceptEnv'ed in many default setups are > also likely to be OK, allowing arbitrary variables listed in AcceptEnv > could be risky given that some PAM session modules like pam_namespace and > pam_exec invoke external executables and could be affected by e.g. LD_* > variables. > > If we're aiming for flexibility without sacrificing security, then a new > sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify > what is allowed to be forwarded to the PAM session modules. Thanks for chiming in. How about we accept variables from a narrow allow- list (XDG_SESSION_CLASS/TYPE, LC_*) for now and see how it goes? -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev