
PAM_USER environment variable is not set when using pam_exec module #1882

Closed
gdemoya opened this issue May 11, 2021 · 2 comments · Fixed by #1883

gdemoya commented May 11, 2021

Description

Trying to integrate xrdp with a custom auth method using a script launched by the pam_exec.so module, I've found that the PAM_USER environment variable is not set when launching an executable with pam_exec.

The PAM_RHOST and PAM_RUSER environment variables of the pam_exec.so module are not set either.

The variables set in the script environment are:

*** Tue May 11 08:29:27 2021
Enviroment variables:
PAM_TTY=xrdp-sesman
PWD=/
PAM_SERVICE=xrdp-sesman
SHLVL=1
PAM_TYPE=auth
_=/usr/bin/env

Solution for PAM_USER env var

Digging a bit in the source code, I've found that the user is not being sent to the pam_start function as the PAM documentation defines; a '0' is sent instead.

You can fix this issue by changing line 129 of the sesman/verify_user_pam.c file:

--- error = pam_start(service_name, 0, &(auth_info->pamc), &(auth_info->ph));
+++ error = pam_start(service_name, user, &(auth_info->pamc), &(auth_info->ph));

Replicate error

1. Install any version of xrdp in any OS

2. Configure PAM

2.1 Add the following line to the file /etc/pam.d/common-auth

auth sufficient pam_exec.so log=/var/log/pam.log /usr/local/bin/print-env.sh

2.2 Create script /usr/local/bin/print-env.sh with the following content:

#!/bin/bash
#

echo "Enviroment variables:"
env

2.3 Give executable permissions to the script

chmod +x /usr/local/bin/print-env.sh

3. Log in with any user with xrdp (can fail)

4. Check the environment variables that have been set

Resources
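One way to consume these variables from a pam_exec.so helper, as an added example that is not part of this issue or of the xrdp code base: the script fails closed whenever PAM_USER is absent (the state this issue describes) instead of exiting 0 like the diagnostic print-env.sh above, which behind an `auth sufficient` line would make authentication succeed for any login. The allow-list, the helper names and the use of PAM_TYPE as the "running under pam_exec" marker are assumptions for the example.

```sh
#!/bin/sh
# Added example pam_exec.so helper (not from the xrdp issue or repository).
# Assumes pam_exec.so exports PAM_USER, PAM_TYPE and PAM_SERVICE into the
# environment, as documented for that module.
# Exit status contract: 0 = PAM_SUCCESS, anything else = authentication failure.

# Constructed allow-list for the example; a real deployment would read a
# root-owned file instead.
ALLOWED_USERS="alice bob"

# Accept only a conservative login-name shape so the value is safe to log and compare.
pam_user_is_valid() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Decide the auth result from the pam_exec environment.
# Args: $1 = PAM_TYPE, $2 = PAM_USER, $3 = PAM_SERVICE (passed explicitly so
# the logic can be exercised without a PAM stack).
pam_exec_decide() {
    type=$1; user=$2; service=$3
    # Only the auth phase is handled here; refuse to act in any other phase.
    [ "$type" = "auth" ] || { echo "ignoring PAM_TYPE=$type" >&2; return 1; }
    # The failure mode from this issue: PAM_USER never exported. Refuse rather
    # than guess; an "auth sufficient" line would otherwise grant access.
    if [ -z "$user" ]; then
        echo "PAM_USER unset for service=$service; failing closed" >&2
        return 1
    fi
    pam_user_is_valid "$user" || { echo "malformed PAM_USER value" >&2; return 1; }
    for allowed in $ALLOWED_USERS; do
        [ "$allowed" = "$user" ] && return 0
    done
    echo "user=$user not permitted via service=$service" >&2
    return 1
}

# Entry point when actually invoked by pam_exec.so (PAM_TYPE is always set
# there); skipped when the file is sourced for testing.
if [ -n "${PAM_TYPE:-}" ]; then
    pam_exec_decide "$PAM_TYPE" "${PAM_USER:-}" "${PAM_SERVICE:-}"
    exit $?
fi
```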

matt335672 (Member) commented

Hi @gdemoya

Thanks for raising this.

I've had a look at the code, and the way it seems to be working at present is that existing pam routines are calling pam_get_user(3) to find the username. Since PAM_USER isn't set, this calls the application back via the pam_conv routine to query the username. This does mean that PAM_USER won't be available until pam_get_user() is called.

I can't see any reason for this - there's nothing in the repo history to suggest why it should be necessary, as the username is known when pam_start() is called.

As regards the other two:

  • For the casual reader, more info is available in pam_set_item(3)
  • PAM_RUSER isn't in general going to be possible to set - this information isn't necessarily sent in the security exchange between the client and the server.
  • PAM_RHOST will be possible, but it needs a bit of work. The remote connection info is passed from the xrdp process to the sesman process, but it's not currently in a useful state.

What's your actual requirement at this point? Is getting PAM_USER set adequate for you? If so we can do that relatively quickly and then turn this issue into a feature request to set PAM_RHOST.

gdemoya (Author) commented May 11, 2021

Hi @matt335672

Thank you for your response.

I agree that there doesn't seem to be any reason why the user is not being sent to the pam_start function, even the verify_user_pam_userpass.c library keeps invoking it with the user.

Regarding your question, yes, I only need the PAM_USER variable, so we can proceed as you say 😄

gdemoya changed the title from "PAM_USER environment variables is not set when using pam_exec module" to "PAM_USER environment variable is not set when using pam_exec module" on May 11, 2021
matt335672 linked a pull request on Jun 11, 2021 that will close this issue