Upstream-Status: Backport

Fix for CVE-2010-4708

Change default for user_readenv to 0 and document the 
new default for user_readenv.

This fix is got from:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.c?r1=1.22&r2=1.23&view=patch
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/modules/pam_env
/pam_env.8.xml?r1=1.7&r2=1.8&view=patch

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>

---
--- a/modules/pam_env/pam_env.c	2012-09-05 13:57:47.000000000 +0800
+++ b/modules/pam_env/pam_env.c	2012-09-05 13:58:05.000000000 +0800
@@ -10,7 +10,7 @@
 #define DEFAULT_READ_ENVFILE    1
 
 #define DEFAULT_USER_ENVFILE    ".pam_environment"
-#define DEFAULT_USER_READ_ENVFILE 1
+#define DEFAULT_USER_READ_ENVFILE 0
 
 #include "config.h"
 
--- a/modules/pam_env/pam_env.8.xml	2012-09-05 13:58:24.000000000 +0800
+++ b/modules/pam_env/pam_env.8.xml	2012-09-05 13:59:36.000000000 +0800
@@ -147,7 +147,10 @@
         <listitem>
           <para>
             Turns on or off the reading of the user specific environment
-            file. 0 is off, 1 is on. By default this option is on.
+            file. 0 is off, 1 is on. By default this option is off as user
+            supplied environment variables in the PAM environment could affect
+            behavior of subsequent modules in the stack without the consent
+            of the system administrator.
           </para>
         </listitem>
       </varlistentry>