pam_env.so [
debug
] [
conffile=conf-file
] [
envfile=env-file
] [
readenv=0|1
] [
user_envfile=env-file
] [
user_readenv=0|1
]
The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST.
Rules for (un)setting of variables can be defined in an own config
file. The path to this file can be specified with the
conffile option.
If this file does not exist, the default rules are taken from the
config files /etc/security/pam_env.conf and
/etc/security/pam_env.conf.d/*.conf.
If the file /etc/security/pam_env.conf does not
exist, the rules are taken from the files
%vendordir%/security/pam_env.conf,
%vendordir%/security/pam_env.conf.d/*.conf and
/etc/security/pam_env.conf.d/*.conf in that order.
By default rules for (un)setting of variables are taken from the
config file /etc/security/pam_env.conf.
If this file does not exist %vendordir%/security/pam_env.conf is used.
An alternate file can be specified with the conffile
option, which overrules all other files.
By default rules for (un)setting of variables are taken from the
config file /etc/security/pam_env.conf. An
alternate file can be specified with the conffile
option.
Environment variables can be defined in a file with simple KEY=VAL
pairs on separate lines. The path to this file can be specified with the
envfile option.
If this file has not been defined, the settings are read from the
files /etc/security/environment and
/etc/security/environment.d/*.
If the file /etc/environment does not exist, the
settings are read from the files %vendordir%/environment,
%vendordir%/environment.d/* and
/etc/environment.d/* in that order.
And last but not least, with the readenv option this mechanism can
be completely disabled.
Second a file (/etc/environment by default) with simple
KEY=VAL pairs on separate lines will be read.
If this file does not exist, %vendordir%/etc/environment is used.
With the envfile option an alternate file can be specified,
which overrules all other files.
And with the readenv option this can be completely disabled.
Second a file (/etc/environment by default) with simple
KEY=VAL pairs on separate lines will be read.
With the envfile option an alternate file can be specified.
And with the readenv option this can be completely disabled.
Third it will read a user configuration file
($HOME/.pam_environment by default).
The default file can be changed with the
user_envfile option
and it can be turned on and off with the user_readenv option.
Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
This module is only executed if the main application calls pam_setcred(3) or pam_open_session(3). The module does nothing and returns PAM_IGNORE if called by pam_authenticate(3).
The %vendordir%/security/pam_env.conf and
/etc/security/pam_env.conf files specify
the environment variables to be set, unset or modified by
pam_env(8).
When someone logs in, these files are read and the environment
variables are set according.
The /etc/security/pam_env.conf file specifies
the environment variables to be set, unset or modified by
pam_env(8).
When someone logs in, this file is read and the environment
variables are set according.
Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. When OVERRIDE is not used, "" is assumed and no override will be done.
VARIABLE
[DEFAULT=[value]]
[OVERRIDE=[value]]
(Possibly non-existent) environment variables may be used in values using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well as HOME and SHELL may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. For example, ${HOME} is used below several times, but many PAM applications don't make it available by the time you need it. The special variables @{HOME} and @{SHELL} are expanded to the values for the user from the corresponding passwd entry.
The "#" character at start of line (no space at front) can be used to mark this line as a comment line.
The %vendordir%/environment and /etc/environment files specify
the environment variables to be set. These files must consist of simple
NAME=VALUE pairs on separate lines.
The pam_env(8)
module will read these files after the pam_env.conf
file.
The /etc/environment file specifies
the environment variables to be set. The file must consist of simple
NAME=VALUE pairs on separate lines.
The pam_env(8)
module will read the file after the pam_env.conf
file.
Indicate an alternative pam_env.conf
style configuration file to override the default. This can
be useful when different services need different environments.
A lot of debug information is printed with syslog(3).
Indicate an alternative environment
file to override the default. The syntax are simple
KEY=VAL pairs on separate lines. The
export instruction can be specified for bash
compatibility, but will be ignored.
This can be useful when different services need different environments.
Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on.
Indicate an alternative .pam_environment
file to override the default. The syntax is the same as
for /etc/security/pam_env.conf.
The filename is relative to the user home directory.
This can be useful when different services need different
environments.
Turns on or off the reading of the user specific environment file. 0 is off, 1 is on. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator.
Due to problematic security this functionality is deprecated since the 1.5.0 version and will be removed completely at some point in the future.
Not all relevant data or options could be gotten.
Memory buffer error.
No pam_env.conf and environment file was found or the module got called by pam_authenticate(3).
Environment variables were set.
Default configuration file
Default environment file
User specific environment file
These are some example lines which might be specified in
/etc/security/pam_env.conf.
Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
Set the DISPLAY variable if it seems reasonable
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
Now some simple variables
PAGER DEFAULT=less
MANPAGER DEFAULT=less
LESS DEFAULT="M q e h15 z23 b80"
NNTPSERVER DEFAULT=localhost
PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
XDG_DATA_HOME DEFAULT=@{HOME}/share/
Silly examples of escaped variables, just to show how they work.
DOLLAR DEFAULT=\$
DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN DEFAULT="" OVERRIDE=\@