authorThorsten Kukuk <kukuk@thkukuk.de>2015-03-25 14:49:46 +0100
committerThorsten Kukuk <kukuk@thkukuk.de>2015-03-25 14:49:46 +0100
commit73bdfac8c091492f466342feb8f2f5daa2f4c39b (patch)
treef47dabe5c93ecd4b9aafef62d7931699424815df /modules/pam_env
parent7b39983f3a7b5e7522f1672e49dcbfe579f0228f (diff)
pam_env: expand @{HOME} and @{SHELL} and enhance documentation
(Ticket#24 and #29) * modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries * modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL} * modules/pam_env/pam_env.8.xml: Enhance documentation
Diffstat (limited to 'modules/pam_env')
-rw-r--r--modules/pam_env/pam_env.8.xml39
-rw-r--r--modules/pam_env/pam_env.c15
-rw-r--r--modules/pam_env/pam_env.conf.5.xml11
3 files changed, 46 insertions, 19 deletions
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 309643fd..6eac6c8d 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -53,17 +53,23 @@
<emphasis>PAM_RHOST</emphasis>.
</para>
<para>
- By default rules for (un)setting of variables is taken from the
- config file <filename>/etc/security/pam_env.conf</filename> if
- no other file is specified.
+ By default rules for (un)setting of variables are taken from the
+ config file <filename>/etc/security/pam_env.conf</filename>. An
+ alternate file can be specified with the <emphasis>conffile</emphasis>
+ option.
</para>
<para>
- This module can also parse a file with simple
- <emphasis>KEY=VAL</emphasis> pairs on separate lines
- (<filename>/etc/environment</filename> by default). You can
- change the default file to parse, with the <emphasis>envfile</emphasis>
- flag and turn it on or off by setting the <emphasis>readenv</emphasis>
- flag to 1 or 0 respectively.
+ Second a file (<filename>/etc/environment</filename> by default) with simple
+ <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read.
+ With the <emphasis>envfile</emphasis> option an alternate file can be specified.
+ And with the <emphasis>readenv</emphasis> option this can be completly disabled.
+ </para>
+ <para>
+ Third it will read a user configuration file
+ (<filename>$HOME/.pam_environment</filename> by default).
+ The default file file can be changed with the
+ <emphasis>user_envfile</emphasis> option
+ and it can be turned on and off with the <emphasis>user_readenv</emphasis> option.
</para>
<para>
Since setting of PAM environment variables can have side effects
@@ -107,8 +113,11 @@
<listitem>
<para>
Indicate an alternative <filename>environment</filename>
- file to override the default. This can be useful when different
- services need different environments.
+ file to override the default. The syntax are simple
+ <emphasis>KEY=VAL</emphasis> pairs on separate lines. The
+ <emphasis>export</emphasis> instruction can be specified for bash
+ compatibility, but will be ignored.
+ This can be useful when different services need different environments.
</para>
</listitem>
</varlistentry>
@@ -133,9 +142,11 @@
<listitem>
<para>
Indicate an alternative <filename>.pam_environment</filename>
- file to override the default. This can be useful when different
- services need different environments. The filename is relative to
- the user home directory.
+ file to override the default.The syntax is the same as
+ for <emphasis>/etc/environment</emphasis>.
+ The filename is relative to the user home directory.
+ This can be useful when different services need different
+ environments.
</para>
</listitem>
</varlistentry>
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index e04f5b53..1bfdf089 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -676,7 +676,7 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
const void *itemval;
D(("Called."));
- if (strcmp(name, "PAM_USER") == 0) {
+ if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) {
item = PAM_USER;
} else if (strcmp(name, "PAM_USER_PROMPT") == 0) {
item = PAM_USER_PROMPT;
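Review bot: The widened condition routes `HOME` and `SHELL` through the `PAM_USER` item without saying why, and the passwd lookup that turns that user name into `pw_dir`/`pw_shell` sits about twenty lines further down in the same function, so a reader of this branch alone cannot see the connection. A short comment on the `if` would make the dependency explicit: `/* HOME and SHELL are derived from PAM_USER's passwd entry (see below) */`. The body of `_pam_get_item_byname` starts and ends outside this hunk.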
@@ -696,6 +696,19 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
D(("pam_get_item failed"));
return NULL; /* let pam_get_item() log the error */
}
+
+ if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) {
+ struct passwd *user_entry;
+ user_entry = pam_modutil_getpwnam (pamh, (char *) itemval);
+ if (!user_entry) {
+ pam_syslog(pamh, LOG_ERR, "No such user!?");
+ return NULL;
+ }
+ return (strcmp(name, "SHELL") == 0) ?
+ user_entry->pw_shell :
+ user_entry->pw_dir;
+ }
+
D(("Exit."));
return itemval;
}
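Review bot: The `(char *) itemval` cast passed to `pam_modutil_getpwnam` strips the `const` from a `const void *`; since the callee takes a `const char *`, the cast is not needed at all, or at most `(const char *) itemval`, and dropping the `char *` avoids a write-through-const hazard should the argument ever be reused. The `"No such user!?"` log line gives an administrator nothing to act on; naming the variable being expanded and the user that was looked up, e.g. `pam_syslog(pamh, LOG_ERR, "No passwd entry for user \"%s\" while expanding @{%s}", (const char *) itemval, name);`, keeps the message useful when `@{HOME}` or `@{SHELL}` silently fails to expand. Presumably `pw_dir`/`pw_shell` can be empty strings for some accounts; whether an empty expansion is acceptable depends on the substitution code outside this hunk and may deserve a comment. The start of `_pam_get_item_byname` lies outside the hunk.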
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index 45950b8c..4040275a 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -43,14 +43,16 @@
<para>
(Possibly non-existent) environment variables may be used in values
- using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
- be used in values using the @{string} syntax. Both the $ and @
- characters can be backslash escaped to be used as literal values
+ using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well
+ as HOME and SHELL may be used in values using the @{string} syntax. Both
+ the $ and @ characters can be backslash escaped to be used as literal values
values can be delimited with "", escaped " not supported.
Note that many environment variables that you would like to use
may not be set by the time the module is called.
- For example, HOME is used below several times, but
+ For example, ${HOME} is used below several times, but
many PAM applications don't make it available by the time you need it.
+ The special variables @{HOME} and @{SHELL} are expanded to the values
+ for the user from his <emphasis>passwd</emphasis> entry.
</para>
<para>
@@ -92,6 +94,7 @@
NNTPSERVER DEFAULT=localhost
PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+ XDG_DATA_HOME @{HOME}/share/
</programlisting>
<para>