From 73bdfac8c091492f466342feb8f2f5daa2f4c39b Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Wed, 25 Mar 2015 14:49:46 +0100
Subject: pam_env: expand @{HOME} and @{SHELL} and enhance documentation (Ticket#24 and #29)

* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation
---
modules/pam_env/pam_env.8.xml | 39 ++++++++++++++++++++++++--------------
modules/pam_env/pam_env.c | 15 ++++++++++++++-
modules/pam_env/pam_env.conf.5.xml | 11 +++++++----
3 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index 309643fd..6eac6c8d 100644
--- a/modules/pam_env/pam_env.8.xml
+++ b/modules/pam_env/pam_env.8.xml
@@ -53,17 +53,23 @@
 PAM_RHOST.
- By default rules for (un)setting of variables is taken from the
- config file /etc/security/pam_env.conf if
- no other file is specified.
+ By default rules for (un)setting of variables are taken from the
+ config file /etc/security/pam_env.conf. An
+ alternate file can be specified with the conffile
+ option.
- This module can also parse a file with simple
- KEY=VAL pairs on separate lines
- (/etc/environment by default). You can
- change the default file to parse, with the envfile
- flag and turn it on or off by setting the readenv
- flag to 1 or 0 respectively.
+ Second a file (/etc/environment by default) with simple
+ KEY=VAL pairs on separate lines will be read.
+ With the envfile option an alternate file can be specified.
+ And with the readenv option this can be completly disabled.
+
+
+ Third it will read a user configuration file
+ ($HOME/.pam_environment by default).
+ The default file file can be changed with the
+ user_envfile option
+ and it can be turned on and off with the user_readenv option.
 Since setting of PAM environment variables can have side effects
@@ -107,8 +113,11 @@
 Indicate an alternative environment
- file to override the default. This can be useful when different
- services need different environments.
+ file to override the default. The syntax are simple
+ KEY=VAL pairs on separate lines. The
+ export instruction can be specified for bash
+ compatibility, but will be ignored.
+ This can be useful when different services need different environments.
@@ -133,9 +142,11 @@
 Indicate an alternative .pam_environment
- file to override the default. This can be useful when different
- services need different environments. The filename is relative to
- the user home directory.
+ file to override the default.The syntax is the same as
+ for /etc/environment.
+ The filename is relative to the user home directory.
+ This can be useful when different services need different
+ environments.
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index e04f5b53..1bfdf089 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -676,7 +676,7 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
 const void *itemval;
 D(("Called."));
- if (strcmp(name, "PAM_USER") == 0) {
+ if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) {
 item = PAM_USER;
 } else if (strcmp(name, "PAM_USER_PROMPT") == 0) {
 item = PAM_USER_PROMPT;
@@ -696,6 +696,19 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name)
 D(("pam_get_item failed"));
 return NULL; /* let pam_get_item() log the error */
 }
+
+ if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) {
+ struct passwd *user_entry;
+ user_entry = pam_modutil_getpwnam (pamh, (char *) itemval);
+ if (!user_entry) {
+ pam_syslog(pamh, LOG_ERR, "No such user!?");
+ return NULL;
+ }
+ return (strcmp(name, "SHELL") == 0) ?
+ user_entry->pw_shell :
+ user_entry->pw_dir;
+ }
+
 D(("Exit."));
 return itemval;
 }
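Review bot: The new lookup branch in the second pam_env.c hunk hands back `user_entry->pw_dir` / `user_entry->pw_shell` straight from the passwd record without checking that the field is present; the login-shell field can legitimately be empty and some NSS backends return "" or NULL for these members, so `@{SHELL}` or `@{HOME}` can silently expand to nothing (the conf example `XDG_DATA_HOME @{HOME}/share/` would then yield `/share/`). How the caller treats a NULL return is outside this hunk, but if NULL already means "item unavailable" a guard like `const char *val = (strcmp(name, "SHELL") == 0) ? user_entry->pw_shell : user_entry->pw_dir;` followed by `return (val && *val) ? val : NULL;` would make a missing passwd field behave like a missing item instead of an empty string. The error log `"No such user!?"` also fires when `pam_modutil_getpwnam` fails for reasons other than a non-existent account (NSS or allocation errors) and does not name the user, which makes it hard to act on in an incident review; `pam_syslog(pamh, LOG_ERR, "cannot resolve passwd entry for user %s", (const char *) itemval);` is more useful. The `(char *)` cast on the `pam_modutil_getpwnam` argument discards the `const` of `itemval` for no reason and should be `(const char *)`. `_pam_get_item_byname` begins before the first hunk; only its tail is visible here.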
diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml
index 45950b8c..4040275a 100644
--- a/modules/pam_env/pam_env.conf.5.xml
+++ b/modules/pam_env/pam_env.conf.5.xml
@@ -43,14 +43,16 @@
 (Possibly non-existent) environment variables may be used in values
- using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
- be used in values using the @{string} syntax. Both the $ and @
- characters can be backslash escaped to be used as literal values
+ using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well
+ as HOME and SHELL may be used in values using the @{string} syntax. Both
+ the $ and @ characters can be backslash escaped to be used as literal values
 values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called.
- For example, HOME is used below several times, but
+ For example, ${HOME} is used below several times, but
 many PAM applications don't make it available by the time you need it.
+ The special variables @{HOME} and @{SHELL} are expanded to the values
+ for the user from his passwd entry.
@@ -92,6 +94,7 @@ NNTPSERVER DEFAULT=localhost
 PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
 :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+ XDG_DATA_HOME @{HOME}/share/
-- cgit v1.2.3