1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
pam_env — PAM module to set/unset environment variables
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DESCRIPTION
The pam_env PAM module allows the (un)setting of environment variables.
Supported is the use of previously set environment variables as well as
PAM_ITEMs such as PAM_RHOST.
Rules for (un)setting of variables can be defined in an own config file. The
path to this file can be specified with the conffile option. If this file does
not exist, the default rules are taken from the config files /etc/security/
pam_env.conf and /etc/security/pam_env.conf.d/*.conf. If the file /etc/security
/pam_env.conf does not exist, the rules are taken from the files %vendordir%/
security/pam_env.conf, %vendordir%/security/pam_env.conf.d/*.conf and /etc/
security/pam_env.conf.d/*.conf in that order.
By default rules for (un)setting of variables are taken from the config file /
etc/security/pam_env.conf. If this file does not exist %vendordir%/security/
pam_env.conf is used. An alternate file can be specified with the conffile
option, which overrules all other files.
By default rules for (un)setting of variables are taken from the config file /
etc/security/pam_env.conf. An alternate file can be specified with the conffile
option.
Environment variables can be defined in a file with simple KEY=VAL pairs on
separate lines. The path to this file can be specified with the envfile option.
If this file has not been defined, the settings are read from the files /etc/
security/environment and /etc/security/environment.d/*. If the file /etc/
environment does not exist, the settings are read from the files %vendordir%/
environment, %vendordir%/environment.d/* and /etc/environment.d/* in that
order. And last but not least, with the readenv option this mechanism can be
completely disabled.
Second a file (/etc/environment by default) with simple KEY=VAL pairs on
separate lines will be read. If this file does not exist, %vendordir%/etc/
environment is used. With the envfile option an alternate file can be
specified, which overrules all other files. And with the readenv option this
can be completely disabled.
Second a file (/etc/environment by default) with simple KEY=VAL pairs on
separate lines will be read. With the envfile option an alternate file can be
specified. And with the readenv option this can be completely disabled.
Third it will read a user configuration file ($HOME/.pam_environment by
default). The default file can be changed with the user_envfile option and it
can be turned on and off with the user_readenv option.
Since setting of PAM environment variables can have side effects to other
modules, this module should be the last one on the stack.
OPTIONS
conffile=/path/to/pam_env.conf
Indicate an alternative pam_env.conf style configuration file to override
the default. This can be useful when different services need different
environments.
debug
A lot of debug information is printed with syslog(3).
envfile=/path/to/environment
Indicate an alternative environment file to override the default. The
syntax are simple KEY=VAL pairs on separate lines. The export instruction
can be specified for bash compatibility, but will be ignored. This can be
useful when different services need different environments.
readenv=0|1
Turns on or off the reading of the file specified by envfile (0 is off, 1
is on). By default this option is on.
user_envfile=filename
Indicate an alternative .pam_environment file to override the default.The
syntax is the same as for /etc/security/pam_env.conf. The filename is
relative to the user home directory. This can be useful when different
services need different environments.
user_readenv=0|1
Turns on or off the reading of the user specific environment file. 0 is
off, 1 is on. By default this option is off as user supplied environment
variables in the PAM environment could affect behavior of subsequent
modules in the stack without the consent of the system administrator.
Due to problematic security this functionality is deprecated since the
1.5.0 version and will be removed completely at some point in the future.
EXAMPLES
These are some example lines which might be specified in /etc/security/
pam_env.conf.
Set the REMOTEHOST variable for any hosts that are remote, default to
"localhost" rather than not being set at all
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
Set the DISPLAY variable if it seems reasonable
DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
Now some simple variables
PAGER DEFAULT=less
MANPAGER DEFAULT=less
LESS DEFAULT="M q e h15 z23 b80"
NNTPSERVER DEFAULT=localhost
PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
XDG_DATA_HOME DEFAULT=@{HOME}/share/
Silly examples of escaped variables, just to show how they work.
DOLLAR DEFAULT=\$
DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN DEFAULT="" OVERRIDE=\@
|