6.6. pam_env - set/unset environment variables

pam_env.so [ debug ] [ conffile=conf-file ] [ envfile=env-file ] [ readenv=0|1 ] [ user_envfile=env-file ] [ user_readenv=0|1 ]

6.6.1. DESCRIPTION

The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST.

By default rules for (un)setting of variables is taken from the config file /etc/security/pam_env.conf if no other file is specified.

This module can also parse a file with simple KEY=VAL pairs on separate lines (/etc/environment by default). You can change the default file to parse, with the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 respectively.

Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

6.6.2. DESCRIPTION

The /etc/security/pam_env.conf file specifies the environment variables to be set, unset or modified by pam_env(8). When someone logs in, this file is read and the environment variables are set according.

Each line starts with the variable name, there are then two possible options for each variable DEFAULT and OVERRIDE. DEFAULT allows and administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The OVERRIDE option tells pam_env that it should enter in its value (overriding the default value) if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done.

VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]

(Possibly non-existent) environment variables may be used in values using the ${string} syntax and (possibly non-existent) PAM_ITEMs may be used in values using the @{string} syntax. Both the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. For example, HOME is used below several times, but many PAM applications don't make it available by the time you need it.

The "#" character at start of line (no space at front) can be used to mark this line as a comment line.

The /etc/environment file specifies the environment variables to be set. The file must consist of simple NAME=VALUE pairs on separate lines. The pam_env(8) module will read the file after the pam_env.conf file.

6.6.3. OPTIONS

conffile=/path/to/pam_env.conf

Indicate an alternative pam_env.conf style configuration file to override the default. This can be useful when different services need different environments.

debug

A lot of debug information is printed with syslog(3).

envfile=/path/to/environment

Indicate an alternative environment file to override the default. This can be useful when different services need different environments.

readenv=0|1

Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on.

user_envfile=filename

Indicate an alternative .pam_environment file to override the default. This can be useful when different services need different environments. The filename is relative to the user home directory.

user_readenv=0|1

Turns on or off the reading of the user specific environment file. 0 is off, 1 is on. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator.

6.6.4. MODULE TYPES PROVIDED

The auth and session module types are provided.

6.6.5. RETURN VALUES

PAM_ABORT

Not all relevant data or options could be gotten.

PAM_BUF_ERR

Memory buffer error.

PAM_IGNORE

No pam_env.conf and environment file was found.

PAM_SUCCESS

Environment variables were set.

6.6.6. FILES

/etc/security/pam_env.conf

Default configuration file

/etc/environment

Default environment file

$HOME/.pam_environment

User specific environment file

6.6.7. EXAMPLES

These are some example lines which might be specified in /etc/security/pam_env.conf.

Set the REMOTEHOST variable for any hosts that are remote, default to "localhost" rather than not being set at all

      REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
    

Set the DISPLAY variable if it seems reasonable

      DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
    

Now some simple variables

      PAGER          DEFAULT=less
      MANPAGER       DEFAULT=less
      LESS           DEFAULT="M q e h15 z23 b80"
      NNTPSERVER     DEFAULT=localhost
      PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
      :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
    

Silly examples of escaped variables, just to show how they work.

      DOLLAR         DEFAULT=\$
      DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
      DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
      ATSIGN         DEFAULT=""      OVERRIDE=\@
    

6.6.8. AUTHOR

pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.