1. Manuals
  2. Tumbleweed
  3. pam-manpages
  4. pam_env(8)

Scroll to navigation

PAM_ENV(8) Linux-PAM Manual PAM_ENV(8)

NAME

pam_env - PAM module to set/unset environment variables

SYNOPSIS

pam_env.so [debug] [conffile=conf-file] [envfile=env-file] [readenv=0|1] [user_envfile=env-file] [user_readenv=0|1]

DESCRIPTION

The pam_env PAM module allows the (un)setting of environment variables. Supported is the use of previously set environment variables as well as PAM_ITEMs such as PAM_RHOST.

Rules for (un)setting of variables can be defined in an own config file. The path to this file can be specified with the conffile option. If this file does not exist, the default rules are taken from the config files /etc/security/pam_env.conf and /etc/security/pam_env.conf.d/*.conf. If the file /etc/security/pam_env.conf does not exist, the rules are taken from the files /usr/etc/security/pam_env.conf, /usr/etc/security/pam_env.conf.d/*.conf and /etc/security/pam_env.conf.d/*.conf in that order.

Environment variables can be defined in a file with simple KEY=VAL pairs on separate lines. The path to this file can be specified with the envfile option. If this file has not been defined, the settings are read from the files /etc/security/environment and /etc/security/environment.d/*. If the file /etc/environment does not exist, the settings are read from the files /usr/etc/environment, /usr/etc/environment.d/* and /etc/environment.d/* in that order. And last but not least, with the readenv option this mechanism can be completely disabled.

Third it will read a user configuration file ($HOME/.pam_environment by default). The default file can be changed with the user_envfile option and it can be turned on and off with the user_readenv option.

Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

This module is only executed if the main application calls pam_setcred(3) or pam_open_session(3). The module does nothing and returns PAM_IGNORE if called by pam_authenticate(3).

OPTIONS

conffile=/path/to/pam_env.conf

Indicate an alternative pam_env.conf style configuration file to override the default. This can be useful when different services need different environments.

debug

A lot of debug information is printed with syslog(3).

envfile=/path/to/environment

Indicate an alternative environment file to override the default. The syntax are simple KEY=VAL pairs on separate lines. The export instruction can be specified for bash compatibility, but will be ignored. This can be useful when different services need different environments.

readenv=0|1

Turns on or off the reading of the file specified by envfile (0 is off, 1 is on). By default this option is on.

user_envfile=filename

Indicate an alternative .pam_environment file to override the default. The syntax is the same as for /etc/security/pam_env.conf. The filename is relative to the user home directory. This can be useful when different services need different environments.

user_readenv=0|1

Turns on or off the reading of the user specific environment file. 0 is off, 1 is on. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator.

Due to problematic security this functionality is deprecated since the 1.5.0 version and will be removed completely at some point in the future.

MODULE TYPES PROVIDED

The auth and session module types are provided.

RETURN VALUES

PAM_ABORT

Not all relevant data or options could be gotten.

PAM_BUF_ERR

Memory buffer error.

PAM_IGNORE

No pam_env.conf and environment file was found or the module got called by pam_authenticate(3).

PAM_SUCCESS

Environment variables were set.

FILES

/usr/etc/security/pam_env.conf, /etc/security/pam_env.conf

Default configuration file

/usr/etc/environment, /etc/environment

Default environment file

$HOME/.pam_environment

User specific environment file

SEE ALSO

pam_env.conf(5), pam.d(5), pam(8), environ(7).

AUTHOR

pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.

10/24/2024 Linux-PAM