LinuxCommandLibrary

pam_env

Set environment variables during session initialization

SYNOPSIS

pam_env.so is configured in PAM service files.
Syntax in /etc/pam.d/* files:
auth optional pam_env.so [options]
session optional pam_env.so [options]

PARAMETERS

debug
    Enables verbose debugging output to syslog.

file=path
envfile=path

    Specifies an alternative system-wide environment file to load instead of /etc/environment.

conf=path
conffile=path

    Specifies an alternative configuration file to load instead of /etc/security/pam_env.conf.

user_envrc
    Enables processing of ~/.pam_envrc for user-specific environment variables. This file must be owned by the user and have strict permissions (0600).

override
    Allows variables defined in the pam_env.conf file to override those defined in /etc/environment. By default, /etc/environment variables take precedence.

var=value
    Explicitly sets a single environment variable directly within the PAM configuration line. This is less common for general use cases.

DESCRIPTION

pam_env is a PAM (Pluggable Authentication Modules) module responsible for setting and unsetting environment variables for a user's session during the authentication or session management phase. It is not a standalone command executed directly by users, but rather a shared library (pam_env.so) configured within PAM service files, typically found in /etc/pam.d/ (e.g., /etc/pam.d/login, /etc/pam.d/sshd).

The module reads environment variable definitions from various sources, primarily the system-wide /etc/environment file and its dedicated configuration file, /etc/security/pam_env.conf. It allows system administrators to define default environment variables like PATH, LANG, or TZ that apply to all users or specific services before the user's shell is launched. This ensures a consistent environment for all applications and processes initiated via PAM-aware services.

pam_env supports variable expansion, allowing new variables to be defined based on existing ones or dynamic information. It is crucial for ensuring that the necessary environment is established for user sessions, especially in environments where users may not have custom shell configuration files (like .bashrc or .profile) or where system-wide defaults are enforced.

CAVEATS

pam_env processes environment variables at the PAM level, which is before shell-specific configuration files (.bashrc, .profile, .zshrc) are sourced. Variables set by pam_env can be overridden by later shell configurations.

Using the user_envrc option requires careful attention to file permissions (0600) to prevent security vulnerabilities, as it can be used for privilege escalation if not properly secured.

Variable expansion in pam_env.conf uses its own syntax ($(VAR) or ${VAR}) and does not support arbitrary shell commands or complex logic.

CONFIGURATION FILES

The two primary configuration files for pam_env are:

  • /etc/environment: A simple file containing KEY=VALUE pairs, one per line. It is system-wide and typically processed first.
  • /etc/security/pam_env.conf: A more powerful configuration file supporting syntax like VAR=[value] and VAR={DEFAULT=[value] LOCALE=[value]}, as well as variable expansion. It allows for more granular control, including setting variables based on locale.

If the user_envrc option is used, pam_env will also look for ~/.pam_envrc in the user's home directory.

VARIABLE EXPANSION

pam_env supports two forms of variable expansion within its configuration files:

  • $(VAR): Expands to the value of the environment variable VAR.
  • ${VAR}: Similar to $(VAR), expands to the value of VAR.

If the variable is not set, it expands to an empty string. This allows for defining new variables based on existing ones.

PROCESSING ORDER

When pam_env processes environment variables, it typically follows this order:

  1. Variables from /etc/environment are loaded.
  2. Variables from /etc/security/pam_env.conf are loaded. By default, these do not override variables from /etc/environment unless the override module option is used.
  3. If user_envrc is enabled, variables from ~/.pam_envrc are processed last, overriding previously set variables.

This order ensures a hierarchical approach to environment variable management.
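The expansion rules and the three-step processing order described above, modelled as an added Python example (this is not the module's own code, which lives in C inside Linux-PAM). The file contents are constructed samples, and reading only the DEFAULT value out of the VAR={DEFAULT=[value] LOCALE=[value]} form is an assumption made here to keep the model small.

```python
import re

_EXPAND = re.compile(r"\$(?:\((\w+)\)|\{(\w+)\})")

def expand(value, env):
    """Expand $(VAR) / ${VAR} from env; an unset VAR becomes the empty string."""
    return _EXPAND.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)

def parse_key_value(text):
    """KEY=VALUE lines (as in /etc/environment or ~/.pam_envrc); blanks and # comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip().strip('"')
    return out

def parse_pam_env_conf(text):
    """VAR=[value] or VAR={DEFAULT=[value] LOCALE=[value]} lines; DEFAULT is used (assumption)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        m = re.fullmatch(r"\[(.*)\]", rest) or re.search(r"DEFAULT=\[(.*?)\]", rest)
        if m:
            out[key.strip()] = m.group(1)
    return out

def build_session_env(environment_text, conf_text, user_envrc_text=None, override=False):
    """Three-step order: /etc/environment, then pam_env.conf, then ~/.pam_envrc (if enabled)."""
    env = dict(parse_key_value(environment_text))           # 1. loaded first; wins by default
    for key, raw in parse_pam_env_conf(conf_text).items():  # 2. only fills gaps unless override
        if override or key not in env:
            env[key] = expand(raw, env)
    if user_envrc_text is not None:                          # 3. user_envrc: last, overrides all
        for key, raw in parse_key_value(user_envrc_text).items():
            env[key] = expand(raw, env)
    return env

# Constructed sample file contents (not taken from any real system).
ENVIRONMENT = "PATH=/usr/local/bin:/usr/bin:/bin\nLANG=en_US.UTF-8\n"
PAM_ENV_CONF = ("# constructed pam_env.conf\n"
                "PATH=[/opt/tools/bin:${PATH}]\n"
                "TZ={DEFAULT=[UTC] LOCALE=[Europe/Berlin]}\n"
                "EDITOR=[$(VISUAL)]\n")
USER_ENVRC = "TZ=Asia/Tokyo\n"
```

Calling build_session_env(ENVIRONMENT, PAM_ENV_CONF) keeps the /etc/environment PATH, while passing override=True lets the pam_env.conf PATH, expanded against the already-loaded value, replace it; passing USER_ENVRC as the third argument shows ~/.pam_envrc winning over both.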

HISTORY

pam_env is an integral part of the Linux-PAM (Pluggable Authentication Modules) project, which provides a flexible and modular framework for authentication services in Linux. Its development has focused on providing a standardized way to manage user session environments at the authentication layer, ensuring consistency and security across various services that leverage PAM. It has been a stable component of the PAM framework for many years.

SEE ALSO

pam(8), pam_env.conf(5), environment(5), pam_systemd(8), login(1), sshd(8)
