LinuxCommandLibrary

pam_env

Set environment variables during session initialization

SYNOPSIS

pam_env.so [debug] [conffile=FILE] [envfile=FILE] [readenv=0|1] [user_env=STR]

PARAMETERS

debug
    Log debug information to the system log via syslog(3).

conffile=FILE
    Read configuration from FILE instead of /etc/security/pam_env.conf.

envfile=FILE
    Read simple NAME=VALUE assignments from FILE (overrides conffile).

readenv=0|1
    0: ignore the user_env list (default); 1: read the variables named in user_env from the calling environment and set them.

user_env=STR
    Comma/space-separated list of vars (e.g., "DISPLAY XAUTHORITY") to copy from calling process env.

DESCRIPTION

pam_env is a Pluggable Authentication Modules (PAM) module in Linux that enables administrators to define and set additional environment variables for authenticating users. It is commonly stacked in the session phase of PAM configurations (e.g., /etc/pam.d/login or /etc/pam.d/sshd) to customize the runtime environment.

The module supports two primary configuration sources: a structured conf file (/etc/security/pam_env.conf by default) with lines like VAR [DEFAULT=value] [OVERRIDE=value], where DEFAULT sets the variable only if unset, and OVERRIDE always replaces it; or an envfile with simple NAME=VALUE assignments. Values can include special expansions like @{HOSTSUBDOMAIN}, @{HOST}, or @{USER}.

Additionally, pam_env can selectively import variables from the invoking process's environment via the user_env parameter (e.g., preserving DISPLAY or XDG_SESSION_TYPE), with readenv controlling whether that list is read at all. This is crucial for graphical logins or for preserving session context.

Changes apply to the PAM-managed environment and propagate to child processes such as the login shell. Debug mode logs each action to syslog for troubleshooting. Because only the variables explicitly named in user_env are imported from the caller, the module limits exposure to untrusted environment variables while still allowing controlled overrides.

CAVEATS

Variables are set in the PAM context; whether they propagate depends on the session type. A misconfigured expansion, or a user_env list that imports more of the caller's environment than intended, can carry untrusted values into the session. Not all shells/applications inherit the PAM environment fully.

CONF FILE FORMAT

Each line: VAR [DEFAULT=value] [OVERRIDE=value]
Expansions: @{HOST}, @{USER}, etc.
Example: LD_LIBRARY_PATH DEFAULT=/usr/local/lib OVERRIDE=/usr/lib

PAM USAGE EXAMPLE

In /etc/pam.d/login:
# an argument that contains spaces must be enclosed in square brackets (see pam.d(5)),
# otherwise PAM splits it into separate arguments
session optional pam_env.so readenv=1 [user_env=DISPLAY XDG_SEAT XDG_SESSION_CLASS]
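The DEFAULT/OVERRIDE semantics from CONF FILE FORMAT and the readenv/user_env allow-list from the usage example above, worked through in a small simulation. This is an added illustration, not Linux-PAM code; the conf text, host name, user name and environment values are constructed, and only the @{HOST}/@{USER} expansions the page mentions are implemented.

```python
import re
import shlex

SAMPLE_CONF = """
# constructed sample pam_env.conf (not taken from any real system)
PATH            DEFAULT=/usr/local/bin:/usr/bin:/bin
LD_LIBRARY_PATH DEFAULT=/usr/local/lib OVERRIDE=/usr/lib
EDITOR          DEFAULT=vi
HOSTNAME        OVERRIDE=@{HOST}
"""

def parse_conf(text):
    """Return (var, default, override) tuples; a missing keyword is None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        var, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        default = override = None
        for tok in shlex.split(rest):           # shlex keeps quoted values whole
            key, _, val = tok.partition("=")
            if key == "DEFAULT":
                default = val
            elif key == "OVERRIDE":
                override = val
            else:
                raise ValueError(f"unknown keyword {key!r} in {raw!r}")
        entries.append((var, default, override))
    return entries

def apply_conf(env, entries, host, user):
    """DEFAULT fills a variable only when it is unset; OVERRIDE always replaces
    it. @{HOST} and @{USER} inside values are expanded as the page describes."""
    env = dict(env)
    for var, default, override in entries:
        value = override if override is not None else default
        if value is not None and (override is not None or var not in env):
            env[var] = value.replace("@{HOST}", host).replace("@{USER}", user)
    return env

def import_user_env(env, calling_env, user_env):
    """readenv=1: copy only the allow-listed names from the calling environment."""
    env = dict(env)
    for name in re.split(r"[,\s]+", user_env.strip()):
        if name and name in calling_env:
            env[name] = calling_env[name]
    return env
```

Names absent from the user_env list (LD_PRELOAD in the test below) never reach the session environment, which is the property the CAVEATS section relies on.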

HISTORY

Developed as part of Linux-PAM (initiated ~1996 by Red Hat), pam_env appeared in early releases (~PAM 0.68, 2000). Evolved to support expansions and user_env for desktop integration.

SEE ALSO

pam(8), pam.d(5), pam_env.conf(5), pam_limits(8)
