On Tue, Jun 30, 2020 at 08:14:41AM +0200, l0f...@tuta.io wrote:
> It seems you can reconstruct those "early" variables like the following:
> HOME=/home/@{PAM_USER}
>
> Or use @{HOME} directly since PAM 1.2.0.
>
> Source:
> https://unix.stackexchange.com/questions/258246/why-does-pam-environment-not-include-home-in-my-new-path
Huh... interesting stuff.

Apparently I haven't been reading the correct man pages, to start with. None of this stuff is mentioned *at all* in pam_env(7). The only thing you can find there is "SEE ALSO pam_env.conf(5)".

pam_env.conf(5) is far more interesting, especially this paragraph:

    The /etc/environment file specifies the environment variables to be
    set. The file must consist of simple NAME=VALUE pairs on separate
    lines. The pam_env(8) module will read the file after the
    pam_env.conf file.

So... wait, there are *two* config files, and they're *completely different*?! Jesus.

Taking your comments, plus the linked web page, plus the pam_env.conf(5) man page, plus the commentary in the /etc/security/pam_env.conf file, I performed the following experiment:

First, I added two lines to the end of /etc/security/pam_env.conf:

    TEST1 DEFAULT=${HOME}/foo
    TEST2 DEFAULT=@{HOME}/foo

Then I opened a new terminal window, and ran "su - greg" inside it.

    unicorn:~$ su - greg
    Password:
    unicorn:~$ env | grep TEST
    TEST2=/home/greg/foo
    TEST1=/foo

Huh. It actually *worked*. Astonishing.

I feel like the /etc/environment file needs some comments in it saying "This is a useless legacy file; if you actually want to add environment variables to user logins, see pam_env.conf(5) and put your changes in /etc/security/pam_env.conf instead." But then again, that would probably be treated as live code rather than a comment, and something would explode.

And then /etc/security/pam_env.conf needs comments that say "Use @{HOME} instead of ${HOME}." That can either replace or augment the current comment that says "For example, HOME is used below several times, but many PAM applications don't make it available by the time you need it."

Of course, none of this will actually happen, because it is Upstream Documentation, and Debian won't want to touch it.
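The TEST1/TEST2 result above follows from the two expansion rules in pam_env.conf(5): ${VAR} reads the environment that exists when pam_env runs (HOME is often not set yet), while @{VAR} reads PAM items (PAM_USER, HOME, SHELL). The following is an added illustration, not part of this thread and not pam_env's own code: a small Python model of that parsing and expansion, run over constructed config lines, including the two from the experiment. The PAM item values and the starting environment are assumptions chosen to match the "su - greg" session.

```python
"""Model of pam_env.conf expansion rules (educational approximation, not pam_env's code)."""
import re
import shlex

# Constructed config: the two lines from the experiment plus a typical PATH line.
PAM_ENV_CONF = """\
# comments and blank lines are ignored
TEST1   DEFAULT=${HOME}/foo
TEST2   DEFAULT=@{HOME}/foo
PATH    DEFAULT=${PATH}:/usr/games OVERRIDE=${NEW_PATH}
"""

# Assumed state at the moment pam_env runs for "su - greg": HOME not yet exported.
EARLY_ENV = {"PATH": "/usr/bin"}
PAM_ITEMS = {"PAM_USER": "greg", "HOME": "/home/greg", "SHELL": "/bin/bash"}

_REF = re.compile(r"([$@])\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand(value, env, pam_items):
    """${X} comes from the current environment, @{X} from PAM items; unknown -> ''."""
    def sub(match):
        table = env if match.group(1) == "$" else pam_items
        return table.get(match.group(2), "")
    return _REF.sub(sub, value)


def apply_pam_env(conf_text, env, pam_items):
    """Return the environment after processing each NAME [DEFAULT=..] [OVERRIDE=..] line."""
    env = dict(env)  # never mutate the caller's mapping
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the double-quoting pam_env.conf allows
        name, default, override = fields[0], "", ""
        for field in fields[1:]:
            if field.startswith("DEFAULT="):
                default = field[len("DEFAULT="):]
            elif field.startswith("OVERRIDE="):
                override = field[len("OVERRIDE="):]
        # Documented rule: OVERRIDE is used when non-empty after expansion, else DEFAULT.
        env[name] = expand(override, env, pam_items) or expand(default, env, pam_items)
    return env


def demo():
    return apply_pam_env(PAM_ENV_CONF, EARLY_ENV, PAM_ITEMS)


if __name__ == "__main__":
    for key, val in sorted(demo().items()):
        print(f"{key}={val}")
```

Running it reproduces the mail's result: TEST1 collapses to /foo because ${HOME} expands to the empty string, while TEST2 resolves through the PAM item to /home/greg/foo.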