I struggle to see the difference between pam_env.conf and /etc/environment. To me they both do the same thing, with a different syntax. The manpages were no help. So what is the difference?

Additionally, I'd like to find a way to add paths to the PATH environment variable for all users. Adding them to the two aforementioned files works for all users, but doesn't work with sudo, as can be verified by running sudo sh -c 'echo $PATH'.

To solve that problem, I believe I should edit the file /etc/pam.d/sudo, but what should I put in there?
Best Answer

There are 2 fundamental differences between /etc/security/pam_env.conf and /etc/environment.

1. The order in which PAM processes them.

   /etc/environment is parsed first, but anything defined here is overridden by definitions for those same variables if they also exist in pam_env.conf. However, it's possible to subsume + extend the variables from /etc/environment in /etc/security/pam_env.conf, e.g.:

2. Variable expansion

   a. /etc/environment is not a script, but a set of assignment expressions, i.e. ${PATH} is not expanded, but used literally.

   b. /etc/security/pam_env.conf is a different animal altogether. It's not a script per se; it's still just a set of KEY=VALUE assignments, but PAM can expand existing variables (ex: ${PATH}, ${DISPLAY}) and other PAM_ITEMs (ex: @{PAM_SERVICE}, @{PAM_USER}, etc.). Take special note of $ vs @ here.

   PAM also handles the special variables @{HOME} and @{SHELL}, which expand to whatever is defined in /etc/passwd. *Note: in most PAM applications, the traditional variables ${HOME} and ${SHELL} (compare @ vs $) are not available this early in PAM's flow.

   Using the example given in the comments of /etc/security/pam_env.conf, this replacing/expanding behavior can be used to modify the DISPLAY variable for remote login sessions.

To the specific problem you described here, the values you configured in /etc/environment weren't available in the sudo temporary environment because the session facility given by the PAM application definition for /etc/pam.d/sudo never calls pam_env.so for sessions. In /etc/pam.d/sudo, sessions only import the rules from /etc/pam.d/system-auth. Following the trail, in /etc/pam.d/system-auth, the session stack doesn't have an entry for pam_env.so.

There are a few ways to customize the variables available in a sudo environment.

If you need some custom set of environment variables that only exist in sudo-land, it's fairly straightforward.

1. Create a file to contain your exclusive-to-sudo environment variables.

2. Make a copy of /etc/pam.d/system-auth, rename it along the lines of /etc/pam.d/sudo-environment, and add a directive to the bottom of the session stack:

   If you want to pass variables from the non-sudo environment, include the user_readenv=1 flag.

3. In the PAM application definition /etc/pam.d/sudo, make the replacement:

4. Open a new terminal to test.

An alternative to tinkering around with the PAM modules is to edit /etc/sudoers with # visudo, as you did. I realize this is an old question and way-back-when, commenting Default env_reset was the thing to do. Moving forward, the accepted best practice when using sudoers to pull in variable definitions from the environment is to append the variables to env_keep. (...that is, unless you need a unique set of variables as shown above)