Re: Systemd user environment variables not picked up for me
On Tue, Jun 30, 2020 at 08:14:41AM +0200, l0f4r0@tuta.io wrote:
> It seems you can reconstruct those "early" variables like the following:
> HOME=/home/@{PAM_USER}
>
> Or use @{HOME} directly since PAM 1.2.0.
>
> Source: https://unix.stackexchange.com/questions/258246/why-does-pam-environment-not-include-home-in-my-new-path

Huh... interesting stuff. Apparently I haven't been reading the
correct man pages, to start with.

None of this stuff is mentioned *at all* in pam_env(7). The only thing
you can find there is "SEE ALSO pam_env.conf(5)".

pam_env.conf(5) is far more interesting, especially this paragraph:

    The /etc/environment file specifies the environment variables to be
    set. The file must consist of simple NAME=VALUE pairs on separate
    lines. The pam_env(8) module will read the file after the pam_env.conf
    file.

So... wait, there are *two* config files, and they're *completely
different*?! Jesus.

Taking your comments, plus the linked web page, plus the pam_env.conf(5)
man page, plus the commentary in the /etc/security/pam_env.conf file, I
performed the following experiment:

First, I added two lines to the end of /etc/security/pam_env.conf:

    TEST1 DEFAULT=${HOME}/foo
    TEST2 DEFAULT=@{HOME}/foo

Then I opened a new terminal window, and ran "su - greg" inside it.

    unicorn:~$ su - greg
    Password:
    unicorn:~$ env | grep TEST
    TEST2=/home/greg/foo
    TEST1=/foo

Huh. It actually *worked*. Astonishing.

I feel like the /etc/environment file needs some comments in it saying
"This is a useless legacy file; if you actually want to add environment
variables to user logins, see pam_env.conf(5) and put your changes in
/etc/security/pam_env.conf instead." But then again, that would probably
be treated as live code rather than a comment, and something would
explode.

And then /etc/security/pam_env.conf needs comments that say "Use @{HOME}
instead of ${HOME}." That can either replace or augment the current
comment that says "For example, HOME is used below several times, but
many PAM applications don't make it available by the time you need it."

Of course, none of this will actually happen, because it is Upstream
Documentation, and Debian won't want to touch it.
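
Added example, not part of the original message and not pam_env's own code: a small Python model of the experiment above that expands `${NAME}` from the environment and `@{NAME}` from PAM-supplied values, and reports every `${NAME}` that is still unset when its line is processed (the case that silently produced `/foo`). The function names, the `pam_items` dictionary and the simplified parsing rules are assumptions made for the illustration.

```python
import re

# Constructed sample: the two lines from the experiment in the message above.
SAMPLE_CONF = """\
# appended to /etc/security/pam_env.conf
TEST1 DEFAULT=${HOME}/foo
TEST2 DEFAULT=@{HOME}/foo
"""

REF = re.compile(r"([$@])\{([^}]*)\}")

def expand(value, env, pam_items):
    """Expand ${NAME} from env and @{NAME} from pam_items; unknown names give ''."""
    def lookup(match):
        table = env if match.group(1) == "$" else pam_items
        return table.get(match.group(2), "")
    return REF.sub(lookup, value)

def simulate(conf_text, env, pam_items):
    """Model pam_env.conf processing; return (resulting env, warnings).

    Simplified (assumption): unquoted values, no backslash escapes, and a
    non-empty OVERRIDE wins over DEFAULT. A warning is (line, variable, name)
    for each ${name} that is not set at the time the line is processed.
    """
    result, warnings = dict(env), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *options = line.split()
        values = {}
        for option in options:
            key, sep, val = option.partition("=")
            if not sep or key not in ("DEFAULT", "OVERRIDE"):
                continue
            for sigil, ref in REF.findall(val):
                if sigil == "$" and ref not in result:
                    warnings.append((lineno, name, ref))
            values[key] = expand(val, result, pam_items)
        chosen = values.get("OVERRIDE") or values.get("DEFAULT")
        if chosen is not None:
            result[name] = chosen
    return result, warnings

if __name__ == "__main__":
    # HOME is not yet in the environment, but PAM knows the user's home.
    env, warns = simulate(SAMPLE_CONF, {}, {"HOME": "/home/greg"})
    print(env, warns)
```

Run against a copy of the real file before deploying it, any reported line is one whose value will collapse to a path under `/` at login.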