            pam_env — PAM module to set/unset environment variables

   ══════════════════════════════════════════════════════════════════════════

DESCRIPTION

   The pam_env PAM module allows the (un)setting of environment variables.
   Supported is the use of previously set environment variables as well as
   PAM_ITEMs such as PAM_RHOST.

   Rules for (un)setting of variables can be defined in an own config file.
   The path to this file can be specified with the conffile option. If this
   file does not exist, the default rules are taken from the config files
   /etc/security/pam_env.conf and /etc/security/pam_env.conf.d/*.conf. If the
   file /etc/security/pam_env.conf does not exist, the rules are taken from
   the files %vendordir%/security/pam_env.conf,
   %vendordir%/security/pam_env.conf.d/*.conf and
   /etc/security/pam_env.conf.d/*.conf in that order.

   By default rules for (un)setting of variables are taken from the config
   file /etc/security/pam_env.conf. If this file does not exist
   %vendordir%/security/pam_env.conf is used. An alternate file can be
   specified with the conffile option, which overrules all other files.

   By default rules for (un)setting of variables are taken from the config
   file /etc/security/pam_env.conf. An alternate file can be specified with
   the conffile option.

   Environment variables can be defined in a file with simple KEY=VAL pairs
   on separate lines. The path to this file can be specified with the envfile
   option. If this file has not been defined, the settings are read from the
   files /etc/security/environment and /etc/security/environment.d/*. If the
   file /etc/environment does not exist, the settings are read from the files
   %vendordir%/environment, %vendordir%/environment.d/* and
   /etc/environment.d/* in that order. And last but not least, with the
   readenv option this mechanism can be completely disabled.

   Second a file (/etc/environment by default) with simple KEY=VAL pairs on
   separate lines will be read. If this file does not exist,
   %vendordir%/etc/environment is used. With the envfile option an alternate
   file can be specified, which overrules all other files. And with the
   readenv option this can be completely disabled.

   Second a file (/etc/environment by default) with simple KEY=VAL pairs on
   separate lines will be read. With the envfile option an alternate file can
   be specified. And with the readenv option this can be completely disabled.

   Third it will read a user configuration file ($HOME/.pam_environment by
   default). The default file can be changed with the user_envfile option and
   it can be turned on and off with the user_readenv option.

   Since setting of PAM environment variables can have side effects to other
   modules, this module should be the last one on the stack.

   This module is only executed if the main application calls pam_setcred(3)
   or pam_open_session(3). The module does nothing and returns PAM_IGNORE if
   called by pam_authenticate(3).

OPTIONS

   conffile=/path/to/pam_env.conf

   Indicate an alternative pam_env.conf style configuration file to override
   the default. This can be useful when different services need different
   environments.

   debug

   A lot of debug information is printed with syslog(3).

   envfile=/path/to/environment

   Indicate an alternative environment file to override the default. The
   syntax are simple KEY=VAL pairs on separate lines. The export instruction
   can be specified for bash compatibility, but will be ignored. This can be
   useful when different services need different environments.

   readenv=0|1

   Turns on or off the reading of the file specified by envfile (0 is off, 1
   is on). By default this option is on.

   user_envfile=filename

   Indicate an alternative .pam_environment file to override the default. The
   syntax is the same as for /etc/security/pam_env.conf. The filename is
   relative to the user home directory. This can be useful when different
   services need different environments.

   user_readenv=0|1

   Turns on or off the reading of the user specific environment file. 0 is
   off, 1 is on. By default this option is off as user supplied environment
   variables in the PAM environment could affect behavior of subsequent
   modules in the stack without the consent of the system administrator.

   Due to problematic security this functionality is deprecated since the
   1.5.0 version and will be removed completely at some point in the future.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/pam_env.conf.

   Set the REMOTEHOST variable for any hosts that are remote, default to
   "localhost" rather than not being set at all

       REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}


   Set the DISPLAY variable if it seems reasonable

       DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}


   Now some simple variables

       PAGER          DEFAULT=less
       MANPAGER       DEFAULT=less
       LESS           DEFAULT="M q e h15 z23 b80"
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
       XDG_DATA_HOME  DEFAULT=@{HOME}/share/


   Silly examples of escaped variables, just to show how they work.

       DOLLAR         DEFAULT=\$
       DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
       DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
       ATSIGN         DEFAULT=""      OVERRIDE=\@

INITIAL
BEFORE_HTML
BEFORE_HEAD
IN_HEAD
IN_HEAD
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
GENERIC_RCDATA
IN_HEAD
IN_HEAD
AFTER_HEAD
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
IN_BODY
AFTER_BODY
AFTER_AFTER_BODY
AFTER_AFTER_BODY
