pam_envfeed 0.4 review
pam_envfeed is a PAM module that runs an external program, grabs its output, and then defines the environment variables this program has emitted.
pam_envfeed is especially useful for dynamically setting up a PATH that depends on many circumstances (such as whether the user is root, or whether a directory exists or not).
The module can be used as an 'auth', 'account' or 'session' module. I guess 'session' is the best place to set environment variables, but YMMV. To do so, put a line like this into /etc/pam.d/system-auth or whatever files are relevant:
session required /lib/security/pam_envfeed.so
When the pam_envfeed module is invoked to set the credentials, do the account management or open the session, it launches the external program /sbin/pam_envfeed by default; a different program can be chosen with an argument to the module.
The program can be a binary as well as a script. Don't forget the execute perms, and the #! line if it's a script.
The program has its standard input and standard error connected to /dev/null, the standard output is a pipe connected to the parent process, and no other file descriptors are open.
The program receives four kinds of environment variables:
PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY and PAM_USER are defined to their equivalent in the PAM system. Only those for which pam_get_item() successfully returned a non-NULL value are actually set, so some of these might be unset.
Since I found it quite difficult to get the home directory of the user whose name is contained in a shell variable in bash, I added password entry lookup into pam_envfeed. If getpwnam() is successful then data provided by this call is put into USERINFO_UID, USERINFO_GID, USERINFO_GECOS, USERINFO_HOME and USERINFO_SHELL. Furthermore the group id is also looked up and the group name is stored in USERINFO_GROUP if getgrgid() is successful. The user's login name is not duplicated in these variables, use PAM_USER instead. This whole userinfo lookup can be disabled with the nouserinfo option, just in case you have troubles with getent/nss stuff or just don't want pam to use them here.
For all the real environment variables that the pamming process has, a counterpart with an ENV_ prefix is defined. E.g. if your authenticating application has LC_ALL=hu_HU then you'll have
For all the pam environment variables that the pamming process has, a counterpart with a PAMENV_ prefix is defined. E.g. if pam_env.so has previously set DISPLAY=kenny:0.0 then you'll have
This is a very simple example script. It only sets PATH and MAIL to probably their most standard values on Linux systems.
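#!/bin/bash
p="/usr/bin:/bin"    # assumed value; the original is not shown on this page
if [ "$USERINFO_UID" = "0" ]; then
    p="/usr/sbin:/sbin:$p"    # assumed addition for root
fi
echo -n PATH="$p"
echo -ne '\00'    # NUL byte between the two assignments
echo -n MAIL="/var/mail/$PAM_USER"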
See the example subdirectory for a more complex example.
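A defensive variant of the script above, as an added example that is not part of pam_envfeed or its example subdirectory: since the helper is launched from the PAM stack and its output becomes the session environment, it only puts directories into PATH that exist, belong to root and are not writable by group or others, and it checks PAM_USER before using it in MAIL. The function names, the directory lists and the NUL byte between records are assumptions.

```sh
#!/bin/sh
# Added example helper for pam_envfeed; all names and directory lists here are
# illustrative. Assumption: NAME=value records are separated by one NUL byte.

# True only for an absolute, colon-free directory owned by uid $2 that is
# not writable by group or others.
safe_dir() {
    case "$1" in *:*) return 1 ;; /*) ;; *) return 1 ;; esac
    [ -d "$1" ] || return 1
    [ -n "$(find -H "$1" -prune -type d -user "$2" \
            ! -perm -0020 ! -perm -0002 -print 2>/dev/null)" ]
}

# build_path OWNER_UID DIR...: join the directories that pass safe_dir.
build_path() {
    owner=$1; shift
    out=
    for d in "$@"; do
        safe_dir "$d" "$owner" && out="${out:+$out:}$d"
    done
    printf '%s' "$out"
}

# PAM_USER ends up in a path, so accept only a conservative character set.
valid_user() {
    case "$1" in ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

emit() {
    if [ "${USERINFO_UID:-}" = "0" ]; then
        set -- /usr/sbin /sbin /usr/bin /bin
    else
        set -- /usr/bin /bin
    fi
    sep=
    p=$(build_path 0 "$@")
    if [ -n "$p" ]; then printf 'PATH=%s' "$p"; sep='\0'; fi
    if valid_user "${PAM_USER:-}"; then
        printf "${sep}MAIL=/var/mail/%s" "$PAM_USER"
    fi
}

emit
```

A directory that fails the check is dropped silently, so a missing PATH entry after login usually means its ownership or mode needs fixing.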