Zucca (Moderator) | Joined: 14 Jun 2007 | Posts: 3703 | Location: Rasi, Finland
Posted: Thu Nov 14, 2024 9:12 am | Post subject: Tapping into the environment just before user shell starts
So my quest is to be able to run some commands (shell script) and export user-specific environment variables just before the user shell starts. So sh/bash profile/rc scripts are out.
I've been using pam_exec to perform some XDG temp dir initializations before the user shell starts, but I cannot export environment variables from there, since pam_exec will exit (losing all the exported variables) and then the parent process will exec the user shell.
My solution has been to use a custom /etc/security/pam_env.conf, which does allow setting per-user environment variables.
The problem then is that if I make this into a package, it cannot simply override /etc/security/pam_env.conf, so I'd need a separate config file, but pam_env does not have any pam_env.d-like directory to support drop-in configs.
I'm making this so that I could simply install a "fully seatded" system (meaning no systemd-logind or elogind) on my other boxes without touching config files too much.
Thanks in advance.
_________________
..: Zucca :..
My gentoo installs: | init=/sbin/openrc-init
-systemd -logind -elogind seatd |
Quote: | I am NaN! I am a man! |
flexibeast (Guru) | Joined: 04 Apr 2022 | Posts: 451 | Location: Naarm/Melbourne, Australia
Posted: Fri Nov 15, 2024 2:41 am
This is relevant to my interests. :-) Including possibly expanding the "Configuring a system without elogind" and "Seatd" pages on the wiki.
Firstly: are you only wanting to set XDG_* variables? If so, perhaps pam_xdg might do what you need?
More generally, the pam_env(8) man page says that, apart from using pam_env.conf (or an alternate file as specified),
Quote: | [A] file (/etc/environment by default) with simple KEY=VAL pairs on separate lines will be read. With the envfile option an alternate file can be specified. And with the readenv option this can be completely disabled.
Third it will read a user configuration file ($HOME/.pam_environment by default). The default file can be changed with the user_envfile option and it can be turned on and off with the user_readenv option. |
I'm wondering whether either of these possibilities might work in your context? E.g. setting envfile to a file that you provide?
_________________
https://wiki.gentoo.org/wiki/User:Flexibeast
Zucca (Moderator) | Joined: 14 Jun 2007 | Posts: 3703 | Location: Rasi, Finland
Posted: Sat Nov 16, 2024 10:35 am
flexibeast wrote: | Third it will read a user configuration file ($HOME/.pam_environment by default). |
That might be a viable route, but
man pam_env: |
user_envfile=filename
    Indicate an alternative .pam_environment file to override the default. The syntax is the same as for /etc/security/pam_env.conf. The filename is relative to the user home directory. This can be useful when different services need different environments.
user_readenv=0|1
    Turns on or off the reading of the user specific environment file. 0 is off, 1 is on. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator.
    Due to problematic security this functionality is deprecated since the 1.5.0 version and will be removed completely at some point in the future.
|
... also the user_envfile needs to be located under user home dir, which I don't want root to be touching upon every login.
My current method is
/etc/security/pam_env.conf: |
# XDG and TEMP
TMPDIR DEFAULT=/tmp/user/@{PAM_USER}/tmp
XDG_RUNTIME_DIR DEFAULT=${TMPDIR}/run
XDG_STATE_HOME DEFAULT="@{HOME}/.local/var"
XDG_CACHE_HOME DEFAULT="${XDG_STATE_HOME}/cache"
XDG_CONFIG_HOME DEFAULT="@{HOME}/etc"
|
... and then I utilize pam_exec to run scripts which create the required directories and tmpfs mounts.
Using /etc/security/pam_env.conf is a very elegant way, but as I stated before, if I put my scripts into a package I cannot simply write the above rules.
If there was a, say, /etc/security/pam_env.conf.d directory for drop-in config snippets, then this would be a non-issue.
Also, envfiles have a different format to pam_env.conf. envfiles are "static". So envfiles would need to be created (and read) on-the-fly when the user has successfully authenticated and logged in.
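Added example, not part of the thread and not the poster's own script: a sketch of a pam_exec session hook that prepares the TMPDIR and XDG_RUNTIME_DIR paths from the pam_env.conf above, refusing symlinks, unsafe user names, and directories with the wrong owner or mode under the shared /tmp parent. The function names and the BASE variable are assumptions, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the thread): body of a pam_exec session hook.
# BASE defaults to /tmp/user, matching TMPDIR in the pam_env.conf above.

# Create DIR with mode 0700 for OWNER_UID, or verify an existing DIR.
ensure_private_dir() {
    dir=$1 owner_uid=$2
    # Never follow a symlink planted under a shared parent such as /tmp.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    if [ ! -e "$dir" ]; then
        # mkdir (without -p) fails if the name appears in the meantime.
        (umask 077 && mkdir "$dir") || return 1
        # Only root can hand the directory over; -h never follows a link.
        if [ "$(id -u)" -eq 0 ]; then
            chown -h "$owner_uid" "$dir" || return 1
        fi
    fi
    # Existing or new: must be a directory, owned by the user, mode 0700.
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    [ "$(stat -c '%u %a' "$dir")" = "$owner_uid 700" ] || {
        echo "bad owner or mode: $dir" >&2
        return 1
    }
}

# Build BASE/USER/tmp and BASE/USER/tmp/run (TMPDIR and XDG_RUNTIME_DIR).
setup_user_dirs() {
    base=$1 user=$2 owner_uid=$3
    # PAM_USER becomes a path component: reject empty, "/" and dot names.
    case $user in
        ''|*/*|.*) echo "unsafe user name" >&2; return 1 ;;
    esac
    ensure_private_dir "$base/$user" "$owner_uid" &&
    ensure_private_dir "$base/$user/tmp" "$owner_uid" &&
    ensure_private_dir "$base/$user/tmp/run" "$owner_uid"
}

# pam_exec exports PAM_USER and PAM_TYPE; act only when a session opens.
if [ "${PAM_TYPE:-}" = "open_session" ]; then
    setup_user_dirs "${BASE:-/tmp/user}" "$PAM_USER" "$(id -u "$PAM_USER")"
fi
```

The base directory itself (/tmp/user here) is assumed to be root-owned and not writable by other users.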