-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to environment.d for setting envvars #32
Comments
How about writing a PAM module to be added to the required services session management? It could be argued that session brokering is a service of the system administrator and up to them to allow users to configure the session. The original argument about security stands, I don't think it should reimplement pam_userenv, but merely provide a way of setting fixed envvars (iirc you could have ACE using |
It could be a module to set just the XDG_CONFIG_HOME environment variable. That would be probably somewhat acceptable. Not sure if that module has to be part of the Linux PAM. |
Or a list of envvars defined by the sysadmin |
Hi! Thank you very much for commenting!
Writing a new PAM module would only work for systems where I have administrative rights. I cannot expect every other system administrator to include and enable some fiddled PAM module by a random opinionated user on the Web 😅 With my dotfiles, I generally avoid any approach that requires system-wide modifications, as I would need to rely on the local system administrator to have taken specific steps beyond what is already provided by default. Admittedly, I haven't applied this consistently (RedHat-based systems have already disabled
I agree with that, but unfortunately, the way the XDG basedir spec is defined (grumble, grumble) this has implications on where application files end up within a user's home directory. And my stance there is that users should generally be allowed to decide for themselves how they want to organise their personal files.
That would be a compromise that would solve this particular problem. But I also agree with your comment in the referenced PAM issue that it isn't really PAM's job to set user environment variables. It just happened to be a feature I was glad existed and I could use, but I do see the security implications of misconfigured PAM setups as well (and I think even only I'm painfully reminded of https://xkcd.com/1172/ right now.
Unless the upstream defaults include at least Overall, I was rather planning to see if I could make environment.d additionally also consider a file/directory like |
I think we're ignoring the fact that user sessions don't necessarily need to be These applications start under a user session long before the user for whom A solution using the existing PAM stack would require configuration by the I don't think that solution belongs in systemd, but in consolekit / logind, How about exploring other systemd subsystems to piggy back on? |
But isn't logind only for login sessions? Please correct me if I'm wrong, I'm basing my assumption only on what I've read in the systemd-logind manpage. The goal is to have my environment variables be respected by as many processes as possible, not just interactive sessions (otherwise I could just stick to But I fully agree with you on this:
So far I have indeed overlooked that for most (relevant) PAM applications, I have been lucky that
To be honest, I am now genuinely lost as to what component should ideally handle this. The way I see it, anything that launches a process under my user would have to respect that, and that doesn't sound particularly realistic. So I assume I will have to strive for a "good enough" solution, and based on my current knowledge, I am still under the impression that (both by its name and its functionality) environment.d does this job just fine. --edit: But I'm open for suggestions, if you see any specific components that are better suited for this. |
Moved (large parts of) I ran into a second boostrapping issue: The result is that we now set |
I don't know much about this repository but I've been looking for a drop-in folder How about...
Does it work for you? Works great for me in all places that I tested so far (terminal emulator, virtual console). |
Hi @adrelanos, thanks for your input and interest in this! But do I understand you correctly that you want to set environment variables that apply to the entire system? My goal is to have a user-controlled knob for setting environment variables. Configuration files outside of my If you don't mind some feedback on your approach, though: Files in --edit: Ah, but I see that further down in that linked discussion, you're describing how that file would be installed by an OS package, in which case |
In some cases, yes. But indeed. Your feature request, makes a lot sense. Having some environment applied only to PAM sessions and not each and every (systemd) daemon would be cleaner. In the specific use case why this came up again we were looking for a solution was how to set
I can see the issue. Having Where do you need it? Xorg? Wayland? Virtual console? I suppose so. In that case, would a systemd drop-in for getty with
Indeed. Thank you for your reply! |
With PAM developers having switched to setting
user_readenv
to 0 by default recently, and now with them voicing their intent to remove~/.pam_environment
entirely, it's a good moment to seriously start thinking about moving variable declaration to environment.d.The downsides are:
$XDG_CONFIG_HOME/environment.d
, so there is a bit of a bootstrapping issue here: with pam_env disappearing, one can no longer define$XDG_CONFIG_HOME
before environment.d runs (so it will either default to the specification-defined default (~/.config
), or whatever the local sysadmin decides to set system-wide). We'll need a not-too-painful way of adapting to the individual cases; probably by symlinking~/system-specific-xdg_config_home/environment.d
to~/.local/etc/environment.d
as part of the initial dotfiles setup.eval
ing the output ofsystemctl show-environment
, or by reading the environment.d files directly (given that theshow-environment
output isn't POSIX conform, so we can't put that inetc/sh/profile.d
).It's less than ideal, but as far as I can see, it's the only thing that is currently left for setting environment variables.
The text was updated successfully, but these errors were encountered: