Make ~/.pam_environment work again


In the early days of Linux, when X was started with startx, the GUI environment was inherited directly from the console environment, so to set or change an environment variable you just put it in ~/.profile.

Nowadays we use display managers such as gdm, and a common way to set environment variables for the whole session is ~/.pam_environment, which is read by the pam_env module when its user_readenv option is on. The file uses the same syntax as /etc/security/pam_env.conf: a variable name followed by optional DEFAULT= and OVERRIDE= values, for example

PATH OVERRIDE=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin
LANG OVERRIDE=en_US.UTF-8

After a recent update I noticed that even this stopped working. Turns out that upstream Linux-PAM treats this feature as a security risk: a file the user controls is parsed during the privileged authentication stage, and through it a user can push arbitrary variables into every session that passes through that PAM stack. The default was therefore changed to user_readenv=0, and the option is marked deprecated, so expect it to disappear in some future release.

On a typical laptop or personal computer, where there are no hostile local users, you can turn it back on. On shared or multi-user hosts, leave it off.

Check whether your PAM configuration is managed by authselect

On newer Red Hat-derived systems (Fedora, RHEL and their clones; other distributions may manage PAM differently) authselect generates the configuration files in /etc/pam.d, and edits made directly to those files get overwritten. To check whether your system uses authselect, run

authselect check

On a system that uses authselect, you will get something like

Current configuration is valid.

On a system that doesn't use authselect, you'll get either an error from your shell saying the command is not found (authselect isn't installed) or a message from authselect telling you that it is not managing the configuration.

If authselect is used

  1. Create a custom authselect profile based on the one currently in use (authselect current prints it; minimal is used below):

    authselect create-profile minimal_with_env -b minimal --symlink-meta

     Leave out --symlink-pam: with that option the PAM templates in the custom profile are symlinks to the base profile's files under /usr/share/authselect, and editing through the symlink changes the distribution's copy, which the next package update overwrites.
  2. Edit the file /etc/authselect/custom/minimal_with_env/password-auth (the gdm-password and sshd services include it). If you also log in on a text console, make the same change in system-auth, which /etc/pam.d/login includes. Find the line that says

    auth       required    pam_env.so

    and change it to

    auth       required    pam_env.so user_readenv=1
  3. Switch to the new profile:

    authselect select custom/minimal_with_env

     If authselect refuses because files in /etc/pam.d were modified by hand, back those changes up and add --force. If you edit the profile again later, run authselect apply-changes to regenerate /etc/pam.d.

If authselect is not used

  1. Find the file in /etc/pam.d that corresponds to your display manager, such as /etc/pam.d/lightdm for lightdm or /etc/pam.d/gdm-password for gdm. If you log in on a tty directly, skipping a display manager, see /etc/pam.d/login. Note that the file may not contain the pam_env line itself: on Fedora 31, for example, login delegates to /etc/pam.d/system-auth (auth substack system-auth), and that is the file to edit.

  2. Find the line in that file that says

    auth       required    pam_env.so

    and change it to

    auth       required    pam_env.so user_readenv=1
  3. Log out and log back in. The PAM stack is read afresh on every login, so restarting the display manager is usually not necessary, though it does no harm.

If SELinux is enforcing, you may also need to allow the login process to read the file: the read happens from a system domain (local_login_t for console login, xdm_t for display managers) against a file labelled user_home_t, which the default policy does not permit. The denials show up in journalctl like this (note permissive=1: this machine was already in permissive mode, so the reads were logged but not blocked; in enforcing mode they simply fail and the file is silently ignored):

Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { read } for  pid=69035 comm="login" name=".pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { open } for  pid=69035 comm="login" path="/home/roman/.pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

Rather than disabling SELinux altogether, build a local policy module from the recorded denials, for example with ausearch -m AVC -ts recent | audit2allow -M local_pam_env followed by semodule -i local_pam_env.pp. That grants only this access and keeps the rest of the policy intact.