Make ~/.pam_environment work again


In the early days of Linux, when X was started with startx, the GUI session simply inherited the environment of the console login shell, so setting or changing an environment variable meant putting it in ~/.profile.

Nowadays a display manager such as gdm starts the session, and the documented place for per-user environment variables has been ~/.pam_environment, which the pam_env module reads during login. The syntax of that file is

PATH OVERRIDE=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin
LANG OVERRIDE=en_US.UTF-8

After a recent update I noticed that even this stopped working. Turns out that this feature was marked as a security issue and disabled by default.

The reason it was disabled is that pam_env parses a user-writable file from inside the PAM stack, which runs with the privileges of the login service (normally root). On a typical single-user laptop or desktop, where there are no untrusted local accounts, that trade-off is acceptable and you can enable it again.

  1. Find the file in /etc/pam.d that corresponds to your display manager, such as /etc/pam.d/lightdm for lightdm. If you log in on a tty directly, without a display manager, the service file is /etc/pam.d/login; note that on Fedora 31, for example, that file includes /etc/pam.d/system-auth, and the pam_env line lives there.

  2. Find the line in that file that says

    auth       required    pam_env.so

    and change it to

    auth       required    pam_env.so user_readenv=1
  3. Restart your display manager. For tty logins a fresh login is enough, since PAM reads the service file each time it authenticates.
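The three steps above as a small script, added here as an example and not code from the original post. It takes the PAM service file as a parameter, so point enable_user_readenv at /etc/pam.d/lightdm, /etc/pam.d/login or /etc/pam.d/system-auth as your distribution requires (run it as root), and run check_pam_environment on your own ~/.pam_environment before relying on it. Matching session lines as well as auth lines, and flagging loader variables, are this script's additions; the post only mentions the auth line.

```shell
#!/bin/sh
# Added example (not code from the original post): apply steps 1-3 to a PAM
# service file given as an argument, and sanity-check a ~/.pam_environment.
set -eu

# enable_user_readenv FILE
# Append "user_readenv=1" to every auth (or session, where some distributions
# load it instead) line in FILE that loads pam_env.so and does not already set
# user_readenv. Idempotent; leaves FILE.bak behind when it changes something.
# Prints the number of lines it modified.
enable_user_readenv() {
    file=$1
    [ -f "$file" ] || { echo "enable_user_readenv: no such file: $file" >&2; return 1; }
    # Count the pam_env lines that still lack the option.
    needs=$(grep -E '^[[:space:]]*(auth|session)[[:space:]].*pam_env\.so' "$file" \
            | grep -vc 'user_readenv=' || true)
    if [ "$needs" -gt 0 ]; then
        # Touch only the matching lines; everything else is copied verbatim.
        sed -i.bak -E \
            '/^[[:space:]]*(auth|session)[[:space:]].*pam_env\.so/{/user_readenv=/!s/$/ user_readenv=1/;}' \
            "$file"
    fi
    echo "$needs"
}

# check_pam_environment FILE
# Validate FILE against the pam_env.conf line format used in the post:
#   VARIABLE [DEFAULT=value] [OVERRIDE=value]
# Prints one diagnostic per bad line on stderr and the problem count on stdout;
# exit status is 0 only when the file is clean. Loader variables are flagged
# too, because a user-writable file feeding the privileged PAM stack should not
# be carrying them.
check_pam_environment() {
    file=$1
    problems=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;   # blank lines and comments are ignored by pam_env
        esac
        name=${line%%[[:space:]]*}
        rest=${line#"$name"}
        # The variable name must be an identifier.
        if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
            echo "$file:$lineno: bad variable name: $name" >&2
            problems=$((problems + 1)); continue
        fi
        # Anything after it must be DEFAULT=... and/or OVERRIDE=... (quoted or bare).
        if ! printf '%s\n' "$rest" | grep -Eq '^([[:space:]]+(DEFAULT|OVERRIDE)=("[^"]*"|[^[:space:]]*)){0,2}[[:space:]]*$'; then
            echo "$file:$lineno: expected 'VAR [DEFAULT=v] [OVERRIDE=v]': $line" >&2
            problems=$((problems + 1)); continue
        fi
        case $name in
            LD_PRELOAD|LD_LIBRARY_PATH|LD_AUDIT)
                echo "$file:$lineno: loader variable $name set from a user file; review it" >&2
                problems=$((problems + 1)) ;;
        esac
    done < "$file"
    echo "$problems"
    [ "$problems" -eq 0 ]
}
```

A second run of enable_user_readenv on the same file reports 0 and changes nothing, so it is safe to include in a provisioning script.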

SELinux may also get in the way, in which case journalctl shows AVC denials like the ones below. Two things are worth noticing before doing anything about them. The source domain is local_login_t with comm="login", so this is the tty login path from step 1, not the display manager. And both records carry permissive=1, which means SELinux only logged the access and did not refuse it: the system, or at least that domain, was already in permissive mode. Disabling SELinux altogether is not the fix; check getenforce first, and if the denials are really enforced, build a small local policy module for exactly this access with audit2allow and semodule instead.

Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { read } for  pid=69035 comm="login" name=".pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { open } for  pid=69035 comm="login" path="/home/roman/.pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
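To make that triage mechanical, here is an added example (not from the original post) that reads audit records like the two above and reports, per AVC record, whether SELinux actually blocked the access or merely logged it, along with the source type, target type, object class and permission that a targeted policy module would have to allow. The sample input reuses the two journal lines from the post and adds one constructed record with permissive=0 to show what an enforced denial looks like.

```shell
#!/bin/sh
# Added example (not code from the original post): triage pam_env AVC records
# before reaching for setenforce 0.
set -eu

# sample_avc_lines: the two records from the journal above, plus a constructed
# third record (permissive=0) representing a denial SELinux actually enforced.
sample_avc_lines() {
    cat <<'EOF'
Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { read } for  pid=69035 comm="login" name=".pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Dec 05 10:47:31 jerry audit[69035]: AVC avc:  denied  { open } for  pid=69035 comm="login" path="/home/roman/.pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Dec 05 10:48:02 jerry audit[69101]: AVC avc:  denied  { open } for  pid=69101 comm="login" path="/home/roman/.pam_environment" dev="dm-2" ino=12063987 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# avc_summary < audit-lines
# One output line per AVC record:
#   <enforced|logged-only> <permission> <source type> <target type> <class>
avc_summary() {
    grep 'avc: *denied' | while IFS= read -r line; do
        # The permission sits inside "denied  { ... }".
        perm=$(printf '%s\n' "$line" | sed -E 's/.*denied +[{] ([a-z_]+) [}].*/\1/')
        # Contexts are user:role:type:level; we want the type (third field).
        stype=$(printf '%s\n' "$line" | sed -E 's/.*scontext=[^:]*:[^:]*:([^:]+):.*/\1/')
        ttype=$(printf '%s\n' "$line" | sed -E 's/.*tcontext=[^:]*:[^:]*:([^:]+):.*/\1/')
        tclass=$(printf '%s\n' "$line" | sed -E 's/.*tclass=([a-z_]+).*/\1/')
        case $line in
            *permissive=1*) mode=logged-only ;;   # access went through, SELinux only complained
            *)              mode=enforced ;;      # access was really refused
        esac
        printf '%s %s %s %s %s\n' "$mode" "$perm" "$stype" "$ttype" "$tclass"
    done
}

# avc_enforced_count < audit-lines
# Number of records SELinux actually blocked. Zero means SELinux is not what
# broke the login, and disabling it would change nothing.
avc_enforced_count() {
    avc_summary | grep -c '^enforced ' || true
}
```

Fed only the two records from the post, avc_enforced_count reports 0. If you do see enforced denials for local_login_t on user_home_t files, the narrow fix is ausearch -m avc -c login | audit2allow -M local_pam_env, followed by semodule -i local_pam_env.pp; read the generated local_pam_env.te before installing it, because on a permissive system ausearch will also sweep in unrelated denials from the same command.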