author | Thorsten Kukuk <kukuk@thkukuk.de> | 2015-03-25 14:49:46 +0100 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2015-03-25 14:49:46 +0100 |
commit | 73bdfac8c091492f466342feb8f2f5daa2f4c39b (patch) | |
tree | f47dabe5c93ecd4b9aafef62d7931699424815df /modules/pam_env | |
parent | 7b39983f3a7b5e7522f1672e49dcbfe579f0228f (diff) | |
download | pam-73bdfac8c091492f466342feb8f2f5daa2f4c39b.tar.gz pam-73bdfac8c091492f466342feb8f2f5daa2f4c39b.tar.bz2 pam-73bdfac8c091492f466342feb8f2f5daa2f4c39b.zip |
pam_env: expand @{HOME} and @{SHELL} and enhance documentation
(Ticket#24 and #29)
* modules/pam_env/pam_env.c: Replace @{HOME} and @{SHELL} with passwd entries
* modules/pam_env/pam_env.conf.5.xml: Document @{HOME} and @{SHELL}
* modules/pam_env/pam_env.8.xml: Enhance documentation
Diffstat (limited to 'modules/pam_env')
-rw-r--r-- | modules/pam_env/pam_env.8.xml | 39 |
-rw-r--r-- | modules/pam_env/pam_env.c | 15 |
-rw-r--r-- | modules/pam_env/pam_env.conf.5.xml | 11 |
3 files changed, 46 insertions, 19 deletions
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml index 309643fd..6eac6c8d 100644 --- a/modules/pam_env/pam_env.8.xml +++ b/modules/pam_env/pam_env.8.xml @@ -53,17 +53,23 @@ <emphasis>PAM_RHOST</emphasis>. </para> <para> - By default rules for (un)setting of variables is taken from the - config file <filename>/etc/security/pam_env.conf</filename> if - no other file is specified. + By default rules for (un)setting of variables are taken from the + config file <filename>/etc/security/pam_env.conf</filename>. An + alternate file can be specified with the <emphasis>conffile</emphasis> + option. </para> <para> - This module can also parse a file with simple - <emphasis>KEY=VAL</emphasis> pairs on separate lines - (<filename>/etc/environment</filename> by default). You can - change the default file to parse, with the <emphasis>envfile</emphasis> - flag and turn it on or off by setting the <emphasis>readenv</emphasis> - flag to 1 or 0 respectively. + Second a file (<filename>/etc/environment</filename> by default) with simple + <emphasis>KEY=VAL</emphasis> pairs on separate lines will be read. + With the <emphasis>envfile</emphasis> option an alternate file can be specified. + And with the <emphasis>readenv</emphasis> option this can be completly disabled. + </para> + <para> + Third it will read a user configuration file + (<filename>$HOME/.pam_environment</filename> by default). + The default file file can be changed with the + <emphasis>user_envfile</emphasis> option + and it can be turned on and off with the <emphasis>user_readenv</emphasis> option. </para> <para> Since setting of PAM environment variables can have side effects 
@@ -107,8 +113,11 @@ <listitem> <para> Indicate an alternative <filename>environment</filename> - file to override the default. This can be useful when different - services need different environments. + file to override the default. The syntax are simple + <emphasis>KEY=VAL</emphasis> pairs on separate lines. The + <emphasis>export</emphasis> instruction can be specified for bash + compatibility, but will be ignored. + This can be useful when different services need different environments. </para> </listitem> </varlistentry> @@ -133,9 +142,11 @@ <listitem> <para> Indicate an alternative <filename>.pam_environment</filename> - file to override the default. This can be useful when different - services need different environments. The filename is relative to - the user home directory. + file to override the default.The syntax is the same as + for <emphasis>/etc/environment</emphasis>. + The filename is relative to the user home directory. + This can be useful when different services need different + environments. </para> </listitem> </varlistentry> diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index e04f5b53..1bfdf089 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -676,7 +676,7 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) const void *itemval; D(("Called.")); - if (strcmp(name, "PAM_USER") == 0) { + if (strcmp(name, "PAM_USER") == 0 || strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0) { item = PAM_USER; } else if (strcmp(name, "PAM_USER_PROMPT") == 0) { item = PAM_USER_PROMPT; 
@@ -696,6 +696,19 @@ static const char * _pam_get_item_byname(pam_handle_t *pamh, const char *name) D(("pam_get_item failed")); return NULL; /* let pam_get_item() log the error */ } + + if (itemval && (strcmp(name, "HOME") == 0 || strcmp(name, "SHELL") == 0)) { + struct passwd *user_entry; + user_entry = pam_modutil_getpwnam (pamh, (char *) itemval); + if (!user_entry) { + pam_syslog(pamh, LOG_ERR, "No such user!?"); + return NULL; + } + return (strcmp(name, "SHELL") == 0) ? + user_entry->pw_shell : + user_entry->pw_dir; + } + D(("Exit.")); return itemval; } diff --git a/modules/pam_env/pam_env.conf.5.xml b/modules/pam_env/pam_env.conf.5.xml index 45950b8c..4040275a 100644 --- a/modules/pam_env/pam_env.conf.5.xml +++ b/modules/pam_env/pam_env.conf.5.xml @@ -43,14 +43,16 @@ <para> (Possibly non-existent) environment variables may be used in values - using the ${string} syntax and (possibly non-existent) PAM_ITEMs may - be used in values using the @{string} syntax. Both the $ and @ - characters can be backslash escaped to be used as literal values + using the ${string} syntax and (possibly non-existent) PAM_ITEMs as well + as HOME and SHELL may be used in values using the @{string} syntax. Both + the $ and @ characters can be backslash escaped to be used as literal values values can be delimited with "", escaped " not supported. Note that many environment variables that you would like to use may not be set by the time the module is called. - For example, HOME is used below several times, but + For example, ${HOME} is used below several times, but many PAM applications don't make it available by the time you need it. + The special variables @{HOME} and @{SHELL} are expanded to the values + for the user from his <emphasis>passwd</emphasis> entry. </para> <para> @@ -92,6 +94,7 @@ NNTPSERVER DEFAULT=localhost PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 + XDG_DATA_HOME @{HOME}/share/ </programlisting> <para> |
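Review bot: the first pam_env.8.xml hunk (the DESCRIPTION paragraphs) has two typos in the added text: "completly disabled" should read "completely disabled", and "The default file file can be changed" repeats "file". It would also help readers if the three paragraphs stated in which order the three sources are applied (pam_env.conf, /etc/environment, then the user file), since a later file can override an earlier assignment and the words "Second" and "Third" only hint at that.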
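Review bot: in the second pam_env.8.xml hunk (the envfile and user_envfile option descriptions) "The syntax are simple" should be "The syntax is simple", and "override the default.The syntax" is missing a space after the full stop. The envfile text says an "export" prefix is accepted for bash compatibility; the user_envfile text only says "the same as for /etc/environment", so it may be worth stating explicitly that the user file is parsed by the same code and therefore accepts "export" too, rather than leaving the reader to infer it.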
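Review bot: in the first pam_env.c hunk, the new condition maps the names "HOME" and "SHELL" onto the PAM_USER item, which is not obvious from reading the if-chain on its own; a one-line comment saying that HOME and SHELL are resolved from the passwd entry of PAM_USER further down would make the intent clear. A consequence worth documenting is that when PAM_USER is unset the function returns NULL and @{HOME}/@{SHELL} expand to the empty string, which matches the "(possibly non-existent)" wording in pam_env.conf(5). The single-line condition is also well past the file's usual line width and would read better split across lines.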
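Review bot: in the second pam_env.c hunk, the cast `(char *) itemval` drops const for no reason; pam_modutil_getpwnam takes a `const char *`, so `(const char *) itemval` is sufficient. The log message "No such user!?" should name the user so the line is actionable in a syslog stream, e.g. `pam_syslog(pamh, LOG_ERR, "no such user: %s", (const char *) itemval);`, and since pam_env can run before the user has been validated, a missing passwd entry here is an expected condition rather than a module fault, so consider whether LOG_ERR is the right level. Finally, the returned `pw_dir`/`pw_shell` pointers point into the struct passwd buffer obtained from pam_modutil_getpwnam rather than into a PAM item, so the caller relies on that buffer staying valid; a comment stating that pam_modutil_getpwnam keeps its buffer alive on the handle would document the assumption.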
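Review bot: in the first pam_env.conf.5.xml hunk, "the values for the user from his passwd entry" should be gender-neutral, e.g. "the values from the user's passwd entry". Since the paragraph is being rewritten anyway, the pre-existing run-on in the unchanged context, "to be used as literal values values can be delimited with """, is missing a full stop between "literal values" and "values can be delimited". It would also be worth stating the security-relevant distinction explicitly: ${HOME} is taken from the environment and may be unset or supplied by the application, whereas @{HOME} and @{SHELL} come from the passwd database and are therefore reliable regardless of what the calling application exported.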
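Review bot: in the example hunk of pam_env.conf.5.xml, the added line `XDG_DATA_HOME @{HOME}/share/` sets a value that differs from the XDG Base Directory default of $HOME/.local/share, and readers tend to copy manual page examples verbatim; either use the spec default or pick a variable name that does not carry a predefined meaning. The trailing slash is also inconsistent with the other PATH-style examples in the block, which have none.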