Monday, June 4, 2012

On Linux, how do I set the PATH for non-interactive, non-login shells? e.g. for the case of rksh?

Non-interactive, non-login shells inherit the PATH from the ssh process, so we must set the PATH with ssh. Some shells, like Korn Shell (ksh, rksh, pksh), only parse user environment files in login shells, so there's no way to change the inherited environment in non-interactive, non-login shells.
  • To set the path globally, build a custom ssh with the needed default path.
  • To set the path for a particular user, first configure ssh to use custom environments by enabling "PermitUserEnvironment" in /etc/ssh/sshd_config: PermitUserEnvironment yes
  • Restart sshd
  • Then set the path in that user's authorized_keys file or using ~/.ssh/environment.
  • Note that you need to set all of the important shell variables. The existence of ~/.ssh/environment seems to preclude the setting of default environment variable values.
  • So, for example, given a location for binaries for rksh (restricted korn shell), /usr/restricted/bin, place the following in ~/.ssh/environment:
HOME=/home/username
LOGNAME=username
MAIL=/var/mail/username
PATH=/usr/restricted/bin
PWD=/home/username
SHELL=/bin/rksh
SHLVL=1
USER=username

  • Note: replace username with the login of the user. Then, optionally, lock down write access to ~/.ssh/environment:
    • Set the classical permissions:
      • chown root:root /home/username/.ssh/environment
      • chmod 644 /home/username/.ssh/environment
    • Or, place the file in a restricted SELinux context and then configure an SELinux ACL restricting access.
    • Or, set a POSIX ACL on the file to limit access.
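
A check for the ~/.ssh/environment file described above, added here as an example and not part of the original post: it reports variables outside the post's list, empty or relative PATH components, and group or world write permission. The function name audit_ssh_environment and the use of the post's variable list as an allowlist are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh/environment file before sshd is allowed to use it.
# Assumption: only the variables listed in the post are needed for this account.
ALLOWED="HOME LOGNAME MAIL PATH PWD SHELL SHLVL USER"

# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_ssh_environment() {
    file=$1
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    [ -f "$file" ] || { report "missing: $file"; return 1; }

    # A group- or world-writable file defeats the lock-down described above.
    mode=$(ls -ld -- "$file" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) report "writable by group/other: $mode" ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                        # nothing to check
            *=*) ;;
            *) report "not NAME=value: $line"; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in ''|*[!A-Za-z0-9_]*) report "not NAME=value: $line"; continue ;; esac
        # Off-list names such as LD_PRELOAD can alter how commands are loaded.
        case " $ALLOWED " in
            *" $name "*) ;;
            *) report "unexpected variable: $name" ;;
        esac
        if [ "$name" = PATH ]; then
            # An empty component means "current directory"; a relative one
            # resolves against wherever the command happens to run.
            case ":$value:" in *::*) report "PATH has an empty component" ;; esac
            case ":$value" in *:[!/:]*) report "PATH has a relative component" ;; esac
        fi
    done < "$file"

    [ "$findings" -eq 0 ]
}

# Constructed sample: lines from the post plus two problems.
demo=$(mktemp)
printf '%s\n' 'HOME=/home/username' 'PATH=/usr/restricted/bin:bin' \
    'LD_PRELOAD=/tmp/x.so' 'SHELL=/bin/rksh' > "$demo"
audit_ssh_environment "$demo" || echo "findings above: fix before use"
rm -f "$demo"
```
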