login.conf changes silently ignored

20-100

I want to define global environment variables and whatever I put in /etc/profile and /etc/shrc is ignored, so I tried to do it in /etc/login.conf.

The default one contains only comments, so I defined:

default:\ :path=/opt/bin /usr/pkg/bin ...etc... /bin:\ :setenv=MYVAR=itsvaalue:

I made sure the file ends with an empty line and ran cap_mkdb /etc/login.conf, but my changes were ignored.
I tried to execute /usr/sbin/usermod -L default myuser, but no luck.
I then tried to change the 'default' class name to 'users' and ran /usr/sbin/usermod -L users myuser, still without success.
Of course, as it didn't work by logging out and in again, I've also tried to reboot, with the same result.

Is it a bug or is there another way under NetBSD to define system-wide environment variables?

rvp

20-100 I can confirm that unless overridden elsewhere, both PATH and env. vars set in /etc/login.conf stick. No changes other than editing /etc/login.conf is needed. No need to run cap_mkdb either; nor even usermod to add a class (either default or users).

Your PATH and env. vars are being overridden somewhere.
You could also make these kind of changes to the files in /etc/skel/.*--which gets copied over when new accounts are created.

20-100

I've deleted /root/.profile (+ .shrc and other files copied from /etc/skel), same for my non-root user.
I've then checked and cleaned /etc/profile et al.
I've checked /etc/rc.conf, /etc/default/rc.conf, plus all files in /etc/rc.d and /usr/pkg/etc.
I've even checked sysctl -A.
Same result: my PATH is set to /bin:/usr/bin:/usr/pkg/bin:/usr/local/bin:/usr/X11R7/bin, full stop.

rvp

20-100 Same result: my PATH is set to /bin:/usr/bin:/usr/pkg/bin:/usr/local/bin:/usr/X11R7/bin, full stop.

Hmm. That last component, /usr/X11R7/bin, is interesting. It's not usually included in PATH. Any extra PAM modules in your installaion, like pam_env.so in Linux, which read files like /etc/environment?

Time for some tracing. ~~Since NetBSD's dtrace does not support string or * pointer dereferences,~~ (Not needed--see post below for a dtrace(1) script) we'll go with ktrace to trace PATH changes across login and its descendants :

Copy this script to /root/login.sh; make it executable: chmod 755 /root/login.sh:

#!/bin/sh

ktrace -a -d -f /tmp/ktrace.out -i -tav -- /usr/bin/login "$@"

Backup /etc/gettytab and modify it as shown to call /root/login.sh

--- /etc/gettytab.orig  2020-09-23 08:48:07.000000000 +0000
+++ /etc/gettytab       2020-09-30 22:03:38.191516047 +0000
@@ -10,7 +10,7 @@
 # entries, and in cases where getty is called with no table name
 #
 default:\
-       :ce:ck:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:
+       :ce:ck:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:lo=/root/login.sh:
 
 #
 # Fixed speed entries

Reboot, then track PATH changes as follows:

kdump -f /tmp/ktrace.out | fgrep '"PATH='

Find out who's setting that default PATH.

20-100

I have nothing in /etc/pam.d.
However, I have tried your suggestion and login.sh wasn't called.
It was so weird that I suspected XDM... Bingo!
It is however very annoying that the login process is entirely different when using a display manager.
/etc/profile and ~/.profile don't even get called!

rvp

20-100 Ah! you didn't tell me your were logging in via XDM--which bypasses getty entirely (in fact, it replaces it and login, too).

Looks like you'll have to modify ~/.xsession.
Or, write a pam_env.so to read a file like /etc/environment. Easy enought to write one.

rvp

If, in future, you ever want to track environment variable changes like this, (and without running ktrace(1) which requires you to select some process), you use the script below which uses dtrace(1). The script output is not as clean as the kdump(1) one, but, DTrace lets you scan all processes on the system.

Warning: I don't expect the method I've used--which involves trawling through the kernel's proc structure--to work on anything other than NetBSD. I have another, generic, version which works on FreeBSD (and should also on other OSes with DTrace), but, as explained in the script, that version doesn't work on PIE/PIC executables on NetBSD.

Enjoy.

#!/bin/sh
#
# env-trace.sh - Show environment variables of (new) programs using dtrace(1).
# Warning: this script is weird: it contains 3 languages: shell, awk & dtrace.
# Modify at your own peril.

set -eu

me=${0##*/}
PAT=""

usage()
{
	printf '%s: Show enviroment variables of (new) programs using DTrace.\n' $me
	printf 'Usage: %s [-h] -p STR\n' $me
	printf '
    -h      This help message.
    -p STR  The string to search for in environment. Eg. "PATH="
            Use "=" to show all environment vars.
'
}

while getopts hp: opts
do	case $opts in
	h)	usage
		exit 0
		;;
	p)	PAT="$OPTARG"
		;;
	\?)	usage 1>&2
		exit 1
		;;
	esac
done
shift $((OPTIND - 1))

if [ -z "$PAT" ]
then	printf 1>&2 '%s: ERROR: empty search string\n' $me
	printf 1>&2 'Try "-h" for help.\n'
	exit 1
fi

# Do NOT remove "exec"--it is required for proper functioning.
#
exec sed -n -e '/^\/\* ___DTRACE_CODE_START___ \*\/$/,/^\/\* ___DTRACE_CODE_END___\*\/$/p' $0 |
sudo dtrace -q -s /dev/stdin |
awk -v PAT=$PAT '

#
# Hex string -> ASCII char
# Adapted from the Gawk Manual at https://gnu.org/software/gawk/
#
function xtochr(str,	c, i, k, n, ret)
{
	n = length(str)
	ret = 0
	for (i = 1; i <= n; i++) {
		c = substr(str, i, 1)
		c = tolower(c)
		# index() returns 0 if c not in string,
		# includes c == "0"
		k = index("123456789abcdef", c)

		ret = ret * 16 + k
	}
	return ret
}

BEGIN {
	str = ""
}
{
	if ($0 == "             0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  0123456789abcdef") {
		next		# skip tracemem() header
	}
	if ($0 !~ /^[[:blank:]]+[[:xdigit:]]+: ([[:xdigit:]]{2} ){1,16}[[:blank:]]+(.){1,16}$/) {
		print		# pass-through everything else
		next
	}
	# Convert hex dump back into ASCII and search
	# for the string we want.
	#
	for (i = 2; i <= NF; i++) {
		if (i == 18)	# skip ASCII component entirely
			break;
		c = xtochr($i)
		if (c == 0) {	# end-of-string marker
			if (index(str, PAT) > 0)
				printf("%s\n", str)
			str = ""
		}
		str = str sprintf("%c", c)
	}
}
'

/* ___DTRACE_CODE_START___ */
/*
 * On NetBSD, the standard "syscall::execve:{entry,return}" probe stuff
 * glitches occasionally when copying stuff from userspace for standard
 * executables, and fails completely for position-independent executables.
 * So, we the "proc" provider which is _highly_ kernel specific.
 */ 
proc:::create
/pid != $pid/
{
	printf("%d %d %s", uid, pid, execname);

	/* Copy `struct ps_strings' from userspace. */
	pss = (struct ps_strings *)copyin(args[0]->p_psstrp, sizeof (struct ps_strings));

	/* Copy env. ptr. array from userspace. */
	envc = pss->ps_nenvstr;		/* no. of env. strings */
	printf(" envc=%d", envc);
	envp = (uintptr_t)pss->ps_envstr;
	addrs = (uintptr_t *)copyin(envp, envc * sizeof (uintptr_t));

	/* Copy env. string array from userspace. */
	first = addrs[0];		/* addr. of first env. string */
	last = addrs[envc - 1];		/* addr. of last env. string */
	s = copyinstr(last);		/* copy last env. string from US */
	n = strlen(s) + 1;		/* must include '\0' at end */
	len = (last - first) + n;	/* actual size of env. strings */
	printf(" len=%d", len);
	buf = copyin(first, len);

	/*
	 * stringof(copyin(buf, len)); followed by printf("%S\n");
	 * prints the whole buffer safely when the buffer is the one
	 * associated with read(2) and write(2), but, stringof()
	 * truncates at the first '\0' in our case, so we dump
	 * the buffer using tracemem() and munge it back into
	 * ASCII using awk(1).
	 */
	tracemem(buf, 5000, len);
	printf("\n");
}

proc:::exec-success
/pid != $pid/
{
	printf("%d %d executed=%s\n\n", uid, pid, execname);
}

proc:::exit
/pid != $pid/
{
}
/* ___DTRACE_CODE_END___ */

20-100

Thanks a lot! 🙂