How to set system-wide environment variables on OS X Mavericks

The correct file, prior to Mavericks, was ~/.MacOSX/environment.plist. This is no longer supported.

In Darwin, and therefore in Mac OS X, the proper place to set these is in /etc/launchd.conf to apply to all processes; if relating to user shells specifically, use the appropriate shell files instead, depending on the shell in question. See the launchd.conf and launchctl man pages for more.

That said...

If you're goal is specifically to see these applied for ssh sessions then you need to be aware that ssh, for security reasons, doesn't apply environment variables in this manner. In fact a ssh session normally receives a much more restrictive set of environment variables from the OS as it's not what is known as a "login" or "interactive" shell, it's classified as an "non-interactive" shell. (See man bash for more on shell types.) The way ssh handles environment variables is well covered in the ssh/sshd docs and man pages.

For ssh -- which is it's own shell, akin to bash -- environment variables for the session are stored in ~/.ssh/environment as the per-user equivalent of setting these for bash or csh, etc in their relevant launch files. This is probably where you want to set your ENV variables for your user ssh sessions, though you don't detail why you're looking to assign ENVs globally in your original post, which would have been helpful in providing a solution. I'd suggest you set them explicitly on a user per user basis to maintain proper security based on each respective account following the least restrictive privilege/attribute best practice.

If for some reason you wish to ignore he security implications of this, then set PermitUserEnvironment in your ssh configs. Note that this is disabled if UseLogin is enabled. IMPORTANT: Realize that this means that user accounts set to use /bin/false as their shell - the typical method for disabling a user account - can now potentially get around this restriction and could now become active, which is dangerous. Many accounts are set to use /bin/false as their shell as a security expectation.

Bottom line is you shouldn't be doing this globally and expecting ssh to propagate ENV for security reasons. Your question is, effectively, purposely asking how to defeat several mechanisms that exist for security reasons.


If you are using bash, then setting the environment variables in /etc/profile will apply for all users.

From the bash manual on OS X Mavericks, with my emphasis (this has not changed from previous versions):

When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
...
If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible, while conforming to the POSIX standard as well. When invoked as an inter-active interactive active login shell, or a non-interactive shell with the --login option, it first attempts to read and execute commands from /etc/profile and ~/.profile, in that order.


What you (and anyone else finding this question) are almost certainly looking for is the following path:

/private/etc/paths

You can always put your edits into the /private/etc/paths.d if you want to avoid changing the main system default "paths" configuration document, but then they will be appended to the end of your $PATH variable, so if you want to add directories at the front of $PATH (to override default system utilities, for example), you'll just have to edit the main /private/etc/paths file itself and add those to the top of the list. For example, I do this for a folder in which I store a handful of scripts I made myself, along with a few key utilities, such as mozjpeg, that I want the system to always use instead of the defaults it comes with (that way all the jpeg files saved by pretty much any program get automatically compressed by up to 10 % more than the regular system cjpeg utility would compress them - I've read that the reason it isn't default on most systems is because it's much slower, but when you're talking something like 0.14 seconds as opposed to 0.02 seconds, the "slower by a factor of 7" doesn't really mean much of anything... assuming this is not a server, of course). I know plenty of people will probably warn about the potential "danger" of making edits this deeply in the system, but I'd say that if you're looking for an answer like this, you probably know enough to deal with any utility naming conflicts that may potentially arise in the future, and simply making your changes in /private/etc/paths really does propagate them to all users/logins/instances possible - all programs, shells, etc will use the paths in that file to build the base of their $PATH variable.

To be honest, I'm quite surprised no one else here mentioned this yet. All that messing around with launchd and distractions about SSH-specific uses... this is the solution anyone searching for this basic issue is really looking for - the clean, straight-to-the-source, always-working solution.

By the way, in case you're wondering, on OS X /etc is simply a symlink to /private/etc, so you could just as easily do sudo nano /etc/paths and get to the same exact place. The above path is just the complete actual path of the file.