author | Simon Rettberg | 2018-03-10 15:10:06 +0100 |
---|---|---|
committer | Simon Rettberg | 2018-03-10 15:10:06 +0100 |
commit | d90bf98f508957b4c996139e078e963febd163bb (patch) | |
tree | fb5bad4ef149ece78364fa89df97bc23602b0b98 | |
parent | [pam-slx-plug] Implement session open/close handling (diff) | |
[pam/runvirt/..] Move .account and .home into .openslx subdirectory
Create separate tmpfs for .openslx to make sure the user cannot rename,
edit or remove the files. It's a subdir of $HOME which has 0700, so
no other user will be able to read it.
4 files changed, 19 insertions, 17 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index dbc6cb5d..16b1af5a 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -121,16 +121,17 @@ if ! awk '{print $2}' /proc/mounts | grep -Fxq -- "${TEMP_HOME_DIR}"; then
 if ! mkdir -p "${TEMP_HOME_DIR}"; then
 slxlog --echo "pam-global-mktemphome" "Could not create '${TEMP_HOME_DIR}'."
 fi
- if ! mount -t tmpfs -o mode=700,size=1024m tmpfs "${TEMP_HOME_DIR}"; then
+ if ! mount -t tmpfs -o "uid=${USER_UID},gid=${USER_GID},mode=0700,size=1024m" tmpfs "${TEMP_HOME_DIR}"; then
 slxlog --echo "pam-global-tmpfstemphome" "Could not make a tmpfs on '${TEMP_HOME_DIR}'"
 fi
- if ! chown "${USER_UID}:${USER_GID}" "${TEMP_HOME_DIR}"; then
- slxlog --echo "pam-global-chpersistent" "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."
- fi
+ # mount another tmpfs into subdir so we can create files that the user cannot modify
+ # but still read, while at the same time preventing any other user from reading it
+ mkdir -p "${TEMP_HOME_DIR}/.openslx"
+ mount -t tmpfs -o size=1m,uid=0,gid=0,mode=0755 tmpfs "${TEMP_HOME_DIR}/.openslx"
 fi
 if [ -n "${REAL_ACCOUNT}" ]; then
- echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.account"
- chmod 0644 "${TEMP_HOME_DIR}/.account"
+ echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/account"
 fi
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_auth b/core/modules/pam/data/opt/openslx/scripts/pam_script_auth
index 24edf4cc..60604874 100755
--- a/core/modules/pam/data/opt/openslx/scripts/pam_script_auth
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_auth
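Review bot: The new `mkdir -p` and `mount` for `${TEMP_HOME_DIR}/.openslx` are unchecked, unlike the home tmpfs mount just above them, so if the second mount fails `.openslx` stays an ordinary directory inside a tmpfs that now belongs to the user (`uid=${USER_UID}`) and the guarantee stated in the added comment silently no longer holds. The following `echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"` would then write, presumably as root, through a path the user is able to rename or replace. I would wrap the call like the first mount, `if ! mount -t tmpfs -o size=1m,uid=0,gid=0,mode=0755,nosuid,nodev,noexec tmpfs "${TEMP_HOME_DIR}/.openslx"; then slxlog --echo "<log-tag>" "Could not make a tmpfs on '${TEMP_HOME_DIR}/.openslx'"; fi`, and skip the account write when it failed. The same unchecked pair is added in the first hunk of `pam_script_auth`, where the neighbouring failures `exit 1`. The enclosing `if` starts above this hunk.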
@@ -51,13 +51,14 @@ if ! mount | grep -q -F " ${TEMP_HOME_DIR} "; then
 exit 1
 fi
 # now make it a tmpfs
- if ! mount -t tmpfs -o mode=700,size=1024m tmpfs "${TEMP_HOME_DIR}"; then
+ if ! mount -t tmpfs -o "uid=${USER_UID},gid=${USER_GID},mode=0700,size=1024m" tmpfs "${TEMP_HOME_DIR}"; then
 slxlog "pam-global-tmpfstemphome" "Could not make a tmpfs on ${TEMP_HOME_DIR}"
 exit 1
 fi
- if ! chown "${USER_UID}:${USER_GID}" "${TEMP_HOME_DIR}"; then
- slxlog "pam-global-chpersistent" "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."
- fi
+ # mount another tmpfs into subdir so we can create files that the user cannot modify
+ # but still read, while at the same time preventing any other user from reading it
+ mkdir -p "${TEMP_HOME_DIR}/.openslx"
+ mount -t tmpfs -o size=1m,uid=0,gid=0,mode=0755 tmpfs "${TEMP_HOME_DIR}/.openslx"
 fi
 ###############################################################################
@@ -83,8 +84,8 @@ if [ -e "${PERSISTENT_MOUNT_SCRIPT}" ] && ! mount | grep -q -F " ${PERSISTENT_HO
 . "${PERSISTENT_MOUNT_SCRIPT}" \
 || slxlog "pam-global-sourcepersistent" "Could not source '${PERSISTENT_MOUNT_SCRIPT}'."
 if [ -n "${REAL_ACCOUNT}" ]; then
- echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.account"
- chmod 0644 "${TEMP_HOME_DIR}/.account"
+ echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/account"
 fi
 fi
 fi # end "mount-home-script-exists"
diff --git a/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials b/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
index 211f780e..c1761d2d 100644
--- a/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
+++ b/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
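Review bot: The write to `${TEMP_HOME_DIR}/.openslx/account` in the second hunk assumes the root-owned tmpfs is in place, but as far as the hunks show that mount is only created in the branch taken when `${TEMP_HOME_DIR}` was not yet mounted, and nothing here re-checks it. If the home tmpfs already exists without the sub-mount, the redirect either fails unnoticed or lands in a directory the user controls. I would only write when the directory really is a mount point, e.g. `if mountpoint -q "${TEMP_HOME_DIR}/.openslx"; then echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.openslx/account"; fi`, and log the other case through `slxlog`. The same precondition applies to the `.openslx/home` write in `99-run_virt_credentials` and to the account write in `exec_auth`. The enclosing `if` blocks begin outside the hunk.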
@@ -9,8 +9,8 @@ if [ -n "$TEMP_HOME_DIR" ]; then
 fi
 if [ -n "$PERSISTENT_NETPATH" ]; then
 [ "x${PERSISTENT_NETPATH:0:2}" = "x//" ] && PERSISTENT_NETPATH=$(echo "$PERSISTENT_NETPATH" | tr '/' '\')
- echo "${PERSISTENT_NETPATH}" > "${TEMP_HOME_DIR}/.home"
- chmod 0644 "${TEMP_HOME_DIR}/.home"
+ echo "${PERSISTENT_NETPATH}" > "${TEMP_HOME_DIR}/.openslx/home"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/home"
 fi
 # pwdaemon
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_virtual_floppy.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_virtual_floppy.inc
index 42740059..605668c9 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_virtual_floppy.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_virtual_floppy.inc
@@ -66,8 +66,8 @@ setup_virtual_floppy() {
 slxlog "virt-pwdaemon" "Could not start pwdaemon"
 else
 sed -i 's/^/192.168.101.1\t/' "${SHARES}" # TODO: Depending on nettype (in case we have != nat some day)
- if [ "${SHARE_REMAP_MODE}" = 1 -o "${SHARE_REMAP_MODE}" = 2 ] && [ -e "${TMPHOME}/.home" ]; then
- NETHOME=$(cat "${TMPHOME}/.home")
+ if [ "${SHARE_REMAP_MODE}" = 1 -o "${SHARE_REMAP_MODE}" = 2 ] && [ -e "${TMPHOME}/.openslx/home" ]; then
+ NETHOME=$(cat "${TMPHOME}/.openslx/home")
 notempty SHARE_HOME_DRIVE || local SHARE_HOME_DRIVE="H:"
 # Tab between items, so spaces can be used!
 echo "${NETHOME} ${SHARE_HOME_DRIVE} Home-Verzeichnis" >> "${SHARES}"
@@ -107,7 +107,7 @@ setup_virtual_floppy() {
 # Write info file
 local UNAME=
- [ -s "${HOME}/.account" ] && UNAME=$(cat "${HOME}/.account")
+ [ -s "${HOME}/.openslx/account" ] && UNAME=$(cat "${HOME}/.openslx/account")
 notempty UNAME || UNAME=$(whoami)
 cat > "${TMPDIR}/openslx.ini" <<-EOF
 [openslx] |
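Review bot: `setup_virtual_floppy` reads the share path from `${TMPHOME}/.openslx/home` in its first hunk but the account name from `${HOME}/.openslx/account` in its second; if those two variables can ever differ, one of the reads misses the protected directory, so I would use the same base in both. The values go straight into `${SHARES}` and `openslx.ini`, and the reader only tests `-e` and `-s`, so it cannot tell a file on the root-owned tmpfs from one in a plain directory the user created. A cheap check is to require root ownership before trusting the content, for example `[ "$(stat -c %u "${TMPHOME}/.openslx/home")" = 0 ]` in front of the `cat`. The function body extends beyond both hunks.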