author | Simon Rettberg | 2018-12-04 13:20:56 +0100 |
---|---|---|
committer | Simon Rettberg | 2018-12-04 13:20:56 +0100 |
commit | 12abcf349af03264d1e038064976e5c34579391a (patch) | |
tree | 051ee6c04d419657436984f09b2a5cb7a7886ea1 /core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth | |
parent | [beamergui] Respawn beamergui if closed (diff) | |
download | mltk-12abcf349af03264d1e038064976e5c34579391a.tar.gz mltk-12abcf349af03264d1e038064976e5c34579391a.tar.xz mltk-12abcf349af03264d1e038064976e5c34579391a.zip |
[pam-slx-plug] Use caps from LDAP; allow running auth as user
Allow running exec_auth if the checked user is the user the script is
running as.
When writing user to /etc/passwd, use the spelling as supplied from the
LDAP server.
Diffstat (limited to 'core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth')
-rwxr-xr-x | core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 6f1dc0ae..99d5afa8 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -8,7 +8,7 @@ readonly USER_PASSWORD
 [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
 USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
 # Needed as pam_script clears PATH
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -20,10 +20,17 @@ if echo "$PAM_USER" | grep -Fq ':'; then
 fi
 # check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
+[ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
-# See if we have a shadow entry - skip user in that case
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+if [ "$PAM_USER" = "root" ]; then
+# See if we have a shadow entry - skip user in that case
+grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+else
+# Running in user context - user must be known from before
+grep -q "^${PAM_USER}:x:.*:.*:${PAM_USER}@SLX:" "/etc/passwd" || exit 1
+fi
 # ppam -- pluggable pluggable authentication module
 # Source all scripts in the auth-source.d directory
@@ -101,7 +108,7 @@ if [ -n "$GROUPENT" ]; then
 echo "$GROUPENT" >> '/etc/group'
 fi
 fi
-readonly USER_GID USER_GROUP
+readonly USER_GID USER_GROUP USER_NAME
 . /opt/openslx/pam/common/homedir-passwd
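Review bot: The new branch `if [ "$PAM_USER" = "root" ]; then` in the second hunk appears to test the wrong variable: its else-arm comment says "Running in user context", yet the condition keys on the account being authenticated rather than on the just-introduced `SCRIPT_USER`, so every non-root PAM_USER is routed to the /etc/passwd lookup even when the script runs as root, which would reject the first login of an LDAP user not yet present in /etc/passwd; if that reading is right, the intended line is `if [ "$SCRIPT_USER" = "root" ]; then`. The comment `# check if the script runs as root` above the new three-way test is now stale, since the check also accepts the user being checked; suggest `# must run as root, or as the very user being authenticated`. Both `grep -q` patterns interpolate `$PAM_USER` unescaped as a regex: the hunk header shows a ':' is already rejected, but other metacharacters are not, and for the passwd lookup `.*:.*` can span fields, so anchoring the name as a fixed string (e.g. via `getent passwd "$PAM_USER"` and comparing fields) would be more robust than a regex built from the login name. The script continues past the last hunk (homedir-passwd is sourced), so how USER_NAME is assigned before the final `readonly` is not visible here.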