authorSimon Rettberg2018-12-04 13:20:56 +0100
committerSimon Rettberg2018-12-04 13:20:56 +0100
commit12abcf349af03264d1e038064976e5c34579391a (patch)
tree051ee6c04d419657436984f09b2a5cb7a7886ea1 /core/modules/pam-slx-plug/data
parent[beamergui] Respawn beamergui if closed (diff)
[pam-slx-plug] Use caps from LDAP; allow running auth as user
Allow running exec_auth if the checked user is the user the script is running as. When writing user to /etc/passwd, use the spelling as supplied from the LDAP server.
Diffstat (limited to 'core/modules/pam-slx-plug/data')
-rw-r--r--core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap9
-rw-r--r--core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd5
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth17
3 files changed, 23 insertions, 8 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index 3e20d8ed..cab6c0a6 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -83,6 +83,9 @@ run_auth() {
[ -z "$BINDDN" ] && BINDDN=$(extract_field "distinguishedName" "$SEARCH_ANON")
[ -z "$BINDDN" ] && return 1
# User exists
+ # Get proper capitalization
+ RET=$(extract_field "uid" "$SEARCH_ANON")
+ [ -n "$RET" ] && USER_NAME="$RET"
if [ "$PAM_TYPE" = "account" ]; then
# 'account' checks just if the user is allowed to log in, bail out
USER_UID=$(extract_field "uidNumber" "$SEARCH_ANON")
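Review bot: The directory-supplied `uid` assigned at `RET=$(extract_field "uid" "$SEARCH_ANON")` replaces USER_NAME without being compared to PAM_USER, so the name later written to /etc/passwd and interpolated into the sed patterns of homedir-passwd is whatever the server returns, not merely a re-spelling of the login that was authenticated. The ':' check that exec_auth applies to PAM_USER (visible in the exec_auth hunk below) does not cover this value. A case-insensitive equality check keeps the stated intent while bounding the value, e.g. `[ -n "$RET" ] && [ "$(printf '%s' "$RET" | tr '[:upper:]' '[:lower:]')" = "$(printf '%s' "$PAM_USER" | tr '[:upper:]' '[:lower:]')" ] && USER_NAME="$RET"`. run_auth begins before this hunk and continues past it.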
@@ -92,7 +95,11 @@ run_auth() {
fi
SEARCH_USER=$(mktemp)
TEMPFILES_LDAP="$TEMPFILES_LDAP $SEARCH_USER"
- PW="/run/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ if [ -z "$SCRIPT_USER" ] || [ "$SCRIPT_USER" = "root" ]; then
+ PW="/run/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ else
+ PW="/run/user/${USER_UID}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ fi
for retries in 0 1 1 0; do
if ! mkfifo -m 0600 "${PW}"; then
slxlog "pam-slxldap-fifo" "Could not create FIFO at ${PW}"
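Review bot: The user-context path `PW="/run/user/${USER_UID}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"` depends on USER_UID, but the only assignment to it visible in this file is inside the `account` branch of the previous hunk; if the auth path reaches this line with USER_UID unset, the FIFO is attempted at `/run/user//pw.…`, i.e. directly in /run/user. If it is indeed unset here, populate it before use or guard with `[ -n "$USER_UID" ] || return 1`. The `[ -z "$SCRIPT_USER" ]` fallback to the root path is only correct when the sourcing script always sets SCRIPT_USER, which deserves a comment such as `# SCRIPT_USER is set by exec_auth; empty only if sourced elsewhere`. run_auth continues outside the hunk.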
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
index 006f1c81..53ed1a5b 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
@@ -19,9 +19,10 @@ fi
readonly USER_HOME
# Add/replace passwd entry if it doesn't exist yet
-LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}:${USER_HOME}:/bin/bash"
+LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}@SLX:${USER_HOME}:/bin/bash"
readonly LINE_PASS
if ! grep -Fxq -- "${LINE_PASS}" /etc/passwd; then
- sed -i "/^${USER_NAME}:/d" /etc/passwd
+ # Make sure there's no existing line with same uid or uidNumber
+ sed -i -r "/^${USER_NAME}:/d;/^[^:]*:x:${USER_UID}:/d" /etc/passwd
echo "${LINE_PASS}" >> /etc/passwd
fi
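Review bot: The new uid-based deletion `/^[^:]*:x:${USER_UID}:/d` removes any existing passwd line carrying the directory-supplied uidNumber, system accounts included, and nothing in this hunk restricts USER_UID to a non-system range; unless such a check exists upstream (not visible here), a `uidNumber` of 0 would drop root's own entry. A guard before the sed such as `[ "$USER_UID" -ge 1000 ] || exit 1` (the threshold is a placeholder for the site's local-account range) bounds that. Both patterns also interpolate USER_NAME and USER_UID into an extended regex unescaped; USER_UID is safe once validated as numeric, but USER_NAME should be restricted to a safe character set or compared exactly field by field.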
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 6f1dc0ae..99d5afa8 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -8,7 +8,7 @@ readonly USER_PASSWORD
[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
# Needed as pam_script clears PATH
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -20,10 +20,17 @@ if echo "$PAM_USER" | grep -Fq ':'; then
fi
# check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
+[ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
-# See if we have a shadow entry - skip user in that case
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+if [ "$PAM_USER" = "root" ]; then
+ # See if we have a shadow entry - skip user in that case
+ grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+else
+ # Running in user context - user must be known from before
+ grep -q "^${PAM_USER}:x:.*:.*:${PAM_USER}@SLX:" "/etc/passwd" || exit 1
+fi
# ppam -- pluggable pluggable authentication module
# Source all scripts in the auth-source.d directory
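Review bot: The branch condition `if [ "$PAM_USER" = "root" ]; then` appears to test the wrong variable: the two comments describe root context versus user context, which is the distinction SCRIPT_USER now carries, and with the current test every non-root login takes the else branch and is rejected unless a `@SLX` passwd line already exists, which would block first logins even when running as root. If that is not intended, the line should read `if [ "$SCRIPT_USER" = "root" ]; then`. Separately, both grep patterns interpolate PAM_USER as a regex; the ':' check above excludes the field separator but not `.` or `*`, so `a.b` also matches a line for `axb`. Restricting PAM_USER to a safe character set right after that check, e.g. `case "$PAM_USER" in *[!A-Za-z0-9_-]*) exit 1 ;; esac`, makes the patterns exact (allow `.` only if it is escaped). The `fi` at the top of the hunk closes an `if` that begins outside it.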
@@ -101,7 +108,7 @@ if [ -n "$GROUPENT" ]; then
echo "$GROUPENT" >> '/etc/group'
fi
fi
-readonly USER_GID USER_GROUP
+readonly USER_GID USER_GROUP USER_NAME
. /opt/openslx/pam/common/homedir-passwd