authorSimon Rettberg2019-06-28 16:08:18 +0200
committerroot2019-06-28 17:12:39 +0200
commit2318dd33592a354465de4496a99b6d02ada2fa41 (patch)
tree664a6e6ca8b11b2059f5c4538ff45286525d9afc /core/modules/pam-slx-plug
parent[pam-bwidm] Improve some checks; only generate UID if none yet (diff)
[pam-slx-plug] Add auth-final-exec hook
On successful authentication, run every executable in the directory /opt/openslx/pam/hooks/auth-final-exec.d. Unlike the old pam_script_auth.d directory, this applies no matter which authentication module succeeded. Note that the password is NOT exposed to these hooks, and they are only run if the PAM stack is executing in root context.
Diffstat (limited to 'core/modules/pam-slx-plug')
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final39
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config1
2 files changed, 40 insertions, 0 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final
new file mode 100755
index 00000000..3d12d20f
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final
@@ -0,0 +1,39 @@
+#!/bin/ash
+
+# This is executed in the pam_auth phase, after any real
+# authentication module succeeded. It will execute all scripts in
+# /opt/openslx/pam/hooks/auth-final-exec.d
+# This is in contrast to /opt/openslx/pam/hooks/auth-slx-success.d
+# which only executes if one of the pam-slx-plugins succeeded authing,
+# but then offers further variables detailing the auth environment.
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# Remove password from stdin
+cat &> /dev/null &
+waitpid=$!
+
+# Only as root
+[ "$(whoami)" != "root" ] && exit 0
+
+source_dir=/opt/openslx/pam/hooks/auth-final-exec.d
+readonly source_dir
+
+[ -d "$source_dir" ] || exit 0
+
+for file in $source_dir/*; do
+ [ -e "$file" ] || continue # Dir empty, will be the unglobbed string
+ if ! [ -f "$file" ]; then
+ slxlog "pam-auth-final" "$file is not a file, ignoring"
+ continue
+ fi
+ if ! [ -x "$file" ]; then
+ slxlog "pam-auth-final" "$file is not executable!"
+ continue
+ fi
+ "$file" || slxlog "pam-auth-final" "$file didn't exit with code 0"
+done
+
+kill "$waitpid"
+
+exit 0
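Review bot: Every script in auth-final-exec.d is executed as root on each successful login, but the loop at `for file in $source_dir/*` only checks `-f` and `-x` and never that the hook (or the directory itself) is root-owned and not group/world-writable, so a writable hook path would hand root code execution to whoever can write there. The comment `# Remove password from stdin` also does not match this commit: the pam_exec line is added without `expose_authtok`, so no password arrives on stdin, while the background `cat` and each hook still race for the same stdin and `&>` is a bash extension that a plain ash build may not parse as a redirection. I would drop the background `cat`/`kill` pair, run each hook with `< /dev/null`, and skip hooks that fail an ownership/permission check; `find -user root ! -perm /022` is GNU/busybox syntax, so confirm it against the find shipped in this image. `source_dir` deserves the same root-owned, non-writable check before the loop.
```shell
for file in "$source_dir"/*; do
	[ -e "$file" ] || continue # Dir empty, will be the unglobbed string
	# … unchanged: -f / -x checks …
	# Hooks run as root on every successful login: refuse anything that is
	# not root-owned or is group/world-writable (find -perm /022: GNU/busybox)
	if ! find "$file" -maxdepth 0 -user root ! -perm /022 | grep -q .; then
		slxlog "pam-auth-final" "$file is not root-owned or is group/world-writable, ignoring"
		continue
	fi
	# Never let a hook consume whatever PAM left on our stdin
	"$file" < /dev/null || slxlog "pam-auth-final" "$file didn't exit with code 0"
done
```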
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
index 7de43b7e..a4daa837 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
@@ -135,6 +135,7 @@ if grep -q '<slx-autogen>' "/etc/pam.d/common-auth"; then
cat >> "$tmpfile" <<-HERE
auth optional pam_faildelay.so delay=2123123
auth requisite pam_deny.so
+ auth optional pam_exec.so quiet /opt/openslx/pam/exec_auth_final
auth required pam_permit.so
auth optional pam_cap.so
HERE
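Review bot: Because the new `pam_exec.so` line sits after `auth requisite pam_deny.so`, it can only be reached when an earlier module jumps over pam_deny with a `[success=N ...]` action; if any module above is plain `sufficient` the stack returns before this line and the hook never runs, and any existing jump count that targeted `pam_permit.so` now lands one line early — the lines above are outside the hunk, so confirm the offsets were adjusted for the inserted line. pam_exec runs the script with the privileges of the calling application and, without `expose_authtok`, passes no password on stdin, which is what the script's own root check is relying on; a comment in the generated config would make that visible, e.g. `# post-auth hooks: reached only via success=N jumps over pam_deny; authtok is not exposed`. `quiet` only suppresses the exit-status log, which is harmless here because the script always exits 0.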