authorSebastian2016-04-25 12:01:08 +0200
committerSebastian2016-04-25 12:01:08 +0200
commit5acda3eaeabae9045609539303a8c12c4ce401f1 (patch)
tree7e71975f8570b05aafe2ea6ec0e242a8912387bb /core/modules/pam/data
parentinitial commit (diff)
downloadmltk-5acda3eaeabae9045609539303a8c12c4ce401f1.tar.gz
mltk-5acda3eaeabae9045609539303a8c12c4ce401f1.tar.xz
mltk-5acda3eaeabae9045609539303a8c12c4ce401f1.zip
merge with latest dev version
Diffstat (limited to 'core/modules/pam/data')
l---------core/modules/pam/data/etc/pam-script/pam_script_auth1
l---------core/modules/pam/data/etc/pam-script/pam_script_ses_close1
l---------core/modules/pam/data/etc/pam-script/pam_script_ses_open1
-rw-r--r--core/modules/pam/data/etc/pam.d/common-account25
-rw-r--r--core/modules/pam/data/etc/pam.d/common-auth25
-rw-r--r--core/modules/pam/data/etc/pam.d/common-password33
-rw-r--r--core/modules/pam/data/etc/pam.d/common-session33
-rw-r--r--core/modules/pam/data/etc/pam.d/common-session-noninteractive31
-rw-r--r--core/modules/pam/data/etc/pam.d/kdm10
-rw-r--r--core/modules/pam/data/etc/pam.d/kdm-np11
-rw-r--r--core/modules/pam/data/etc/pam.d/login101
-rw-r--r--core/modules/pam/data/etc/pam.d/other10
-rw-r--r--core/modules/pam/data/etc/pam.d/passwd6
-rw-r--r--core/modules/pam/data/etc/pam.d/sshd41
-rw-r--r--core/modules/pam/data/etc/pam.d/vmware-authd6
-rw-r--r--core/modules/pam/data/etc/pam.d/xdm6
-rw-r--r--core/modules/pam/data/etc/security/pam_env.conf73
-rw-r--r--core/modules/pam/data/etc/tmpfiles.d/pipefs.conf2
-rwxr-xr-xcore/modules/pam/data/opt/openslx/scripts/pam_script_auth146
-rwxr-xr-xcore/modules/pam/data/opt/openslx/scripts/pam_script_ses_close83
-rwxr-xr-xcore/modules/pam/data/opt/openslx/scripts/pam_script_ses_open25
21 files changed, 670 insertions, 0 deletions
diff --git a/core/modules/pam/data/etc/pam-script/pam_script_auth b/core/modules/pam/data/etc/pam-script/pam_script_auth
new file mode 120000
index 00000000..319fba0e
--- /dev/null
+++ b/core/modules/pam/data/etc/pam-script/pam_script_auth
@@ -0,0 +1 @@
+/opt/openslx/scripts/pam_script_auth \ No newline at end of file
diff --git a/core/modules/pam/data/etc/pam-script/pam_script_ses_close b/core/modules/pam/data/etc/pam-script/pam_script_ses_close
new file mode 120000
index 00000000..f3682056
--- /dev/null
+++ b/core/modules/pam/data/etc/pam-script/pam_script_ses_close
@@ -0,0 +1 @@
+/opt/openslx/scripts/pam_script_ses_close \ No newline at end of file
diff --git a/core/modules/pam/data/etc/pam-script/pam_script_ses_open b/core/modules/pam/data/etc/pam-script/pam_script_ses_open
new file mode 120000
index 00000000..4f5598e5
--- /dev/null
+++ b/core/modules/pam/data/etc/pam-script/pam_script_ses_open
@@ -0,0 +1 @@
+/opt/openslx/scripts/pam_script_ses_open \ No newline at end of file
diff --git a/core/modules/pam/data/etc/pam.d/common-account b/core/modules/pam/data/etc/pam.d/common-account
new file mode 100644
index 00000000..4c464871
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/common-account
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/core/modules/pam/data/etc/pam.d/common-auth b/core/modules/pam/data/etc/pam.d/common-auth
new file mode 100644
index 00000000..752b810d
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/common-auth
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/core/modules/pam/data/etc/pam.d/common-password b/core/modules/pam/data/etc/pam.d/common-password
new file mode 100644
index 00000000..cb8c7b71
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/common-password
@@ -0,0 +1,33 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password [success=1 default=ignore] pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/core/modules/pam/data/etc/pam.d/common-session b/core/modules/pam/data/etc/pam.d/common-session
new file mode 100644
index 00000000..1a3ca2d1
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/common-session
@@ -0,0 +1,33 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_systemd.so
+session optional pam_env.so readenv=1
+session optional pam_env.so readenv=1 envfile=/etc/default/locale
+session optional pam_mkhomedir.so skel=/etc/skel umask=0022
+# end of pam-auth-update config
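Review bot: `session required pam_systemd.so` at L195 makes every session that includes this file (login, sshd, kdm and xdm in this commit) fail when the module is missing or cannot register the session with logind, which is why Debian's pam-auth-update ships it as optional; `session optional pam_systemd.so` behaves the same in the working case without turning a logind problem into a login failure. The pam_mkhomedir line at L198 uses `umask=0022`, which would create a world-readable 0755 home; if pam_script_auth from this commit runs first it already creates the home as a mode=700 tmpfs, so this line is presumably a fallback, but if it stays, `umask=0077` matches the tmpfs permissions. A comment above L195–L198 stating which of these the OpenSLX image actually relies on would help the next reader.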
diff --git a/core/modules/pam/data/etc/pam.d/common-session-noninteractive b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
new file mode 100644
index 00000000..5e0fe3f8
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/common-session-noninteractive
@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet use_uid
+session required pam_unix.so
+# end of pam-auth-update config
diff --git a/core/modules/pam/data/etc/pam.d/kdm b/core/modules/pam/data/etc/pam.d/kdm
new file mode 100644
index 00000000..e6a4ec9b
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/kdm
@@ -0,0 +1,10 @@
+#
+# /etc/pam.d/kdm - specify the PAM behaviour of kdm
+#
+auth required pam_nologin.so
+auth required pam_env.so readenv=1
+auth required pam_env.so readenv=1 envfile=/etc/default/locale
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
diff --git a/core/modules/pam/data/etc/pam.d/kdm-np b/core/modules/pam/data/etc/pam.d/kdm-np
new file mode 100644
index 00000000..dc10e5b5
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/kdm-np
@@ -0,0 +1,11 @@
+#
+# /etc/pam.d/kdm-np - specify the PAM behaviour of kdm for passwordless logins
+#
+auth required pam_nologin.so
+auth required pam_env.so readenv=1
+auth required pam_env.so readenv=1 envfile=/etc/default/locale
+session required pam_limits.so
+account include common-account
+password include common-password
+session include common-session
+auth required pam_permit.so
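Review bot: The auth stack ends in `auth required pam_permit.so` at L269 with no include of common-auth, so this service authenticates whatever user name kdm hands it; that is the purpose of a passwordless display-manager stack, but nothing in the file says what restricts it, and the header at L260 should state that access control is delegated entirely to kdm's no-password/autologin configuration and that no other service may reference this file. Suggested header line: `# NOTE: no credential is checked here; kdm must only use this service for users it is explicitly configured to log in without a password.` Also, `session required pam_limits.so` at L265 is the only place in this commit that enables pam_limits, while login (L355) and sshd (L445) leave it commented out with TODOs, so the decision should be made consistently.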
diff --git a/core/modules/pam/data/etc/pam.d/login b/core/modules/pam/data/etc/pam.d/login
new file mode 100644
index 00000000..1065f351
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/login
@@ -0,0 +1,101 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+# OpenSLX: Not Needed?
+#session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# TODO do we need this?
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+#auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# TODO do we need this?
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+#session required pam_limits.so
+
+# TODO check if this is needed
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Standard Un*x account and session
+account include common-account
+session include common-session
+password include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
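Review bot: The SELinux handling is half-disabled: the `pam_selinux.so close` rule at L319 is commented out as "OpenSLX: Not Needed?" while the `pam_selinux.so open` rule at L374 stays active. The comment at L313–L315 explains that close is what clears a lingering context before the other session modules run, so keeping one without the other is inconsistent; either restore L319 (`module_unknown=ignore` already makes it harmless when the module is absent) or drop L374 as well, and replace the question mark with a statement of the decision. The `TODO` items at L334, L352 and L357 (pam_group, pam_limits, pam_lastlog) should likewise be resolved or carry an owner, since pam_limits is enabled for kdm-np in this same commit (L265) but commented out here and in sshd (L445).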
diff --git a/core/modules/pam/data/etc/pam.d/other b/core/modules/pam/data/etc/pam.d/other
new file mode 100644
index 00000000..840eb77f
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/other
@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth required pam_warn.so
+auth required pam_deny.so
+account required pam_warn.so
+account required pam_deny.so
+password required pam_warn.so
+password required pam_deny.so
+session required pam_warn.so
+session required pam_deny.so
+
diff --git a/core/modules/pam/data/etc/pam.d/passwd b/core/modules/pam/data/etc/pam.d/passwd
new file mode 100644
index 00000000..32eaa3c6
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/passwd
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+password include common-password
+
diff --git a/core/modules/pam/data/etc/pam.d/sshd b/core/modules/pam/data/etc/pam.d/sshd
new file mode 100644
index 00000000..8954d639
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/sshd
@@ -0,0 +1,41 @@
+# PAM configuration for the Secure Shell service
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+auth required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+auth required pam_env.so envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+auth include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+account include common-account
+
+# Standard Un*x session setup and teardown.
+session include common-session
+
+# Print the message of the day upon successful login.
+session optional pam_motd.so # [1]
+
+# TODO do we need this?
+# Print the status of the user's mailbox upon successful login.
+#session optional pam_mail.so standard noenv # [1]
+
+# TODO do we need this?
+# Set up user limits from /etc/security/limits.conf.
+#session required pam_limits.so
+
+# Set up SELinux capabilities (need modified pam)
+# session required pam_selinux.so multiple
+
+# Standard Un*x password updating.
+password include common-password
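Review bot: xdm in this commit sets `session required pam_loginuid.so` (L474) but this file and login do not, so the audit login UID is only recorded for xdm sessions; adding `session required pam_loginuid.so` before the common-session include at L434 (and in login) makes ssh logins auditable the same way. The `# [1]` markers at L415, L437 and L441 refer to a footnote that does not exist in this file; either add the footnote or drop the markers.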
diff --git a/core/modules/pam/data/etc/pam.d/vmware-authd b/core/modules/pam/data/etc/pam.d/vmware-authd
new file mode 100644
index 00000000..1f9b60f9
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/vmware-authd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session include common-session
+
diff --git a/core/modules/pam/data/etc/pam.d/xdm b/core/modules/pam/data/etc/pam.d/xdm
new file mode 100644
index 00000000..d21651db
--- /dev/null
+++ b/core/modules/pam/data/etc/pam.d/xdm
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session required pam_loginuid.so
+session include common-session
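Review bot: Unlike kdm (`auth required pam_nologin.so` at L246) and sshd (`account required pam_nologin.so` at L424), this stack has no pam_nologin rule, so /etc/nologin does not block graphical logins through xdm; if that is unintended, add `auth required pam_nologin.so` before the common-auth include at L471. A one-line header comment naming the service, as the kdm files have, would also help.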
diff --git a/core/modules/pam/data/etc/security/pam_env.conf b/core/modules/pam/data/etc/security/pam_env.conf
new file mode 100644
index 00000000..d0ba35c2
--- /dev/null
+++ b/core/modules/pam/data/etc/security/pam_env.conf
@@ -0,0 +1,73 @@
+#
+# This is the configuration file for pam_env, a PAM module to load in
+# a configurable list of environment variables for a
+#
+# The original idea for this came from Andrew G. Morgan ...
+#<quote>
+# Mmm. Perhaps you might like to write a pam_env module that reads a
+# default environment from a file? I can see that as REALLY
+# useful... Note it would be an "auth" module that returns PAM_IGNORE
+# for the auth part and sets the environment returning PAM_SUCCESS in
+# the setcred function...
+#</quote>
+#
+# What I wanted was the REMOTEHOST variable set, purely for selfish
+# reasons, and AGM didn't want it added to the SimpleApps login
+# program (which is where I added the patch). So, my first concern is
+# that variable, from there there are numerous others that might/would
+# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
+#
+# Of course, these are a different kind of variable than REMOTEHOST in
+# that they are things that are likely to be configured by
+# administrators rather than set by logging in, how to treat them both
+# in the same config file?
+#
+# Here is my idea:
+#
+# Each line starts with the variable name, there are then two possible
+# options for each variable DEFAULT and OVERRIDE.
+# DEFAULT allows and administrator to set the value of the
+# variable to some default value, if none is supplied then the empty
+# string is assumed. The OVERRIDE option tells pam_env that it should
+# enter in its value (overriding the default value) if there is one
+# to use. OVERRIDE is not used, "" is assumed and no override will be
+# done.
+#
+# VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
+#
+# (Possibly non-existent) environment variables may be used in values
+# using the ${string} syntax and (possibly non-existent) PAM_ITEMs may
+# be used in values using the @{string} syntax. Both the $ and @
+# characters can be backslash escaped to be used as literal values
+# values can be delimited with "", escaped " not supported.
+# Note that many environment variables that you would like to use
+# may not be set by the time the module is called.
+# For example, HOME is used below several times, but
+# many PAM applications don't make it available by the time you need it.
+#
+#
+# First, some special variables
+#
+# Set the REMOTEHOST variable for any hosts that are remote, default
+# to "localhost" rather than not being set at all
+#REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
+#
+# Set the DISPLAY variable if it seems reasonable
+#DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
+#
+#
+# Now some simple variables
+#
+#PAGER DEFAULT=less
+#MANPAGER DEFAULT=less
+#LESS DEFAULT="M q e h15 z23 b80"
+#NNTPSERVER DEFAULT=localhost
+#PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
+#:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
+#
+# silly examples of escaped variables, just to show how they work.
+#
+#DOLLAR DEFAULT=\$
+#DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
+#DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
+#ATSIGN DEFAULT="" OVERRIDE=\@
diff --git a/core/modules/pam/data/etc/tmpfiles.d/pipefs.conf b/core/modules/pam/data/etc/tmpfiles.d/pipefs.conf
new file mode 100644
index 00000000..44e0924c
--- /dev/null
+++ b/core/modules/pam/data/etc/tmpfiles.d/pipefs.conf
@@ -0,0 +1,2 @@
+d /var/run/rpc_pipefs 0755 root root
+
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_auth b/core/modules/pam/data/opt/openslx/scripts/pam_script_auth
new file mode 100755
index 00000000..0fe73cbd
--- /dev/null
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_auth
@@ -0,0 +1,146 @@
+#!/bin/ash
+
+# Needed as pam_script clears PATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# check if the script runs as root
+[ "x$(whoami)" != "xroot" ] && exit 0
+
+PASSWD=$(getent passwd "$PAM_USER")
+USER_NAME=$(echo "$PASSWD" | awk -F ':' '{print $1}')
+USER_UID=$(echo "$PASSWD" | awk -F ':' '{print $3}')
+USER_GID=$(echo "$PASSWD" | awk -F ':' '{print $4}')
+USER_HOME=$(echo "$PASSWD" | awk -F ':' '{print $6}')
+[ -n "$USER_NAME" ] && PAM_USER="$USER_NAME"
+[ -z "$USER_UID" ] && USER_UID=$(id -u "$PAM_USER")
+[ -z "$USER_GID" ] && USER_GID=$(id -g "$PAM_USER")
+[ -z "$USER_HOME" ] && USER_HOME="/home/$PAM_USER"
+if [ -z "$USER_UID" -o -z "$USER_GID" ]; then
+ slxlog "pam-get-ids" "Could not determine UID or GID for user '$PAM_USER'."
+ exit 1
+fi
+
+# The user's non-persistent home directory mount point, which should be their linux home
+TEMP_HOME_DIR="$USER_HOME"
+
+# check if PAM_USER is root and skip if it is the case
+[ "x${PAM_USER}" == "xroot" ] && exit 0
+
+###############################################################################
+#
+# Preparations for volatile /home/<user>
+#
+#
+# check if we already mounted the home directory
+if ! mount | grep -q -F " ${TEMP_HOME_DIR} "; then
+ # no home, lets create it
+ if ! mkdir -p "${TEMP_HOME_DIR}"; then
+ slxlog "pam-global-mktemphome" "Could not create '${TEMP_HOME_DIR}'."
+ exit 1
+ fi
+ # now make it a tmpfs
+ if ! mount -t tmpfs -o mode=700,size=1024m tmpfs "${TEMP_HOME_DIR}"; then
+ slxlog "pam-global-tmpfstemphome" "Could not make a tmpfs on ${TEMP_HOME_DIR}"
+ exit 1
+ fi
+fi
+
+###############################################################################
+#
+# Preparations for /home/<user>/PERSISTENT
+#
+#
+# Script to be sourced to mount the user's persistent home
+PERSISTENT_MOUNT_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent"
+# Script to be run in the user's context iff the persistent home could be mounted successfully
+PERSISTENT_MOUNT_USER_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent_user"
+# The user's persistent home directory mount point
+PERSISTENT_HOME_DIR="${TEMP_HOME_DIR}/PERSISTENT"
+
+# now lets see if we have a persistent directory mount script, and it's not already mounted
+if [ -e "${PERSISTENT_MOUNT_SCRIPT}" ] && ! mount | grep -q -F " ${PERSISTENT_HOME_DIR} "; then
+ # seems we should try to mount...
+ # create the PERSISTENT directory and give to user
+ if ! mkdir -p "${PERSISTENT_HOME_DIR}"; then
+ slxlog "pam-global-mkpersistent" "Could not create '${PERSISTENT_HOME_DIR}'."
+ elif ! chown "${USER_UID}:${USER_GID}" "${TEMP_HOME_DIR}"; then
+ slxlog "pam-global-chpersistent" "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."
+ else
+ # everything seems ok, call mount script
+ . "${PERSISTENT_MOUNT_SCRIPT}" \
+ || slxlog "pam-global-sourcepersistent" "Could not source '${PERSISTENT_MOUNT_SCRIPT}'."
+ if [ -n "${REAL_ACCOUNT}" ]; then
+ echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.account"
+ chmod 0644 "${TEMP_HOME_DIR}/.account"
+ fi
+ fi
+fi # end "mount-home-script-exists"
+
+
+# Just try to delete the persistent dir. If the mount was successful, it will not work
+# If it was not successful, it will be removed so the user doesn't think he can store
+# anything in there
+rmdir "${PERSISTENT_HOME_DIR}" 2> /dev/null
+
+# Write warning message to tmpfs home
+if [ -d "${PERSISTENT_HOME_DIR}" ]; then
+ # create a WARNING.txt for the user with hint to PERSISTENT
+ cat > "${TEMP_HOME_DIR}/WARNING.txt" <<EOF
+ATTENTION: This is the non-persistent home directory!
+Files saved here will be lost on shutdown.
+Your real home is under ${PERSISTENT_HOME_DIR}
+Please save your files there.
+EOF
+else
+ # create a WARNING.txt for the user, no PERSISTENT :-(
+ cat > "${TEMP_HOME_DIR}/WARNING.txt" <<EOF
+ATTENTION: This is a non-persistent home directory!
+Files saved here will be lost on shutdown.
+Please save your files on a USB drive or upload them
+to some web service.
+EOF
+fi
+chown "${USER_UID}" "${TEMP_HOME_DIR}/WARNING.txt"
+
+###############################################################################
+#
+# Preparations for /home/<user>/SHARE
+#
+#
+# Script to be sourced to mount the common share folder
+COMMON_SHARE_MOUNT_SCRIPT="/opt/openslx/scripts/pam_script_mount_common_share"
+# User specific mount point for the common share
+COMMON_SHARE_MOUNT_POINT="${TEMP_HOME_DIR}/SHARE"
+
+# check for common share mount script, exit if we don't have one
+if [ -e "${COMMON_SHARE_MOUNT_SCRIPT}" ] && ! mount | grep -q -F " ${COMMON_SHARE_MOUNT_POINT} "; then
+ # create the SHARE directory
+ if ! mkdir -p "${COMMON_SHARE_MOUNT_POINT}"; then
+ slxlog "pam-global-mkshare" "Could not create '${COMMON_SHARE_MOUNT_POINT}'."
+ elif ! chown "${USER_UID}:${USER_GID}" "${COMMON_SHARE_MOUNT_POINT}"; then
+ slxlog "pam-global-chshare" "Could not chown '${COMMON_SHARE_MOUNT_POINT}' to '${PAM_USER}'."
+ else
+ COMMON_SHARE_MOUNT_POINT="${COMMON_SHARE_MOUNT_POINT}" \
+ PAM_USER="${PAM_USER}" \
+ PAM_AUTHTOK="${PAM_AUTHTOK}" \
+ USER_UID="${USER_UID}" \
+ USER_GID="${USER_GID}" \
+ /bin/ash "${COMMON_SHARE_MOUNT_SCRIPT}" \
+ || slxlog "pam-global-sourceshare" "Could not execute '${COMMON_SHARE_MOUNT_SCRIPT}'."
+ fi
+fi
+# Just try to delete the common share dir. If the mount was successful, it will not work
+rmdir "${COMMON_SHARE_MOUNT_POINT}" 2> /dev/null
+
+#
+# source the stuff in pam_script_auth.d, if it exists
+#
+if [ -d "/opt/openslx/scripts/pam_script_auth.d" ]; then
+ for HOOK in $(ls "/opt/openslx/scripts/pam_script_auth.d"); do
+ # source it, in case of failure do nothing since these scripts are non-critical
+ . "/opt/openslx/scripts/pam_script_auth.d/$HOOK" || slxlog "pam-source-hooks" "Could not source '$HOOK'."
+ done
+fi
+
+exit 0
+
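Review bot: The tmpfs home mounted at L610 gets `mode=700` but no owner, so it stays root-owned 0700 unless the chown at L634 runs, and that chown only runs when the persistent-mount script exists and its mkdir succeeded; on a host without that script the user gets a home they cannot enter, since only WARNING.txt is chowned at L671. Setting ownership on the mount line makes it unconditional: `if ! mount -t tmpfs -o "mode=700,size=1024m,uid=${USER_UID},gid=${USER_GID}" tmpfs "${TEMP_HOME_DIR}"; then`. The hook loop at L707 iterates `$(ls …)` output and therefore word-splits file names; a glob, `for HOOK in /opt/openslx/scripts/pam_script_auth.d/*; do` followed by `. "$HOOK" || slxlog …`, avoids that, and the same applies to the loops at L741 in pam_script_ses_close and L827 in pam_script_ses_open. Finally, L595 uses `==` inside `[ ]`, a non-POSIX extension under /bin/ash, whereas the equivalent checks at L727 and L748 in the sibling script use `=`.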
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close
new file mode 100755
index 00000000..cd35a86b
--- /dev/null
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close
@@ -0,0 +1,83 @@
+#!/bin/ash
+
+# Needed as pam_script clears PATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# can only work if script is run as root
+[ "x$(whoami)" = "xroot" ] || exit 0
+
+# NSA needs to know
+if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then
+ . /opt/openslx/config
+ if [ "x$SLX_REMOTE_LOG_SESSIONS" = "xyes" -o "x$PAM_USER" = "xroot" ]; then
+ slxlog "session-close" "$PAM_USER logged out on $PAM_TTY"
+ elif [ "x$SLX_REMOTE_LOG_SESSIONS" = "xanonymous" ]; then
+ slxlog "session-close" "User logged out on $PAM_TTY"
+ fi
+fi
+
+# source hooks if there are any
+if [ -d "/opt/openslx/scripts/pam_script_ses_close.d" ]; then
+ for HOOK in $(ls "/opt/openslx/scripts/pam_script_ses_close.d"); do
+ # failure is non-critical
+ . "/opt/openslx/scripts/pam_script_ses_close.d/$HOOK" || slxlog "pam-sesclose-hooks" "Could not source '$HOOK'."
+ done
+fi
+
+# do not kill all root processes :)
+[ "x${PAM_USER}" = "xroot" ] && exit 0
+
+# Async block: Check if user has no session open anymore, if not
+# kill any remaining processes belonging to the user and unmount
+# everything at $USERHOME and below.
+{
+ sleep 2 # Give things some time
+ # Use who (utmp) to determine sessions by the user. loginctl might be nicer, but
+ # a simple show-user $USER will also include detached sessions (eg. screen) which
+ # makes this quite pointless. This needs to be investigated some day.
+ SESSIONCOUNT=$(who | grep "^${PAM_USER}\\b" | wc -l)
+ if [ "$SESSIONCOUNT" = "0" ]; then
+
+ # last session, close all ghost user processes
+ pkill -u "${PAM_USER}"
+
+ # check if user's processes are still running
+ for TIMEOUT in 1 1 2 FAIL; do
+ if ! ps -o pid,s -u "$PAM_USER" -U "$PAM_USER" | grep -q -v -E "PID|Z"; then
+ # nothing running anymore
+ break
+ fi
+ if [ "$TIMEOUT" = "FAIL" ]; then
+ # still something running, send SIGKILL
+ pkill -9 -u "${PAM_USER}"
+ else
+ # give some time
+ sleep "${TIMEOUT}"
+ fi
+ done
+
+ fi
+
+ # just to be sure we check again, since the pkilling above might have taken some time...
+ SESSIONCOUNT=$(who | grep "^${PAM_USER}\\b" | wc -l)
+ if [ "$SESSIONCOUNT" = "0" ]; then
+
+ # unmount the home directory structure
+ USER_HOME=$(getent passwd "$PAM_USER" | awk -F ':' '{print $6}')
+ if [ -n "$USER_HOME" ]; then
+ for TIMEOUT in 0 0 2 2 FAIL; do
+ OK=yes
+ for dir in $(cat /proc/mounts | awk '{print $2}' | grep -e "^${USER_HOME}\$" -e "^${USER_HOME}/.*\$"); do
+ umount "$dir" || OK=no
+ done
+ [ "$TIMEOUT" = "FAIL" -o "$OK" = "yes" ] && break
+ sleep "$TIMEOUT"
+ done
+ fi
+
+ fi
+
+} &
+
+exit 0
+
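Review bot: The unmount loop at L790 takes mount points from /proc/mounts in mount order, so `${USER_HOME}` is tried before the PERSISTENT and SHARE mounts that pam_script_auth nests beneath it; the parent umount should fail as busy on the first pass, and the code then depends on the retry/sleep loop to finish the job. Reversing the list unmounts children first and also drops the useless cat: `for dir in $(awk '{print $2}' /proc/mounts | grep -e "^${USER_HOME}\$" -e "^${USER_HOME}/.*\$" | tac); do`. Note also that `$PAM_USER` and `$USER_HOME` are interpolated unescaped into grep patterns at L758, L782 and L790, so a name containing regex metacharacters changes what is matched, and /proc/mounts encodes spaces in paths as `\040`; for the session count, `SESSIONCOUNT=$(who | awk -v u="$PAM_USER" '$1 == u' | wc -l)` sidesteps the pattern entirely.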
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open
new file mode 100755
index 00000000..8ab34708
--- /dev/null
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open
@@ -0,0 +1,25 @@
+#!/bin/ash
+
+# Needed as pam_script clears PATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# NSA needs to know
+if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then
+ . /opt/openslx/config
+ if [ "x$SLX_REMOTE_LOG_SESSIONS" = "xyes" -o "x$PAM_USER" = "xroot" ]; then
+ slxlog "session-open" "$PAM_USER logged in on $PAM_TTY"
+ elif [ "x$SLX_REMOTE_LOG_SESSIONS" = "xanonymous" ]; then
+ slxlog "session-open" "User logged in on $PAM_TTY"
+ fi
+fi
+
+# source the stuff in pam_script_ses_open.d, if it exists
+if [ -d "/opt/openslx/scripts/pam_script_ses_open.d" ]; then
+ for HOOK in $(ls "/opt/openslx/scripts/pam_script_ses_open.d"); do
+ # source it, in case of failure do nothing since these scripts are non-critical
+ . "/opt/openslx/scripts/pam_script_ses_open.d/$HOOK" || slxlog "pam-source-hooks" "Could not source '$HOOK'."
+ done
+fi
+
+exit 0
+
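Review bot: Unlike pam_script_auth (L575) and pam_script_ses_close (L727), this script has no root check before it sources /opt/openslx/config at L817 and the hook files at L829, so it behaves differently from its siblings if pam_script ever runs it unprivileged; adding the same guard, `[ "x$(whoami)" = "xroot" ] || exit 0`, keeps the three scripts consistent. If an unprivileged run is actually expected here, a comment above L816 saying why the guard is deliberately omitted would make that clear.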