authorSimon Rettberg2019-06-28 16:56:22 +0200
committerroot2019-06-28 17:12:49 +0200
commitf8abc5d351b6fa2293593d394a80c83665d5729d (patch)
treee24a9ee760e50f66cf6698eaf0a73ee104b2b93b /core/modules/run-virt/data/opt/openslx/pam
parent[pam-slx-plug] Move slx-plug specific hook directory (diff)
[pam-slx-plug] Move old pam_script_* hook dirs to pam dir
They're all now in subdirectories of /opt/openslx/pam/hooks. Symlinks have been put in place where they used to reside.
Diffstat (limited to 'core/modules/run-virt/data/opt/openslx/pam')
-rw-r--r--core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials82
-rw-r--r--core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear17
2 files changed, 99 insertions, 0 deletions
diff --git a/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials b/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials
new file mode 100644
index 00000000..613c66ca
--- /dev/null
+++ b/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials
@@ -0,0 +1,82 @@
+#!/bin/ash
+# This is being sourced and running in ash
+
+if [ -n "$TEMP_HOME_DIR" ]; then
+ if [ -z "$PAM_TTY" ] || [ "x$PAM_TTY" = "x:0" ]; then
+ # Pass on network path to home directory
+ if [ -z "$PERSISTENT_NETPATH" ]; then
+ PERSISTENT_NETPATH=$(grep -m1 -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | awk '{print $1}')
+ fi
+ if [ -n "$PERSISTENT_NETPATH" ]; then
+ [ "x${PERSISTENT_NETPATH:0:2}" = "x//" ] && PERSISTENT_NETPATH=$(echo "$PERSISTENT_NETPATH" | tr '/' '\\')
+ echo "${PERSISTENT_NETPATH}" > "${TEMP_HOME_DIR}/.openslx/home"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/home"
+ fi
+
+ # pwdaemon
+
+ # Figure out username
+ XUSER="${REAL_ACCOUNT}"
+ [ -z "$XUSER" ] && XUSER="${PAM_USER}"
+ # Figure out domain
+ XDOMAIN=
+
+ if [ -d "/opt/openslx/pam/slx-ldap.d" ]; then
+ # New pretty approach - modular with multiple auth sources
+ if [ -n "$SHARE_DOMAIN" ]; then
+ [ "x$SHARE_DOMAIN" != "x#" ] && XDOMAIN="$SHARE_DOMAIN"
+ else
+ if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then
+ XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g')
+ fi
+ if [ -z "$XDOMAIN" ] && [ -n "$USER_DN" ]; then
+ XDOMAIN=$(echo "$USER_DN" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ] && [ -n "$LDAP_BASE" ]; then
+ XDOMAIN=$(echo "$LDAP_BASE" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN="WORKGROUP"
+ fi
+ fi
+ else
+ # Old approach - just one global config
+ # Take explicitly configured domain
+ if [ -s "/opt/openslx/inc/shares" ]; then
+ . /opt/openslx/inc/shares
+ XDOMAIN="${SHARE_DOMAIN}"
+ fi
+ if [ "x$XDOMAIN" = "x#" ]; then
+ XDOMAIN=
+ else
+ # Guess domain
+ if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then
+ XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g')
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN="WORKGROUP"
+ fi
+ fi
+ fi
+ [ -n "$XDOMAIN" ] && XDOMAIN="$(echo "$XDOMAIN" | tr '[a-z]' '[A-Z]')\\"
+ USERNAME="${XDOMAIN}${XUSER}" PASSWORD="$PAM_AUTHTOK" PWSOCKET="${TEMP_HOME_DIR}/.pwsocket" pwdaemon --daemon "${USER_UID}"
+ unset XUSER XDOMAIN
+ fi
+fi
+
+# Now copy all the share mount options over from the current ldap plugin
+if [ -n "$SLX_LDAP_FILE" ] && [ -s "$SLX_LDAP_FILE" ]; then
+ grep '^SHARE_' "$SLX_LDAP_FILE"
+ if [ -n "$USER_DN" ] && [ "$(echo "$USER_DN" | wc -l)" = 1 ]; then
+ set | grep '^USER_DN='
+ fi
+fi > "${TEMP_HOME_DIR}/.openslx/shares"
+
+true
+
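Review bot: The redirection on the closing `fi > "${TEMP_HOME_DIR}/.openslx/shares"` is applied whether or not the `[ -n "$SLX_LDAP_FILE" ] && [ -s "$SLX_LDAP_FILE" ]` test passes, and unlike the first block this one never checks `TEMP_HOME_DIR`, so with an empty `TEMP_HOME_DIR` the shell attempts to create `/.openslx/shares` (an error on stderr at best, a stray file at the filesystem root at worst). Wrapping the whole construct in `if [ -n "$TEMP_HOME_DIR" ]; then` … `fi` keeps the current truncate-on-every-run behaviour for the normal case while never touching a path outside the temp home. If truncating the shares file when no ldap file is present is not actually intended, the redirect should instead move inside the `then` branch. The earlier writes to `${TEMP_HOME_DIR}/.openslx/home` likewise assume `.openslx` already exists; if the caller does not guarantee that, a `mkdir -p "${TEMP_HOME_DIR}/.openslx"` before the first write would avoid the `echo` failing. `${PERSISTENT_NETPATH:0:2}` is a substring expansion that, given the "running in ash" comment, is worth confirming is enabled in the target busybox build.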
diff --git a/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear b/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear
new file mode 100644
index 00000000..4fdd88ab
--- /dev/null
+++ b/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+# Sourced as session-close hook
+
+runvirt_fw_clear () {
+ iptables -w -F runvirt-INPUT
+ ip6tables -w -F runvirt-INPUT
+ iptables -w -F runvirt-OUTPUT
+ ip6tables -w -F runvirt-OUTPUT
+}
+
+if [ "x$PAM_TTY" = "x:0" ]; then
+ runvirt_fw_clear > /dev/null 2>&1
+fi
+
+true
+
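Review bot: `runvirt_fw_clear > /dev/null 2>&1` discards every failure of the four flush commands, and because the function's status is only that of the last `ip6tables` call, a failed flush of any earlier chain is invisible even without the redirect; for a session-close hook whose job is to remove the per-session firewall rules, leftover rules in `runvirt-INPUT`/`runvirt-OUTPUT` would silently survive into the next session. Tracking the status of each command and reporting a single diagnostic on stderr keeps the hook quiet on success while making a failed cleanup observable, as sketched below. The function is also left defined in the sourcing shell afterwards; the sibling hook in this commit unsets its temporaries, so an `unset -f runvirt_fw_clear` after the call would be consistent if the sourcing shell's namespace matters. Whether `local` is available depends on the ash build, so the `rv` variable could be made a plain unset-afterwards variable if not.
```shell
runvirt_fw_clear () {
	local rv=0
	iptables -w -F runvirt-INPUT || rv=1
	ip6tables -w -F runvirt-INPUT || rv=1
	iptables -w -F runvirt-OUTPUT || rv=1
	ip6tables -w -F runvirt-OUTPUT || rv=1
	return "$rv"
}

if [ "x$PAM_TTY" = "x:0" ]; then
	runvirt_fw_clear > /dev/null 2>&1 \
		|| echo "runvirt-firewall-clear: flushing runvirt chains failed" >&2
fi
```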