authorChristian Rößler2018-12-04 15:49:03 +0100
committerChristian Rößler2018-12-04 15:49:03 +0100
commit840c188c43b2b7d99bd492c5840983ef56618619 (patch)
tree1f32d10e02a08117e77895bd71ec425c0be9e327 /core
parent[run-virt] Linux scripts: Sound vol. to 100%, if unmuted (diff)
parent[pam-slx-plug] Add get_username script to lookup caps (diff)
Merge branch 'master' of git.openslx.org:openslx-ng/mltk
Diffstat (limited to 'core')
-rwxr-xr-xcore/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh9
-rw-r--r--core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap14
-rw-r--r--core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd5
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/exec_account16
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth25
-rwxr-xr-xcore/modules/pam-slx-plug/data/opt/openslx/pam/get_username48
-rw-r--r--core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc2
7 files changed, 101 insertions, 18 deletions
diff --git a/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh b/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
index e17bbbc7..5f4e2bfa 100755
--- a/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
+++ b/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
@@ -2,4 +2,11 @@
[ "$EVENT" = "clicked" ] || exit 0
-exec beamergui -w
+if ps u | grep -v grep | grep -q 'beamergui -b'; then
+ exec beamergui -w
+fi
+
+(
+ beamergui -b -g &
+) &
+
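Review bot: The running-instance test on the new `if` line greps `ps` output, which needs the `grep -v grep` workaround and also matches any process whose command line merely contains the string (an editor opened on a file of that name, for instance); `if pgrep -f 'beamergui -b' >/dev/null; then` performs the same check without the self-match and, if the image's userland is busybox, `pgrep -f` is available there too. Note that `ps u` on procps lists only the invoking user's processes, so whether a `beamergui -b` started by another user counts is decided implicitly here — worth a comment either way. The nested background `( beamergui -b -g & ) &` is presumably meant to detach the daemon from this script; a one-line comment stating that intent would save the next reader from wondering whether the double fork is deliberate.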
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index 3e20d8ed..ee2155a5 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -48,7 +48,7 @@ extract_field() {
}
run_auth() {
- local BINDDN SEARCH_ANON SEARCH_USER PW RET
+ local BINDDN SEARCH_ANON SEARCH_USER PW RET uid
if [ -n "$LDAP_CACERT" ]; then
export LDAPTLS_CACERT="$LDAP_CACERT"
else
@@ -83,16 +83,24 @@ run_auth() {
[ -z "$BINDDN" ] && BINDDN=$(extract_field "distinguishedName" "$SEARCH_ANON")
[ -z "$BINDDN" ] && return 1
# User exists
+ # Get proper capitalization
+ RET=$(extract_field "uid" "$SEARCH_ANON")
+ [ -n "$RET" ] && USER_NAME="$RET"
+ uid=$(extract_field "uidNumber" "$SEARCH_ANON")
if [ "$PAM_TYPE" = "account" ]; then
# 'account' checks just if the user is allowed to log in, bail out
- USER_UID=$(extract_field "uidNumber" "$SEARCH_ANON")
+ USER_UID=$uid
USER_GID=$(extract_field "gidNumber" "$SEARCH_ANON")
USER_HOME=$(extract_field "homeDirectory" "$SEARCH_ANON")
return 0
fi
SEARCH_USER=$(mktemp)
TEMPFILES_LDAP="$TEMPFILES_LDAP $SEARCH_USER"
- PW="/run/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ if [ -z "$SCRIPT_USER" ] || [ "$SCRIPT_USER" = "root" ]; then
+ PW="/run/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ else
+ PW="/run/user/${uid}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ fi
for retries in 0 1 1 0; do
if ! mkfifo -m 0600 "${PW}"; then
slxlog "pam-slxldap-fifo" "Could not create FIFO at ${PW}"
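Review bot: The user-context FIFO path on the new `else` branch interpolates `uid`, which `extract_field "uidNumber"` a few lines above may leave empty when the directory entry lacks the attribute; the path then degenerates to `/run/user//pw…`, i.e. the FIFO is created directly under `/run/user` instead of the user's runtime directory. Guard it before the path is built, `[ -n "$uid" ] || return 1`, in the same style as the `[ -z "$BINDDN" ] && return 1` check above. The branch also relies on `/run/user/<uid>` already existing, which presumes an active session for that user — plausible, since exec_auth in this commit only admits the non-root path for users already cached in passwd, but a comment saying so would make the assumption explicit. run_auth continues past the end of this hunk.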
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
index 006f1c81..53ed1a5b 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
@@ -19,9 +19,10 @@ fi
readonly USER_HOME
# Add/replace passwd entry if it doesn't exist yet
-LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}:${USER_HOME}:/bin/bash"
+LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}@SLX:${USER_HOME}:/bin/bash"
readonly LINE_PASS
if ! grep -Fxq -- "${LINE_PASS}" /etc/passwd; then
- sed -i "/^${USER_NAME}:/d" /etc/passwd
+ # Make sure there's no existing line with same uid or uidNumber
+ sed -i -r "/^${USER_NAME}:/d;/^[^:]*:x:${USER_UID}:/d" /etc/passwd
echo "${LINE_PASS}" >> /etc/passwd
fi
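Review bot: The new `sed -i -r` line still interpolates `USER_NAME` into the pattern unescaped, and switching to `-r` enlarges the set of characters in the name that the pattern treats specially (`+`, `?`, `(`, `)`, `|`, `{`) beyond the `.` and `[` that already applied; a name containing any of them either deletes the wrong lines or makes sed fail and skip the cleanup, after which the `echo >> /etc/passwd` still appends, leaving a duplicate. `USER_NAME` here is whatever the auth source returned (99-slx-ldap in this commit now takes it from the directory's `uid` attribute), so this script does not validate it. Passing the name and uid to awk with `-v` treats them as data rather than pattern, as in the rewrite below. The comment on the line above also says "same uid or uidNumber" where the two patterns key on the name and the uidNumber respectively; `# Make sure there's no existing line with the same name or the same uidNumber` reads clearer.
```shell
if ! grep -Fxq -- "${LINE_PASS}" /etc/passwd; then
	# Make sure there's no existing line with the same name or the same uidNumber.
	# awk -v passes both values as data, so regex characters in the name cannot
	# change which lines are deleted.
	awk -F: -v name="$USER_NAME" -v uid="$USER_UID" \
		'$1 != name && !($2 == "x" && $3 == uid)' /etc/passwd > /etc/passwd.tmp \
		&& cat /etc/passwd.tmp > /etc/passwd
	rm -f -- /etc/passwd.tmp
	echo "${LINE_PASS}" >> /etc/passwd
fi
```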
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
index f481d302..a94ac428 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
@@ -3,7 +3,7 @@
[ "$PAM_TYPE" = "account" ] || exit 1
USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -14,11 +14,13 @@ if echo "$PAM_USER" | grep -Fq ':'; then
fi
# check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
# passwd but no shadow hints at a user we added - allow
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
-grep -q "^${PAM_USER}:" "/etc/passwd" && exit 0
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+[ "x$SCRIPT_USER" = "xroot" ] && grep -q "^${grepname}:" "/etc/shadow" && exit 1
+grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" && exit 0
# Have neither, run hooks
for auth_file in /opt/openslx/pam/auth-source.d/*; do
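Review bot: The escaping on the new `grepname=` line covers only `.` and `*`, but the value is then used as a BRE by grep, where `[`, `\`, `^` and `$` are special as well: a name containing `[` makes grep fail with an unmatched bracket (exit status 2), so the `&& exit 0` cache hit is never taken and the name falls through to the hooks on every call, while `\` or `^` inside a name silently changes what is matched. The same construction is repeated in exec_auth and in the new get_username in this commit, so the fix applies to all three. A bracket expression escapes the whole set in one pass, `grepname=$( printf '%s' "$PAM_USER" | sed 's/[][.*^$\\]/\\&/g' )`, and `printf` also avoids `echo` interpreting a name that begins with `-` as an option.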
@@ -29,7 +31,7 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
[ -n "$USER_UID" ] || continue
break
done
-readonly USER_UID USER_GID
+readonly USER_UID USER_GID USER_NAME
[ -n "$USER_UID" ] || exit 1
# Got ok from hook - cache in passwd if we got a USER_GID
@@ -44,7 +46,9 @@ if [ -n "$USER_GID" ] && ! echo "$USER_GID" | grep -Exq '[0-9]+'; then
exit 0
fi
-. /opt/openslx/pam/common/homedir-passwd
+if [ "x$SCRIPT_USER" = "xroot" ]; then
+ . /opt/openslx/pam/common/homedir-passwd
+fi
exit 0
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 6f1dc0ae..6bbe8bdc 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -8,7 +8,7 @@ readonly USER_PASSWORD
[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
# Needed as pam_script clears PATH
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -20,10 +20,19 @@ if echo "$PAM_USER" | grep -Fq ':'; then
fi
# check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
+[ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
-# See if we have a shadow entry - skip user in that case
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+if [ "$SCRIPT_USER" = "root" ]; then
+ # See if we have a shadow entry - skip user in that case
+ grep -q -i "^${grepname}:" "/etc/shadow" && exit 1
+else
+ # Running in user context - user must be known from before
+ grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" || exit 1
+fi
# ppam -- pluggable pluggable authentication module
# Source all scripts in the auth-source.d directory
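Review bot: Within seven lines the new code tests SCRIPT_USER for root in two spellings, `[ "x$SCRIPT_USER" = "xroot" ]` on the `|| exit 1` line and `[ "$SCRIPT_USER" = "root" ]` on the `if`; the `x` prefix guards against empty or dash-led operands, which a quoted `$(whoami)` result does not produce, and exec_account in this commit uses the prefixed form throughout, so settling on one form per file reads cleaner, e.g. `if [ "x$SCRIPT_USER" = "xroot" ]; then`. The comment on the `else` branch could also name which unprivileged caller this path is meant for, since accepting `SCRIPT_USER = PAM_USER` is the behavioural change of this hunk and the reason is only inferable from the test itself. The surrounding script continues outside the hunk.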
@@ -53,7 +62,13 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
break
done
[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="$PAM_USER"
-readonly USER_UID REAL_ACCOUNT
+readonly USER_UID REAL_ACCOUNT USER_NAME
+
+# Confirm caps matches!
+if [ "$USER_NAME" != "$PAM_USER" ]; then
+ echo "Capitalization mismatch: '$PAM_USER' vs. '$USER_NAME'" >&2
+ exit 1
+fi
# No success - access denied
[ -z "$USER_UID" ] && exit 1
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
new file mode 100755
index 00000000..477a2f1b
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
@@ -0,0 +1,48 @@
+#!/bin/ash
+
+PAM_USER="$1"
+
+if [ -z "$PAM_USER" ]; then
+ echo "Usage: $0 <username>" >&2
+ exit 1
+fi
+
+PAM_TYPE="account"
+USER_NAME=
+readonly PAM_USER PAM_TYPE
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# check for invalid char ':'
+if echo "$PAM_USER" | grep -Fq ':'; then
+ echo "Username '$PAM_USER' contains disallowed character ':'" >&2
+ exit 1
+fi
+
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+existing=$( grep -i -m1 "^${grepname}:" "/etc/passwd" | awk -F: '{print $1}' )
+if [ -n "$existing" ]; then
+ echo "$existing"
+ exit 0
+fi
+
+# Have neither, run hooks
+for auth_file in /opt/openslx/pam/auth-source.d/*; do
+ USER_UID=
+ USER_GID=
+ [ -f "$auth_file" ] || continue
+ . "$auth_file"
+ [ -n "$USER_UID" ] || continue
+ break
+done
+readonly USER_UID USER_GID USER_NAME
+
+if [ -z "$USER_UID" ] || [ -z "$USER_NAME" ]; then
+ echo "User not found" >&2
+ exit 1
+fi
+
+echo "$USER_NAME"
+exit 0
+
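Review bot: USER_NAME is not reset per iteration the way USER_UID and USER_GID are at the top of the `for` loop, so a hook that sets USER_NAME but leaves USER_UID empty (99-slx-ldap in this commit assigns the `uid` attribute before it looks up `uidNumber`) is skipped by the `continue`, yet its name survives into the next hook and is printed if that hook yields a uid without a name; add `USER_NAME=` beside the other two resets. The file also has no header comment: a short one under the shebang, e.g. `# Print the canonical spelling of a username: from /etc/passwd if present (case-insensitive match), otherwise as returned by the auth-source.d hooks. Exits 1 if the user is unknown.`, would document the contract, and USER_GID is made readonly but never used. Note too that the passwd lookup accepts any entry rather than only the `@SLX`-tagged ones exec_account and exec_auth look for — reasonable if local accounts are meant to take precedence, but worth stating in that header.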
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
index 19e1cb43..c3a5009f 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
@@ -32,7 +32,7 @@ set_virt_memory() {
fi
# Amount of memory for the VM. Be generous if diff is written to HDD
- local min=768
+ local min=1024
local reserve max
if notempty TMPDIR_NOT_RAM; then
if lsmod | grep -q '^nvidia'; then