author | Christian Rößler | 2018-12-04 15:49:03 +0100 |
---|---|---|
committer | Christian Rößler | 2018-12-04 15:49:03 +0100 |
commit | 840c188c43b2b7d99bd492c5840983ef56618619 (patch) | |
tree | 1f32d10e02a08117e77895bd71ec425c0be9e327 /core | |
parent | [run-virt] Linux scripts: Sound vol. to 100%, if unmuted (diff) | |
parent | [pam-slx-plug] Add get_username script to lookup caps (diff) | |
Merge branch 'master' of git.openslx.org:openslx-ng/mltk
Diffstat (limited to 'core')
7 files changed, 101 insertions, 18 deletions
diff --git a/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh b/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
index e17bbbc7..5f4e2bfa 100755
--- a/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
+++ b/core/modules/beamergui/data/opt/openslx/pvs2/showBeamergui.sh
@@ -2,4 +2,11 @@
 [ "$EVENT" = "clicked" ] || exit 0
-exec beamergui -w
+if ps u | grep -v grep | grep -q 'beamergui -b'; then
+ exec beamergui -w
+fi
+
+(
+ beamergui -b -g &
+) &
+
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index 3e20d8ed..ee2155a5 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -48,7 +48,7 @@ extract_field() {
 }
 run_auth() {
- local BINDDN SEARCH_ANON SEARCH_USER PW RET
+ local BINDDN SEARCH_ANON SEARCH_USER PW RET uid
 if [ -n "$LDAP_CACERT" ]; then
 export LDAPTLS_CACERT="$LDAP_CACERT"
 else
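Review bot: The running-instance test `ps u | grep -v grep | grep -q 'beamergui -b'` is fragile: with procps-style `ps`, `u` without `x` lists only processes that have a controlling terminal (worth confirming for the ps shipped in this image), so a `beamergui -b` that was started detached can be missed and another background instance launched on every click, and the substring also matches any unrelated command line containing it. `pgrep` does the same job without the grep-on-grep dance: `if pgrep -u "$(id -u)" -f 'beamergui -b' >/dev/null; then`. The double-forked launcher also keeps the event handler's stdio open in the background process; `beamergui -b -g >/dev/null 2>&1 &` detaches it fully unless that output is wanted somewhere.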
@@ -83,16 +83,24 @@ run_auth() {
 [ -z "$BINDDN" ] && BINDDN=$(extract_field "distinguishedName" "$SEARCH_ANON")
 [ -z "$BINDDN" ] && return 1
 # User exists
+ # Get proper capitalization
+ RET=$(extract_field "uid" "$SEARCH_ANON")
+ [ -n "$RET" ] && USER_NAME="$RET"
+ uid=$(extract_field "uidNumber" "$SEARCH_ANON")
 if [ "$PAM_TYPE" = "account" ]; then
 # 'account' checks just if the user is allowed to log in, bail out
- USER_UID=$(extract_field "uidNumber" "$SEARCH_ANON")
+ USER_UID=$uid
 USER_GID=$(extract_field "gidNumber" "$SEARCH_ANON")
 USER_HOME=$(extract_field "homeDirectory" "$SEARCH_ANON")
 return 0
 fi
 SEARCH_USER=$(mktemp)
 TEMPFILES_LDAP="$TEMPFILES_LDAP $SEARCH_USER"
- PW="/run/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ if [ -z "$SCRIPT_USER" ] || [ "$SCRIPT_USER" = "root" ]; then
+ PW="/run/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ else
+ PW="/run/user/${uid}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+ fi
 for retries in 0 1 1 0; do
 if ! mkfifo -m 0600 "${PW}"; then
 slxlog "pam-slxldap-fifo" "Could not create FIFO at ${PW}"
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
index 006f1c81..53ed1a5b 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
@@ -19,9 +19,10 @@ fi
 readonly USER_HOME
 # Add/replace passwd entry if it doesn't exist yet
-LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}:${USER_HOME}:/bin/bash"
+LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}@SLX:${USER_HOME}:/bin/bash"
 readonly LINE_PASS
 if ! grep -Fxq -- "${LINE_PASS}" /etc/passwd; then
- sed -i "/^${USER_NAME}:/d" /etc/passwd
+ # Make sure there's no existing line with same uid or uidNumber
+ sed -i -r "/^${USER_NAME}:/d;/^[^:]*:x:${USER_UID}:/d" /etc/passwd
 echo "${LINE_PASS}" >> /etc/passwd
 fi
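Review bot: `USER_NAME` is overwritten with the directory's `uid` attribute without any of the validation the callers apply to `PAM_USER` (the ':' check in exec_account/exec_auth runs before the hooks are sourced), and in the account path that value becomes the first field of the `/etc/passwd` line written by homedir-passwd; exec_auth rejects a spelling mismatch, but exec_account has no such check. Since the comment says the lookup only exists to fix capitalization, enforce exactly that before the assignment: `[ "$(printf '%s' "$RET" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$PAM_USER" | tr 'A-Z' 'a-z')" ] || return 1`, which also keeps ':' and '/' out by construction; if the search may legitimately match on another attribute, at least reject ':' and '/' in `$RET` here. The non-root FIFO path likewise interpolates the unvalidated `uid`, so an entry without `uidNumber` yields `/run/user//pw…`; `echo "$uid" | grep -Exq '[0-9]+' || return 1` before building `PW` closes that, and since the runtime directory belongs to the calling process, `$(id -u)` is the safer base than the directory's number. This hunk sits in the middle of run_auth(), whose start and end lie outside it.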
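Review bot: The new uid-based purge `/^[^:]*:x:${USER_UID}:/d` deletes any passwd entry carrying that uidNumber, local system accounts included — a directory record with uidNumber 0 would remove `root` and the appended `@SLX` line would take its place — and nothing in this hunk bounds `USER_UID` (the numeric check visible in exec_account covers `USER_GID` only). Restrict the purge to entries this module created, which the same commit now tags in the GECOS field: `sed -i -r "/^${USER_NAME}:/d;/^[^:]*:x:${USER_UID}:[^:]*:[^:]*@SLX:/d" /etc/passwd`. `USER_NAME` is also dropped into an ERE unescaped, while exec_account escapes at least `.` and `*` before grepping the same name; a `.` in the name would delete other users' lines here, so apply the same (or stricter) escaping before the sed.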
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
index f481d302..a94ac428 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_account
@@ -3,7 +3,7 @@
 [ "$PAM_TYPE" = "account" ] || exit 1
 USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -14,11 +14,13 @@ if echo "$PAM_USER" | grep -Fq ':'; then
 fi
 # check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
 # passwd but no shadow hints at a user we added - allow
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
-grep -q "^${PAM_USER}:" "/etc/passwd" && exit 0
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+[ "x$SCRIPT_USER" = "xroot" ] && grep -q "^${grepname}:" "/etc/shadow" && exit 1
+grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" && exit 0
 # Have neither, run hooks
 for auth_file in /opt/openslx/pam/auth-source.d/*; do
@@ -29,7 +31,7 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
 [ -n "$USER_UID" ] || continue
 break
 done
-readonly USER_UID USER_GID
+readonly USER_UID USER_GID USER_NAME
 [ -n "$USER_UID" ] || exit 1
 # Got ok from hook - cache in passwd if we got a USER_GID
@@ -44,7 +46,9 @@ if [ -n "$USER_GID" ] && ! echo "$USER_GID" | grep -Exq '[0-9]+'; then
 exit 0
 fi
-. /opt/openslx/pam/common/homedir-passwd
+if [ "x$SCRIPT_USER" = "xroot" ]; then
+ . /opt/openslx/pam/common/homedir-passwd
+fi
 exit 0
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 6f1dc0ae..6bbe8bdc 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
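Review bot: The `grepname` escaping introduced in the second hunk neutralises only `.` and `*`, but the value is used as a BRE in which `[`, `\`, `^` and `$` stay live, so a crafted login name can change what the shadow/passwd lookups match (or make grep exit 2), and `.*:.*:` lets `.` run across colons so the `@SLX` tag is accepted from a later field such as the home directory. Because exec_auth and get_username build the same `grepname`, a field-exact fixed-string comparison is a better fix than a longer escape list: `awk -F: -v u="$PAM_USER" '$1 == u && $5 == u "@SLX" { f = 1 } END { exit !f }' /etc/passwd && exit 0`. The shadow test becomes `[ "x$SCRIPT_USER" = "xroot" ] && awk -F: -v u="$PAM_USER" '$1 == u { f = 1 } END { exit !f }' /etc/shadow && exit 1`. awk is already relied on by get_username in this commit.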
@@ -8,7 +8,7 @@ readonly USER_PASSWORD
 [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
 USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
 # Needed as pam_script clears PATH
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
@@ -20,10 +20,19 @@ if echo "$PAM_USER" | grep -Fq ':'; then
 fi
 # check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
+[ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
-# See if we have a shadow entry - skip user in that case
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+if [ "$SCRIPT_USER" = "root" ]; then
+ # See if we have a shadow entry - skip user in that case
+ grep -q -i "^${grepname}:" "/etc/shadow" && exit 1
+else
+ # Running in user context - user must be known from before
+ grep -q "^${grepname}:x:.*:.*:${grepname}@SLX:" "/etc/passwd" || exit 1
+fi
 # ppam -- pluggable pluggable authentication module
 # Source all scripts in the auth-source.d directory
@@ -53,7 +62,13 @@ for auth_file in /opt/openslx/pam/auth-source.d/*; do
 break
 done
 [ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="$PAM_USER"
-readonly USER_UID REAL_ACCOUNT
+readonly USER_UID REAL_ACCOUNT USER_NAME
+
+# Confirm caps matches!
+if [ "$USER_NAME" != "$PAM_USER" ]; then
+ echo "Capitalization mismatch: '$PAM_USER' vs. '$USER_NAME'" >&2
+ exit 1
+fi
 # No success - access denied
 [ -z "$USER_UID" ] && exit 1
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
new file mode 100755
index 00000000..477a2f1b
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/get_username
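Review bot: The comment `# check if the script runs as root` kept above the new gate in the second hunk is now wrong — the gate also admits a caller whose `whoami` equals `$PAM_USER` — and nothing records why that is acceptable; replace it with `# Allowed callers: root (normal PAM flow) or the user re-authenticating themselves (whoami == PAM_USER); the latter cannot read /etc/shadow, so an existing @SLX passwd entry is required instead`, adjusted if the intended non-root caller is something other than self re-authentication. In the user-context branch, `^${grepname}:x:.*:.*:${grepname}@SLX:` lets `.*` span colons, so the `@SLX` tag is accepted from any later field (a home directory ending in `name@SLX` would do), and `grepname` is a BRE in which only `.` and `*` were escaped. A field-exact comparison avoids both: `awk -F: -v u="$PAM_USER" '$1 == u && $5 == u "@SLX" { f = 1 } END { exit !f }' /etc/passwd || exit 1`. The shadow lookup is case-insensitive (`-i`) while this passwd lookup and the `SCRIPT_USER`/`PAM_USER` comparison are exact; if that asymmetry is intended it deserves a one-line comment.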
@@ -0,0 +1,48 @@
+#!/bin/ash
+
+PAM_USER="$1"
+
+if [ -z "$PAM_USER" ]; then
+ echo "Usage: $0 <username>" >&2
+ exit 1
+fi
+
+PAM_TYPE="account"
+USER_NAME=
+readonly PAM_USER PAM_TYPE
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# check for invalid char ':'
+if echo "$PAM_USER" | grep -Fq ':'; then
+ echo "Username '$PAM_USER' contains disallowed character ':'" >&2
+ exit 1
+fi
+
+grepname=$( echo "$PAM_USER" | sed 's/\./\\./g;s/*/\\*/g' )
+
+existing=$( grep -i -m1 "^${grepname}:" "/etc/passwd" | awk -F: '{print $1}' )
+if [ -n "$existing" ]; then
+ echo "$existing"
+ exit 0
+fi
+
+# Have neither, run hooks
+for auth_file in /opt/openslx/pam/auth-source.d/*; do
+ USER_UID=
+ USER_GID=
+ [ -f "$auth_file" ] || continue
+ . "$auth_file"
+ [ -n "$USER_UID" ] || continue
+ break
+done
+readonly USER_UID USER_GID USER_NAME
+
+if [ -z "$USER_UID" ] || [ -z "$USER_NAME" ]; then
+ echo "User not found" >&2
+ exit 1
+fi
+
+echo "$USER_NAME"
+exit 0
+
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
index 19e1cb43..c3a5009f 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt-includes/set_runvirt_hardware_variables.inc
@@ -32,7 +32,7 @@ set_virt_memory() {
 fi
 # Amount of memory for the VM. Be generous if diff is written to HDD
- local min=768
+ local min=1024
 local reserve max
 if notempty TMPDIR_NOT_RAM; then
 if lsmod | grep -q '^nvidia'; then |
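Review bot: `USER_NAME` is not reset between hook iterations in the new get_username, unlike `USER_UID` and `USER_GID`, so a hook that assigns it and then fails to deliver a uid leaves its spelling in place for the next hook; 99-slx-ldap in this same commit sets `USER_NAME` from the directory before it reads `uidNumber`, and an entry without one leaves `USER_UID` empty, which is exactly the `[ -n "$USER_UID" ] || continue` case. Add `USER_NAME=` beside `USER_UID=` at the top of the loop so the printed name always comes from the hook that produced the uid. exec_account and exec_auth run the same loop (only partly visible in their hunks) and would want the equivalent reset, `USER_NAME="$PAM_USER"`, since they default the name to the login name. A short header comment stating that this is a read-only lookup helper (`PAM_TYPE=account`, no password handling) would also make the intended exposure of a world-executable script explicit.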