Diffstat (limited to 'core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth')
-rwxr-xr-x | core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
new file mode 100755
index 00000000..ef964d5f
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -0,0 +1,204 @@
+#!/bin/ash
+
+# grab the password from stdin asap
+[ "$PAM_TYPE" = "auth" ] || exit 1
+unset USER_PASSWORD
+read -r USER_PASSWORD > /dev/null 2>&1
+readonly USER_PASSWORD
+[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+
+USER_NAME="$PAM_USER"
+readonly PAM_USER USER_NAME
+
+# Needed as pam_script clears PATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# check for invalid char ':'
+if echo "$PAM_USER" | grep -Fq ':'; then
+ slxlog --echo "pam-format-username" "Username '$PAM_USER' contains disallowed character ':', denying access"
+ exit 1
+fi
+
+# check if the script runs as root
+[ "x$(whoami)" = "xroot" ] || exit 1
+
+# See if we have a shadow entry - skip user in that case
+grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+
+# ppam -- pluggable pluggable authentication module
+# Source all scripts in the auth-source.d directory
+# until one succeeds.
+# A succeeding script should set USER_UID to the
+# uidNumber of the user authenticating, additionally
+# it must set USER_GID or USER_GROUP (or both).
+# Additional variables that can be set are
+# NETWORK_HOME (network path to home directory)
+# HOME_MOUNT_OPTS (mount options to use)
+# REAL_ACCOUNT (real account name in case any
+# mapping took place)
+for auth_file in /opt/openslx/pam/auth-source.d/*; do
+ NETWORK_HOME=
+ HOME_MOUNT_OPTS=
+ REAL_ACCOUNT=
+ USER_UID=
+ USER_GID=
+ USER_GROUP=
+ USER_HOME=
+ [ -f "$auth_file" ] || continue
+ . "$auth_file"
+ [ -n "$USER_UID" ] || continue
+ [ -n "${USER_GID}${USER_GROUP}" ] || continue
+ break
+done
+[ -z "$REAL_ACCOUNT" ] && REAL_ACCOUNT="$PAM_USER"
+readonly USER_UID REAL_ACCOUNT
+
+# No success - access denied
+[ -z "$USER_UID" ] && exit 1
+[ "x$USER_UID" = "x0" ] && exit 1
+
+# Validate
+if ! echo "$USER_UID" | grep -Exq '[0-9]+'; then
+ slxlog --echo "pam-format-uid" "'$PAM_USER' has invalid userid '$USER_UID'"
+ exit 1
+fi
+if [ -n "$USER_GID" ] && ! echo "$USER_GID" | grep -Exq '[0-9]+'; then
+ slxlog --echo "pam-format-gid" "'$PAM_USER' has invalid groupid '$USER_GID'"
+ exit 1
+fi
+if [ "$(echo "${USER_UID}${USER_GID}${USER_GROUP}${USER_HOME}" | wc -l)" != "1" ]; then
+ slxlog --echo "pam-format-any" "A ppam module returned multilined attributes for uid/gid/group/home"
+ exit 1
+fi
+
+# Make sure group exists locally
+GROUPENT=
+if [ -n "$USER_GID" ]; then
+ GROUPENT=$(getent group "$USER_GID" 2>/dev/null)
+fi
+if [ -z "$GROUPENT" ] && [ -n "$USER_GROUP" ]; then
+ GROUPENT=$(getent group "$USER_GROUP" 2>/dev/null)
+fi
+# Force -- neither group nor gid exist yet
+if [ -z "$GROUPENT" ]; then
+ if [ -z "$USER_GROUP" ]; then
+ USER_GROUP=generic
+ fi
+ if [ -n "$USER_GID" ]; then
+ addgroup -g "$USER_GID" "$USER_GROUP" >/dev/null 2>&1
+ else
+ addgroup "$USER_GROUP" >/dev/null 2>&1
+ fi
+ GROUPENT=$(getent group "$USER_GROUP")
+fi
+
+if [ -n "$GROUPENT" ]; then
+ [ -z "$USER_GID" ] && USER_GID=$(echo "$GROUPENT" | awk -F ':' '{print $3}')
+ [ -z "$USER_GROUP" ] && USER_GROUP=$(echo "$GROUPENT" | awk -F ':' '{print $1}')
+ if ! grep -q "^${USER_GROUP}:" '/etc/group'; then
+ echo "$GROUPENT" >> '/etc/group'
+ fi
+fi
+readonly USER_GID USER_GROUP
+
+. /opt/openslx/pam/common/homedir-passwd
+
+# The user's non-persistent home directory mount point, which should be their linux home
+TEMP_HOME_DIR="$USER_HOME"
+# The user's persistent home directory mount point
+PERSISTENT_HOME_DIR="${TEMP_HOME_DIR}/PERSISTENT"
+readonly TEMP_HOME_DIR PERSISTENT_HOME_DIR
+
+###############################################################################
+#
+# Preparations for volatile /home/<user>
+#
+#
+# check if we already mounted the home directory
+if ! awk '{print $2}' /proc/mounts | grep -Fxq -- "${TEMP_HOME_DIR}"; then
+ # no home, lets create it
+ if ! mkdir -p "${TEMP_HOME_DIR}"; then
+ slxlog --echo "pam-global-mktemphome" "Could not create '${TEMP_HOME_DIR}'."
+ fi
+ if ! mount -t tmpfs -o mode=700,size=1024m tmpfs "${TEMP_HOME_DIR}"; then
+ slxlog --echo "pam-global-tmpfstemphome" "Could not make a tmpfs on '${TEMP_HOME_DIR}'"
+ fi
+ if ! chown "${USER_UID}:${USER_GID}" "${TEMP_HOME_DIR}"; then
+ slxlog --echo "pam-global-chpersistent" "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."
+ fi
+fi
+if [ -n "${REAL_ACCOUNT}" ]; then
+ echo "${REAL_ACCOUNT}" > "${TEMP_HOME_DIR}/.account"
+ chmod 0644 "${TEMP_HOME_DIR}/.account"
+fi
+
+
+###############################################################################
+#
+# Preparations for /home/<user>/PERSISTENT
+#
+#
+isHomeMounted() {
+ grep -Fuq " ${PERSISTENT_HOME_DIR} " /proc/mounts
+}
+
+PERSISTENT_OK=
+if ! isHomeMounted; then
+ if ! mkdir -p "${PERSISTENT_HOME_DIR}"; then
+ slxlog "pam-global-mkpersistent" "Could not create '${PERSISTENT_HOME_DIR}'."
+ else
+ for mount_file in /opt/openslx/pam/mount-persistent.d/*; do
+ [ -f "$mount_file" ] || continue
+ . "$mount_file"
+ if isHomeMounted; then
+ PERSISTENT_OK="yes"
+ break
+ fi
+ done
+ fi
+fi
+
+# Just try to delete the persistent dir. If the mount was successful, it will not work
+# If it was not successful, it will be removed so the user doesn't think he can store
+# anything in there
+rmdir -- "${PERSISTENT_HOME_DIR}" 2> /dev/null
+
+# Write warning message to tmpfs home
+if [ -n "${PERSISTENT_OK}" ]; then
+ # home directory mount SUCCESS
+ # create a WARNING.txt for the user with hint to PERSISTENT
+ # Remember for hooks in pam_script_auth.d
+ if [ "${NETWORK_HOME:0:2}" = '//' ]; then
+ PERSISTENT_NETPATH=$(echo "$NETWORK_HOME" | tr '/' '\')
+ else
+ PERSISTENT_NETPATH="$NETWORK_HOME"
+ fi
+ export PERSISTENT_NETPATH
+ cat > "${TEMP_HOME_DIR}/WARNING.txt" <<EOF
+ATTENTION: This is the non-persistent home directory!
+Files saved here will be lost on shutdown.
+Your real home is under ${PERSISTENT_HOME_DIR}
+Please save your files there.
+EOF
+else
+ # home directory mount FAILED
+ # create a WARNING.txt for the user, no PERSISTENT :-(
+ cat > "${TEMP_HOME_DIR}/WARNING.txt" <<EOF
+ATTENTION: This is a non-persistent home directory!
+Files saved here will be lost on shutdown.
+Please save your files on a USB drive or upload them
+to some web service.
+EOF
+fi
+chown "${USER_UID}" "${TEMP_HOME_DIR}/WARNING.txt"
+
+#
+# execute the stuff in pam_script_auth.d, if it exists
+#
+for file in /opt/openslx/scripts/pam_script_auth.d/*; do
+ [ -f "$file" ] || continue
+ ( . "$file" ) || slxlog "pam-source-hooks" "Could not source '$file'."
+done
+
+exit 0
+
|
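Review bot: The root-uid guard `[ "x$USER_UID" = "x0" ] && exit 1` is a plain string comparison and runs before the `grep -Exq '[0-9]+'` format check, so a value with leading zeros such as `00` handed back by an auth-source script passes both checks and is then used by chown (and, presumably, by the passwd entry that homedir-passwd writes) where it resolves to uid 0. Move the guard below the format check and compare numerically: `[ "$USER_UID" -eq 0 ] && exit 1`. USER_GID is only validated for format and is never compared against 0; if membership in gid 0 is not intended, the same numeric guard belongs there too. Separately, `grep -Fuq` in isHomeMounted looks like a typo for `-Fq`: as far as I can tell `-u` is not a busybox grep option and GNU grep treats it as obsolete, so the function may fail unconditionally and PERSISTENT_OK would never be set even after a successful mount.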