From 12abcf349af03264d1e038064976e5c34579391a Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 4 Dec 2018 13:20:56 +0100
Subject: [pam-slx-plug] Use caps from LDAP; allow running auth as user

Allow running exec_auth if the checked user is the user the script is running as. When writing user to /etc/passwd, use the spelling as supplied from the LDAP server.
---
 .../data/opt/openslx/pam/auth-source.d/99-slx-ldap | 9 ++++++++-
 .../data/opt/openslx/pam/common/homedir-passwd | 5 +++--
 .../modules/pam-slx-plug/data/opt/openslx/pam/exec_auth | 17 ++++++++++++-----
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
index 3e20d8ed..cab6c0a6 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/auth-source.d/99-slx-ldap
@@ -83,6 +83,9 @@ run_auth() {
 [ -z "$BINDDN" ] && BINDDN=$(extract_field "distinguishedName" "$SEARCH_ANON")
 [ -z "$BINDDN" ] && return 1
 # User exists
+# Get proper capitalization
+RET=$(extract_field "uid" "$SEARCH_ANON")
+[ -n "$RET" ] && USER_NAME="$RET"
 if [ "$PAM_TYPE" = "account" ]; then
 # 'account' checks just if the user is allowed to log in, bail out
 USER_UID=$(extract_field "uidNumber" "$SEARCH_ANON")
@@ -92,7 +95,11 @@ run_auth() {
 fi
 SEARCH_USER=$(mktemp)
 TEMPFILES_LDAP="$TEMPFILES_LDAP $SEARCH_USER"
-PW="/run/pw.${RANDOM}.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+if [ -z "$SCRIPT_USER" ] || [ "$SCRIPT_USER" = "root" ]; then
+PW="/run/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+else
+PW="/run/user/${USER_UID}/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"
+fi
 for retries in 0 1 1 0; do
 if ! mkfifo -m 0600 "${PW}"; then
 slxlog "pam-slxldap-fifo" "Could not create FIFO at ${PW}"
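Review bot: The LDAP-supplied `uid` replaces USER_NAME without any check that it names the same account the user typed, so a directory value that differs from PAM_USER in more than case, or that contains ':' or '/', becomes the name written to /etc/passwd and interpolated into the sed address in homedir-passwd; the ':' screen in exec_auth only ever looked at PAM_USER. Adopt the spelling only when it is a case variant of what was typed, e.g. `[ -n "$RET" ] && [ "$(printf '%s' "$RET" | tr '[:upper:]' '[:lower:]')" = "$(printf '%s' "$PAM_USER" | tr '[:upper:]' '[:lower:]')" ] && USER_NAME="$RET"`. run_auth begins before this hunk, so I cannot see whether RET is already used as a scratch variable elsewhere in the function.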
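Review bot: The `else` branch builds the FIFO path from USER_UID, but the only assignment of that variable visible in this file is inside the `account` branch of the previous hunk, so if the `auth` path reaches this point without it the FIFO is created at `/run/user//pw.…`. Since this branch only runs when SCRIPT_USER is the user being checked, the process's own uid is the reliable source: `PW="/run/user/$(id -u)/pw.${RANDOM}.${PAM_USER}.${RANDOM}.$$"`. /run/user/<uid> also typically exists only while a session for that uid is active, so when it is absent the mkfifo retry loop below cannot succeed; a guard like `[ -d "/run/user/$(id -u)" ] || return 1` with a slxlog line makes that failure explicit instead of four silent retries. run_auth continues past the end of this hunk.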
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
index 006f1c81..53ed1a5b 100644
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/common/homedir-passwd
@@ -19,9 +19,10 @@ fi
 readonly USER_HOME
 
 # Add/replace passwd entry if it doesn't exist yet
-LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}:${USER_HOME}:/bin/bash"
+LINE_PASS="${USER_NAME}:x:${USER_UID}:${USER_GID}:${USER_NAME}@SLX:${USER_HOME}:/bin/bash"
 readonly LINE_PASS
 if ! grep -Fxq -- "${LINE_PASS}" /etc/passwd; then
-sed -i "/^${USER_NAME}:/d" /etc/passwd
+# Make sure there's no existing line with same uid or uidNumber
+sed -i -r "/^${USER_NAME}:/d;/^[^:]*:x:${USER_UID}:/d" /etc/passwd
 echo "${LINE_PASS}" >> /etc/passwd
 fi
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
index 6f1dc0ae..99d5afa8 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth
@@ -8,7 +8,7 @@ readonly USER_PASSWORD
 [ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
 
 USER_NAME="$PAM_USER"
-readonly PAM_USER USER_NAME
+readonly PAM_USER
 
 # Needed as pam_script clears PATH
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
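Review bot: USER_NAME and USER_UID are interpolated unescaped into the sed script, and with `-r` now set the address is an ERE, so a name containing `.`, `+`, `(` or `/` changes or breaks the address (`/` terminates it) and can delete the wrong passwd lines; this matters more after this commit because USER_NAME is now whatever the LDAP server returned for `uid`, not the value exec_auth screened for ':'. The `grep -Fxq` above is fixed-string, so only the sed needs protecting: either validate both values first, `printf '%s' "$USER_NAME" | grep -Eq '^[A-Za-z0-9._-]+$' || exit 1` and `printf '%s' "$USER_UID" | grep -Eq '^[0-9]+$' || exit 1`, or do the deletion with awk, passing both via `-v` and comparing `$1` and `$3` as strings. The comment should also say that an unrelated local account sharing the uidNumber is removed on purpose, since that is a visible consequence of the second address.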
@@ -20,10 +20,17 @@ if echo "$PAM_USER" | grep -Fq ':'; then
 fi
 
 # check if the script runs as root
-[ "x$(whoami)" = "xroot" ] || exit 1
+SCRIPT_USER=$(whoami)
+readonly SCRIPT_USER
+[ "x$SCRIPT_USER" = "xroot" ] || [ "x$SCRIPT_USER" = "x$PAM_USER" ] || exit 1
 
-# See if we have a shadow entry - skip user in that case
-grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+if [ "$PAM_USER" = "root" ]; then
+# See if we have a shadow entry - skip user in that case
+grep -q "^${PAM_USER}:" "/etc/shadow" && exit 1
+else
+# Running in user context - user must be known from before
+grep -q "^${PAM_USER}:x:.*:.*:${PAM_USER}@SLX:" "/etc/passwd" || exit 1
+fi
 
 # ppam -- pluggable pluggable authentication module
 # Source all scripts in the auth-source.d directory
@@ -101,7 +108,7 @@ if [ -n "$GROUPENT" ]; then
 echo "$GROUPENT" >> '/etc/group'
 fi
 fi
-readonly USER_GID USER_GROUP
+readonly USER_GID USER_GROUP USER_NAME
 
 . /opt/openslx/pam/common/homedir-passwd
--
cgit v1.2.3-55-g7522
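Review bot: The new branch tests `$PAM_USER` against root, but both branch comments and the commit message describe a split on who is running the script, so this looks like it should be `if [ "$SCRIPT_USER" = "root" ]; then`; as written, a root-run first login for any ordinary user takes the else branch and exits before the passwd entry that homedir-passwd creates exists, and the shadow-entry skip only applies when someone authenticates as root. In the else branch PAM_USER is used as a regex rather than a fixed string and is compared case-sensitively against the LDAP-capitalized name this same commit stores in the gecos field, so a user who types the name in different case is rejected; `grep -qi -- "^${PAM_USER}:x:.*:.*:${PAM_USER}@SLX:" /etc/passwd` avoids the spurious rejection, and the existing ':' screen above still does not cover regex metacharacters. When the script runs as the user, the /etc/group and /etc/passwd writes later in this file still execute under that uid; from this hunk I cannot see how their failure is handled.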