From 2318dd33592a354465de4496a99b6d02ada2fa41 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 28 Jun 2019 16:08:18 +0200
Subject: [pam-slx-plug] Add auth-final-exec hook

On successful authentication, run everything in dir /opt/openslx/pam/hooks/auth-final-exec.d This applies no matter which authentication module succeeded, contrary to the old pam_script_auth.d directory. Note that the password is NOT exposed in this hook, and it is only run if the pam stack is executing in root context.
---
 .../data/opt/openslx/pam/exec_auth_final | 39 ++++++++++++++++++++++
 .../data/opt/openslx/pam/systemd/create-pam-config | 1 +
 2 files changed, 40 insertions(+)
 create mode 100755 core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final
(limited to 'core/modules/pam-slx-plug')
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final
new file mode 100755
index 00000000..3d12d20f
--- /dev/null
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/exec_auth_final
@@ -0,0 +1,39 @@
+#!/bin/ash
+
+# This is executed in the pam_auth phase, after any real
+# authentication module succeeded. It will execute all scripts in
+# /opt/openslx/pam/hooks/auth-final-exec.d
+# This is in contrast to /opt/openslx/pam/hooks/auth-slx-success.d
+# which only executes if one of the pam-slx-plugins succeeded authing,
+# but then offers further variables detailing the auth environment.
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+# Remove password from stdin
+cat &> /dev/null &
+waitpid=$!
+
+# Only as root
+[ "$(whoami)" != "root" ] && exit 0
+
+source_dir=/opt/openslx/pam/hooks/auth-final-exec.d
+readonly source_dir
+
+[ -d "$source_dir" ] || exit 0
+
+for file in $source_dir/*; do
+ [ -e "$file" ] || continue # Dir empty, will be the unglobbed string
+ if ! [ -f "$file" ]; then
+ slxlog "pam-auth-final" "$file is not a file, ignoring"
+ continue
+ fi
+ if ! [ -x "$file" ]; then
+ slxlog "pam-auth-final" "$file is not executable!"
+ continue
+ fi
+ "$file" || slxlog "pam-auth-final" "$file didn't exit with code 0"
+done
+
+kill "$waitpid"
+
+exit 0
diff --git a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
index 7de43b7e..a4daa837 100755
--- a/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
+++ b/core/modules/pam-slx-plug/data/opt/openslx/pam/systemd/create-pam-config
@@ -135,6 +135,7 @@ if grep -q '' "/etc/pam.d/common-auth"; then
 cat >> "$tmpfile" <<-HERE
 auth optional pam_faildelay.so delay=2123123
 auth requisite pam_deny.so
+ auth optional pam_exec.so quiet /opt/openslx/pam/exec_auth_final
 auth required pam_permit.so
 auth optional pam_cap.so
 HERE
-- 
cgit v1.2.3-55-g7522
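Review bot: `cat &> /dev/null &` relies on the bash-style `&>` redirection under a `#!/bin/ash` shebang; a strict POSIX parse reads it as `cat &` followed by an empty redirected command, so if the target ash build lacks bash compatibility the background `cat` would copy stdin to stdout instead of discarding it — the portable form is `cat >/dev/null 2>&1 &`. The two early `exit 0` paths (non-root, missing hook directory) return before `kill "$waitpid"`, so the draining `cat` is left behind on those paths; moving the root check ahead of the `cat` line, or killing it before each exit, keeps the cleanup consistent. Since every script in /opt/openslx/pam/hooks/auth-final-exec.d is executed as root on any successful authentication, the loop could additionally refuse hooks that are not root-owned or are group/other-writable, reporting them through the existing `slxlog "pam-auth-final"` channel instead of running them. `$(whoami)` depends on resolving the effective UID to a name; `[ "$(id -u)" != 0 ] && exit 0` makes the guard independent of the password database.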
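Review bot: The added `pam_exec.so` entry sits between `pam_deny.so` and `pam_permit.so` inside a heredoc whose `cat >> "$tmpfile" <<-HERE` and enclosing `if` begin outside the hunk, so whether the line is reachable depends on the success-jump controls of the preceding auth entries that are not visible here; a `#` comment line emitted into the generated config just above it, e.g. `# run site hooks after any successful auth; the script itself requires root`, would make that intent clear to whoever reads the resulting PAM file. Without the `seteuid` option, pam_exec runs the command with the real UID of the calling process, so the script's own root check will presumably skip the hooks for set-uid callers such as su or sudo; if those callers are meant to trigger hooks, `seteuid` needs to be added on this line.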