From 37be9900220139a78459cac24c3f040e0b35e40b Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 9 Mar 2018 16:53:32 +0100
Subject: [pam] Remove session logging and process killing/unmount, those are now external hooks
---
 .../data/opt/openslx/scripts/pam_script_ses_close | 68 ----------------------
 .../data/opt/openslx/scripts/pam_script_ses_open | 10 ----
 2 files changed, 78 deletions(-)
(limited to 'core/modules/pam')
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close
index adb94990..80b496d6 100755
--- a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_close
@@ -15,16 +15,6 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/o
 [ "x${PAM_SERVICE%greeter}" != "x${PAM_SERVICE}" ] && exit 0
-# NSA needs to know
-if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then
- . /opt/openslx/config
- if [ "x$SLX_REMOTE_LOG_SESSIONS" = "xyes" -o "x$PAM_USER" = "xroot" ]; then
- slxlog "session-close" "$PAM_USER logged out on $PAM_TTY"
- elif [ "x$SLX_REMOTE_LOG_SESSIONS" = "xanonymous" ]; then
- slxlog "session-close" "User logged out on $PAM_TTY"
- fi
-fi
-
 # source hooks if there are any
 if [ -d "/opt/openslx/scripts/pam_script_ses_close.d" ]; then
 for HOOK in $(ls "/opt/openslx/scripts/pam_script_ses_close.d"); do
@@ -33,63 +23,5 @@ if [ -d "/opt/openslx/scripts/pam_script_ses_close.d" ]; then
 done
 fi
-# do not kill all root processes :)
-[ "x${PAM_USER}" = "xroot" ] && exit 0
-
-USERID=$(id -u "$PAM_USER")
-[ -z "$USERID" ] && USERID="$PAM_USER"
-
-# Async block: Check if user has no session open anymore, if not
-# kill any remaining processes belonging to the user and unmount
-# everything at $USERHOME and below.
-{
- sleep 2 # Give things some time
- # Use who (utmp) to determine sessions by the user. loginctl might be nicer, but
- # a simple show-user $USER will also include detached sessions (eg. screen) which
- # makes this quite pointless. This needs to be investigated some day.
- SESSIONCOUNT=$(who | grep "^${PAM_USER}\\b" | wc -l)
- if [ "$SESSIONCOUNT" = "0" ]; then
-
- # last session, close all ghost user processes
- pkill -u "${USERID}"
-
- # check if user's processes are still running
- for TIMEOUT in 1 1 2 FAIL; do
- if ! ps -o pid,s -u "$USERID" -U "$USERID" | grep -q -v -E "PID|Z"; then
- # nothing running anymore
- break
- fi
- if [ "$TIMEOUT" = "FAIL" ]; then
- # still something running, send SIGKILL
- pkill -9 -u "${USERID}"
- else
- # give some time
- sleep "${TIMEOUT}"
- fi
- done
-
- fi
-
- # just to be sure we check again, since the pkilling above might have taken some time...
- SESSIONCOUNT=$(who | grep "^${PAM_USER}\\b" | wc -l)
- if [ "$SESSIONCOUNT" = "0" ]; then
-
- # unmount the home directory structure
- USER_HOME=$(getent passwd "$USERID" | awk -F ':' '{print $6}')
- if [ -n "$USER_HOME" ]; then
- for TIMEOUT in 0 0 2 2 FAIL; do
- OK=yes
- for dir in $(cat /proc/mounts | awk '{print $2}' | grep -e "^${USER_HOME}\$" -e "^${USER_HOME}/.*\$"); do
- umount "$dir" || OK=no
- done
- [ "$TIMEOUT" = "FAIL" -o "$OK" = "yes" ] && break
- sleep "$TIMEOUT"
- done
- fi
-
- fi
-
-} &
-
 exit 0
diff --git a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open
index a71a566f..0050758c 100755
--- a/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open
+++ b/core/modules/pam/data/opt/openslx/scripts/pam_script_ses_open
@@ -13,16 +13,6 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/o
 # just exit for greeter sessions
 [ "x${PAM_SERVICE%greeter}" != "x${PAM_SERVICE}" ] && exit 0
-# NSA needs to know
-if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then
- . /opt/openslx/config
- if [ "x$SLX_REMOTE_LOG_SESSIONS" = "xyes" -o "x$PAM_USER" = "xroot" ]; then
- slxlog "session-open" "$PAM_USER logged in on $PAM_TTY"
- elif [ "x$SLX_REMOTE_LOG_SESSIONS" = "xanonymous" ]; then
- slxlog "session-open" "User logged in on $PAM_TTY"
- fi
-fi
-
 # source the stuff in pam_script_ses_open.d, if it exists
 if [ -d "/opt/openslx/scripts/pam_script_ses_open.d" ]; then
 for HOOK in $(ls "/opt/openslx/scripts/pam_script_ses_open.d"); do
-- cgit v1.2.3-55-g7522