From f8abc5d351b6fa2293593d394a80c83665d5729d Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 28 Jun 2019 16:56:22 +0200
Subject: [pam-slx-plug] Move old pam_script_* hook dirs to pam dir
They're all now in subdirectories of /opt/openslx/pam/hooks. Symlinks have been put in place where they used to reside.
---
.../auth-slx-source.d/99-run_virt_credentials | 82 ++++++++++++++++++++++
.../hooks/session-close.d/runvirt-firewall-clear | 17 +++++
2 files changed, 99 insertions(+)
create mode 100644 core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials
create mode 100644 core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear
(limited to 'core/modules/run-virt/data/opt/openslx/pam')
diff --git a/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials b/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials
new file mode 100644
index 00000000..613c66ca
--- /dev/null
+++ b/core/modules/run-virt/data/opt/openslx/pam/hooks/auth-slx-source.d/99-run_virt_credentials
@@ -0,0 +1,82 @@
+#!/bin/ash
+# This is being sourced and running in ash
+
+if [ -n "$TEMP_HOME_DIR" ]; then
+ if [ -z "$PAM_TTY" ] || [ "x$PAM_TTY" = "x:0" ]; then
+ # Pass on network path to home directory
+ if [ -z "$PERSISTENT_NETPATH" ]; then
+ PERSISTENT_NETPATH=$(grep -m1 -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | awk '{print $1}')
+ fi
+ if [ -n "$PERSISTENT_NETPATH" ]; then
+ [ "x${PERSISTENT_NETPATH:0:2}" = "x//" ] && PERSISTENT_NETPATH=$(echo "$PERSISTENT_NETPATH" | tr '/' '\\')
+ echo "${PERSISTENT_NETPATH}" > "${TEMP_HOME_DIR}/.openslx/home"
+ chmod 0644 "${TEMP_HOME_DIR}/.openslx/home"
+ fi
+
+ # pwdaemon
+
+ # Figure out username
+ XUSER="${REAL_ACCOUNT}"
+ [ -z "$XUSER" ] && XUSER="${PAM_USER}"
+ # Figure out domain
+ XDOMAIN=
+
+ if [ -d "/opt/openslx/pam/slx-ldap.d" ]; then
+ # New pretty approach - modular with multiple auth sources
+ if [ -n "$SHARE_DOMAIN" ]; then
+ [ "x$SHARE_DOMAIN" != "x#" ] && XDOMAIN="$SHARE_DOMAIN"
+ else
+ if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then
+ XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g')
+ fi
+ if [ -z "$XDOMAIN" ] && [ -n "$USER_DN" ]; then
+ XDOMAIN=$(echo "$USER_DN" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ] && [ -n "$LDAP_BASE" ]; then
+ XDOMAIN=$(echo "$LDAP_BASE" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN="WORKGROUP"
+ fi
+ fi
+ else
+ # Old approach - just one global config
+ # Take explicitly configured domain
+ if [ -s "/opt/openslx/inc/shares" ]; then
+ . /opt/openslx/inc/shares
+ XDOMAIN="${SHARE_DOMAIN}"
+ fi
+ if [ "x$XDOMAIN" = "x#" ]; then
+ XDOMAIN=
+ else
+ # Guess domain
+ if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then
+ XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g')
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-)
+ fi
+ if [ -z "$XDOMAIN" ]; then
+ XDOMAIN="WORKGROUP"
+ fi
+ fi
+ fi
+ [ -n "$XDOMAIN" ] && XDOMAIN="$(echo "$XDOMAIN" | tr '[a-z]' '[A-Z]')\\"
+ USERNAME="${XDOMAIN}${XUSER}" PASSWORD="$PAM_AUTHTOK" PWSOCKET="${TEMP_HOME_DIR}/.pwsocket" pwdaemon --daemon "${USER_UID}"
+ unset XUSER XDOMAIN
+ fi
+fi
+
+# Now copy all the share mount options over from the current ldap plugin
+if [ -n "$SLX_LDAP_FILE" ] && [ -s "$SLX_LDAP_FILE" ]; then
+ grep '^SHARE_' "$SLX_LDAP_FILE"
+ if [ -n "$USER_DN" ] && [ "$(echo "$USER_DN" | wc -l)" = 1 ]; then
+ set | grep '^USER_DN='
+ fi
+fi > "${TEMP_HOME_DIR}/.openslx/shares"
+
+true
+
diff --git a/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear b/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear
new file mode 100644
index 00000000..4fdd88ab
--- /dev/null
+++ b/core/modules/run-virt/data/opt/openslx/pam/hooks/session-close.d/runvirt-firewall-clear
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+ # Sourced as session-close hook
+
+ runvirt_fw_clear () {
+ iptables -w -F runvirt-INPUT
+ ip6tables -w -F runvirt-INPUT
+ iptables -w -F runvirt-OUTPUT
+ ip6tables -w -F runvirt-OUTPUT
+ }
+
+ if [ "x$PAM_TTY" = "x:0" ]; then
+ runvirt_fw_clear > /dev/null 2>&1
+ fi
+
+ true
+
-- 
cgit v1.2.3-55-g7522
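Review bot: The redirects to `${TEMP_HOME_DIR}/.openslx/home` and `${TEMP_HOME_DIR}/.openslx/shares`, and the socket path `${TEMP_HOME_DIR}/.pwsocket` handed to pwdaemon, follow whatever already exists at those paths, and an auth-phase PAM hook is presumably running as root; if the temp home or its `.openslx` directory can be user-writable before this hook runs (for example left over from an earlier session), a planted symlink would redirect a root write. Worth confirming that the caller creates TEMP_HOME_DIR fresh and root-owned, or guarding each redirect with a check such as `[ ! -L "${TEMP_HOME_DIR}/.openslx/home" ]`. Separately, `.openslx/shares` is created with root's current umask (and as an empty file even when the `if` on SLX_LDAP_FILE is false) whereas `home` gets an explicit `chmod 0644`; if the SHARE_* lines or USER_DN are not meant to be world-readable, set its mode explicitly the same way. Passing the password via `PASSWORD="$PAM_AUTHTOK"` in the environment rather than argv keeps it out of `ps`, which is the right choice, and a one-line comment saying so would stop a future refactor from moving it to a flag.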
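Review bot: Every failure of the four flushes in `runvirt_fw_clear` is discarded by `> /dev/null 2>&1` on the call site, so if a flush does not happen (chain missing, ip6tables unavailable, xtables lock held) the `runvirt-*` rules survive into the next session on :0 and nobody is told. Consider keeping stderr and reporting instead, e.g. `runvirt_fw_clear 2>&1 | logger -t runvirt-firewall`, or appending `|| logger -t runvirt-firewall "flush failed"` to each iptables call. Note also that `-w` without a seconds argument waits for the xtables lock indefinitely, which can stall session close; where the installed iptables accepts it, `-w 5` bounds that wait. A short comment stating that these chains are created elsewhere and are expected to exist would make the silent-failure trade-off explicit.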