From 9b33230f3c6235990335fa73c071ff53e89dcfd8 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 9 Mar 2018 11:48:27 +0100
Subject: [run-virt] pwdaemon now drops privs, no more su hack; support pam-slx-plug
If usage of pam-slx-plug is detected, we'll use the approprivate environment variables to detect the mount domain, not the global /opt/openslx/inc/shares
---
 .../pam_script_auth.d/99-run_virt_credentials | 64 +++++++++++++++-------
 1 file changed, 43 insertions(+), 21 deletions(-)
(limited to 'core/modules/run-virt/data/opt/openslx/scripts')
diff --git a/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials b/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
index 941f0047..211f780e 100644
--- a/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
+++ b/core/modules/run-virt/data/opt/openslx/scripts/pam_script_auth.d/99-run_virt_credentials
@@ -12,38 +12,60 @@ if [ -n "$TEMP_HOME_DIR" ]; then echo "${PERSISTENT_NETPATH}" > "${TEMP_HOME_DIR}/.home" chmod 0644 "${TEMP_HOME_DIR}/.home" fi + # pwdaemon + # Figure out username XUSER="${REAL_ACCOUNT}" [ -z "$XUSER" ] && XUSER="${PAM_USER}" # Figure out domain XDOMAIN= - # Take explicitly configured domain - if [ -s "/opt/openslx/inc/shares" ]; then - . /opt/openslx/inc/shares - XDOMAIN="${SHARE_DOMAIN}" - fi - if [ "x$XDOMAIN" != "x#" ]; then - # Guess domain - if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then - XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g') - fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) + + if [ -d "/opt/openslx/pam/slx-ldap.d" ]; then + # New pretty approach - modular with multiple auth sources + if [ -n "$LDAP_DOMAIN_OVERRIDE" ]; then + [ "x$LDAP_DOMAIN_OVERRIDE" != "x#" ] && XDOMAIN="$LDAP_DOMAIN_OVERRIDE" + else + if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then + XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g') + fi + if [ -z "$XDOMAIN" ] && [ -n "$USER_DN" ]; then + XDOMAIN=$(echo "$USER_DN" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) + fi + if [ -z "$XDOMAIN" ] && [ -n "$LDAP_BASE" ]; then + XDOMAIN=$(echo "$LDAP_BASE" | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) + fi + if [ -z "$XDOMAIN" ]; then + XDOMAIN="WORKGROUP" + fi fi - if [ -z "$XDOMAIN" ]; then - XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-) + else + # Old approach - just one global config + # Take explicitly configured domain + if [ -s "/opt/openslx/inc/shares" ]; then + . 
/opt/openslx/inc/shares + XDOMAIN="${SHARE_DOMAIN}" fi - if [ -n "$XDOMAIN" ]; then - XDOMAIN=$(echo "$XDOMAIN" | tr '[a-z]' '[A-Z]') + if [ "x$XDOMAIN" = "x#" ]; then + XDOMAIN= else - XDOMAIN="WORKGROUP" + # Guess domain + if [ -z "$XDOMAIN" ] && [ -n "$PERSISTENT_HOME_DIR" ]; then + XDOMAIN=$(grep -F " ${PERSISTENT_HOME_DIR} " "/proc/mounts" | grep -m1 -F 'domain=' | sed -r 's/^.*[ ,]domain=([^ ,]*)[ ,].*$/\1/g') + fi + if [ -z "$XDOMAIN" ]; then + XDOMAIN=$(<"/etc/ldap.conf" grep -m1 -i '^BASE\s.*DC=' | grep -o -E -i 'DC=([^,;]+)' | head -n 1 | cut -c 4-) + fi + if [ -z "$XDOMAIN" ]; then + XDOMAIN=$(<"/etc/sssd/sssd.conf" grep -m1 -i '^ldap_search_base\s*=.*DC=' | grep -o -E -i 'DC=[^,;]+' | head -n 1 | cut -c 4-) + fi + if [ -z "$XDOMAIN" ]; then + XDOMAIN="WORKGROUP" + fi fi - XDOMAIN="${XDOMAIN}\\" - else - XDOMAIN= fi - USERNAME="${XDOMAIN}${XUSER}" PASSWORD="$PAM_AUTHTOK" PWSOCKET="${TEMP_HOME_DIR}/.pwsocket" su -c 'pwdaemon --daemon &' "${PAM_USER}" & + [ -n "$XDOMAIN" ] && XDOMAIN="$(echo "$XDOMAIN" | tr '[a-z]' '[A-Z]')\\" + USERNAME="${XDOMAIN}${XUSER}" PASSWORD="$PAM_AUTHTOK" PWSOCKET="${TEMP_HOME_DIR}/.pwsocket" pwdaemon --daemon "${USER_UID}" unset XUSER XDOMAIN fi fi -- cgit v1.2.3-55-g7522
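Review bot: The new launch line `USERNAME="${XDOMAIN}${XUSER}" PASSWORD="$PAM_AUTHTOK" PWSOCKET="${TEMP_HOME_DIR}/.pwsocket" pwdaemon --daemon "${USER_UID}"` hands the user's cleartext password to pwdaemon without checking that `USER_UID` is set, and nothing in the hunk shows who exports `USER_UID` on the old-approach branch (the replaced `su` line keyed on `PAM_USER` instead), so there the daemon may be started with an empty uid argument and keep whatever privilege that leaves it with. Wrapping the launch in `if [ -n "$USER_UID" ]; then … pwdaemon --daemon "$USER_UID"; fi`, or rejecting non-numeric values with `case "$USER_UID" in ''|*[!0-9]*) ;; *) … ;; esac`, keeps root from running a password-holding daemon with no drop target. The removed line also backgrounded pwdaemon, whereas the new one runs it in the foreground of the PAM auth phase; that is only fine if `--daemon` itself detaches, which the commit title implies but the hunk does not show. The enclosing `if` blocks closed by the trailing `fi fi` start outside the hunk.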