author | Jonathan Bauer | 2014-01-22 16:59:29 +0100 |
---|---|---|
committer | Jonathan Bauer | 2014-01-22 16:59:29 +0100 |
commit | 1c997d023e76fdb5ac8b29d18f6cab43e166b593 (patch) | |
tree | 5dc0d422b945eba8070969d42cc374fe83ca984e /server | |
parent | [plymouth] quit service for plymouth, might be needed one day (diff) | |
[pam] changes: prepare the home directory structure in pam-auth, not in pam-session.
Diffstat (limited to 'server')
3 files changed, 68 insertions, 1 deletions
diff --git a/server/modules/pam-freiburg/etc/pam-script/pam_script_auth b/server/modules/pam-freiburg/etc/pam-script/pam_script_auth
new file mode 120000
index 00000000..319fba0e
--- /dev/null
+++ b/server/modules/pam-freiburg/etc/pam-script/pam_script_auth
@@ -0,0 +1 @@
+/opt/openslx/scripts/pam_script_auth
\ No newline at end of file
diff --git a/server/modules/pam-freiburg/etc/pam.d/common-auth b/server/modules/pam-freiburg/etc/pam.d/common-auth
index 790afa1d..ec7e3d5c 100644
--- a/server/modules/pam-freiburg/etc/pam.d/common-auth
+++ b/server/modules/pam-freiburg/etc/pam.d/common-auth
@@ -14,7 +14,8 @@
 # pam-auth-update(8) for details.
 
 # here are the per-package modules (the "Primary" block)
-auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=ok default=ignore] pam_krb5.so minimum_uid=1000
+auth [success=3 default=ignore] pam_script.so expose=1
 auth [success=2 default=ignore] pam_unix.so try_first_pass
 auth [success=1 default=ignore] pam_ldap.so use_first_pass
 # here's the fallback if no module succeeds
diff --git a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_auth b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_auth
new file mode 100755
index 00000000..611b565a
--- /dev/null
+++ b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_auth
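Review bot: With pam_krb5 downgraded to `success=ok default=ignore` and pam_script given the `success=3` jump, the outcome of this auth stack now hinges on the exit status of pam_script_auth, which (in the same commit) exits 0 on every path that is not a mkdir/mount/chown failure — a failed Kerberos check is ignored, pam_script "succeeds", and the jump skips pam_unix, pam_ldap and, if the lines below this hunk still follow the Debian template, the pam_deny fallback, landing on pam_permit. If that is the layout, a wrong password still authenticates unless the sourced persistent-mount script happens to fail; the lines after the hunk are not visible here, so please confirm the jump targets. A module that only prepares the home directory should not carry a jump: keep `auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000` and place the script after the primary block's pam_permit line as `auth optional pam_script.so expose=1`, so it runs only once a real authentication module has succeeded. Note also that `expose=1` hands the cleartext password to the script's environment (as PAM_AUTHTOK), which every process the script spawns inherits; keep it only if the sourced mount script actually needs the password.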
@@ -0,0 +1,65 @@
+#!/bin/ash
+
+# Needed as pam_script clears PATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/usr/sbin:/opt/openslx/usr/bin:/opt/openslx/sbin:/opt/openslx/bin"
+
+PASSWD=$(getent passwd "$PAM_USER")
+USER_GID=$(echo "$PASSWD" | awk -F ':' '{print $4}')
+USER_HOME=$(echo "$PASSWD" | awk -F ':' '{print $6}')
+
+# Script to be sourced to mount the user's persistent home
+PERSISTENT_MOUNT_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent"
+# Script to be run in the user's context iff the persistent home could be mounted successfully
+PERSISTENT_MOUNT_USER_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent_user"
+# The user's non-persistent home directory mount point, which should be their linux home
+TEMP_HOME_DIR="$USER_HOME"
+# The user's persistent home directory mount point
+PERSISTENT_HOME_DIR="${TEMP_HOME_DIR}/PERSISTENT"
+
+# check if the script runs as root
+[ "x$(whoami)" != "xroot" ] && exit 0
+
+# check if PAM_USER is root and skip if it is the case
+[ "x${PAM_USER}" == "xroot" ] && exit 0
+
+# check if we already mounted the home directory
+mount | grep -q " $TEMP_HOME_DIR " && exit 0
+
+# no home, lets create it
+mkdir -p "${TEMP_HOME_DIR}" || \
+ { slxlog "pam-global-mktemphome" "Could not create '${TEMP_HOME_DIR}'."; exit 1; }
+
+# now make it a tmpfs
+mount -t tmpfs -o size=100m tmpfs "${TEMP_HOME_DIR}" || \
+ { slxlog "pam-global-tmpfstemphome" "Could not make a tmpfs on ${TEMP_HOME_DIR}"; exit 1; }
+
+# create a WARNING.txt for the user
+cat > "${TEMP_HOME_DIR}/WARNING.txt" << EOF
+ATTENTION: This is the non-persistant home directory!
+Files saved here will be lost on shutdown.
+Your real home is under /home/<user>/PERSISTENT.
+Please save your files there.
+EOF
+
+# create the PERSISTENT directory
+mkdir -p "${PERSISTENT_HOME_DIR}" || \
+ { slxlog "pam-global-mkpersistent" "Could not create '${PERSISTENT_HOME_DIR}'."; exit 1; }
+
+if ! chown -R "${PAM_USER}:${USER_GID}" "${TEMP_HOME_DIR}"; then
+ slxlog "pam-global-chpersistent " "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."
+ exit 1
+fi
+
+# now lets see if we have a persistent directory mount script
+[ ! -e "${PERSISTENT_MOUNT_SCRIPT}" ] && exit 0
+# yes
+. "${PERSISTENT_MOUNT_SCRIPT}" || \
+ { slxlog "pam-global-sourcepersistent" "Could not source ${PERSISTENT_MOUNT_SCRIPT}."; exit 1; }
+
+# Just try to delete the persistent dir. If the mount was successful, it will not work
+# If it was not successful, it will be removed so the user doesn't think he can store
+# anything in there
+rmdir "$PERSISTENT_HOME_DIR" 2> /dev/null
+
+exit 0
+
|
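Review bot: The result of `getent passwd "$PAM_USER"` is never checked, so for a name with no passwd entry `USER_HOME` is empty and the script proceeds to `mount | grep -q "  "`, `mkdir -p ""` and `mount -t tmpfs ... ""`, failing only because mkdir rejects an empty path; add `[ -n "$USER_HOME" ] || { slxlog "pam-global-nohome" "No passwd entry for '${PAM_USER}'."; exit 1; }` directly after the awk lines. Because this is the auth hook rather than the session hook, everything below runs as root for every authentication attempt, before the password has been verified — any name typed at a login prompt that resolves via getent gets a 100m tmpfs mounted over its home and chowned to it — so a header comment stating that this is intended (and that the mount stays until shutdown) would spare the next reader the surprise. `mount | grep -q " $TEMP_HOME_DIR "` treats the home path as a regular expression; `mount | grep -qF -- " $TEMP_HOME_DIR "` matches it literally. The WARNING.txt text hardcodes `/home/<user>/PERSISTENT` while the script takes the home from the passwd entry; writing `${PERSISTENT_HOME_DIR}` in the here-doc keeps the two in sync.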