10 files changed, 145 insertions, 55 deletions
diff --git a/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_close b/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_close index 198d2efe..f7a10fef 100755 --- a/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_close +++ b/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_close @@ -4,7 +4,9 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/usr/sbin:/opt/openslx/usr/bin:/opt/openslx/sbin:/opt/openslx/bin" # NSA needs to know -slxlog "session-close" "$PAM_USER logged out on $PAM_TTY" +if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then + slxlog "session-close" "$PAM_USER logged out on $PAM_TTY" +fi # do not kill all root processes :) [ "x${PAM_USER}" = "xroot" ] && exit 0 @@ -41,10 +43,10 @@ if [ "$SESSIONCOUNT" = "1" ]; then OPEN2=$(loginctl show-user "$PAM_USER" | grep "Sessions=" | cut -c 10-) if [ -z "$OPEN2" -o "x$OPENSESSION" = "x$OPEN2" ]; then # unmount the home directory structure - umount -l "/home/${PAM_USER}/PERSISTENT" || \ + umount -l -f "/home/${PAM_USER}/PERSISTENT" || \ echo "Could not unmount '/home/${PAM_USER}/PERSISTENT'." - - umount -l "/home/${PAM_USER}" || \ + + umount -l -f "/home/${PAM_USER}" || \ echo "Could not unmount '/home/${PAM_USER}'." fi fi diff --git a/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_open b/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_open index 84a51473..66cda56c 100755 --- a/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_open +++ b/remote/modules/pam/data/opt/openslx/scripts/pam_script_ses_open 
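Review bot: The new guard `[ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]` relies on the `-a` test operator, which POSIX marks obsolescent and which turns ambiguous as soon as an operand looks like an operator; `if [ "x$PAM_SERVICE" != "xsu" ] && [ "x$PAM_SERVICE" != "xsudo" ]; then` expresses the same condition without it. The same construct is introduced in pam_script_ses_open's session-open guard and in its `PERSISTENT_OK` check, so all three places can be changed together.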
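Review bot: The failure branches behind the new `umount -l -f` lines still report through `echo`, so the message goes to pam_script's stdout instead of the log that every other failure in these scripts is sent to; `slxlog "pam-global-umount" "Could not unmount '/home/${PAM_USER}/PERSISTENT'."` (tag constructed here, pick the project's convention) would keep it with the rest. Because `-l` returns as soon as the detach is queued and defers the real teardown, that branch now only fires for "not mounted" or permission errors, which deserves a one-line comment such as `# -l succeeds once the detach is queued; a later NFS hang is not reported here`. The enclosing `if [ "$SESSIONCOUNT" = "1" ]` block starts outside the hunk.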
@@ -3,12 +3,21 @@ # Needed as pam_script clears PATH export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/usr/sbin:/opt/openslx/usr/bin:/opt/openslx/sbin:/opt/openslx/bin" +# Script to be sourced to mount the user's persistent home PERSISTENT_MOUNT_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent" +# Script to be run in the user's context iff the persistent home could be mounted successfully +PERSISTENT_MOUNT_USER_SCRIPT="/opt/openslx/scripts/pam_script_mount_persistent_user" +# The user's non-persistent home directory mount point, which should be their linux home TEMP_HOME_DIR="/home/${PAM_USER}" +# The user's persistent home directory mount point PERSISTENT_HOME_DIR="/home/${PAM_USER}/PERSISTENT" +PAM_GROUP=$(id -ng "$PAM_USER") + # NSA needs to know -slxlog "session-open" "$PAM_USER logged in on $PAM_TTY" +if [ "x$PAM_SERVICE" != "xsu" -a "x$PAM_SERVICE" != "xsudo" ]; then + slxlog "session-open" "$PAM_USER logged in on $PAM_TTY" +fi # check if the script runs as root [ "x$(whoami)" != "xroot" ] && exit 0 @@ -17,7 +26,7 @@ slxlog "session-open" "$PAM_USER logged in on $PAM_TTY" [ "x${PAM_USER}" == "xroot" ] && exit 0 # check if we already mounted the home directory -mount | grep -q "$TEMP_HOME_DIR" && exit 0 +mount | grep -q " $TEMP_HOME_DIR " && exit 0 # no home, lets create it mkdir -p "${TEMP_HOME_DIR}" || \ 
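Review bot: `PAM_GROUP=$(id -ng "$PAM_USER")` runs unconditionally, before the root check a few lines below, and an `id` failure (user not yet resolvable through NSS, or an empty `PAM_USER`) leaves `PAM_GROUP` empty with no log entry; `PAM_GROUP=$(id -ng "$PAM_USER") || slxlog "pam-global-idgroup" "Could not resolve primary group of '$PAM_USER'."` (tag constructed here) would at least record it. It is also a plain assignment, like `TEMP_HOME_DIR` and `PERSISTENT_HOME_DIR`, so none of the three reach child processes, although the comment above `PERSISTENT_MOUNT_USER_SCRIPT` says that script is to be run in the user's context. A short comment next to these assignments listing which variables the sourced mount script and the user script depend on would make that contract visible to the next reader.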
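Review bot: `mount | grep -q " $TEMP_HOME_DIR "` still interprets the user name inside `TEMP_HOME_DIR` as a regular expression and depends on the textual format of `mount` output, which escapes spaces in paths as `\040`; the added surrounding spaces fix the prefix-match problem but not those two. `mountpoint -q "$TEMP_HOME_DIR" && exit 0` asks the kernel directly if util-linux's mountpoint is in the image; otherwise `mount | grep -qF -- " $TEMP_HOME_DIR " && exit 0` at least removes the regex interpretation.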
@@ -51,13 +60,25 @@ for ext in doc xls ppt odt; do done done -chown -R "${PAM_USER}" "${TEMP_HOME_DIR}" || \ - { slxlog "pam-global-chpersistent " "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'."; exit 1; } +if ! chown -R "${PAM_USER}" "${TEMP_HOME_DIR}"; then + slxlog "pam-global-chpersistent " "Could not chown '${TEMP_HOME_DIR}' to '${PAM_USER}'." + exit 1 +fi -# now lets see if we have a persistent directory +# now lets see if we have a persistent directory mount script [ ! -e "${PERSISTENT_MOUNT_SCRIPT}" ] && exit 0 +# yes . "${PERSISTENT_MOUNT_SCRIPT}" || \ { slxlog "pam-global-sourcepersistent" "Could not source ${PERSISTENT_MOUNT_SCRIPT}."; exit 1; } -# TODO: Symlinks mkdirs for certain programs etc. +# If there is a user mount script and mounting was successful, run it +if [ -n "$PERSISTENT_OK" -a -x "$PERSISTENT_MOUNT_USER_SCRIPT" ]; then + if which sudo 2> /dev/null; then + sudo -u "$PAM_USER" "$PERSISTENT_MOUNT_USER_SCRIPT" + else + su -l -c "$PERSISTENT_MOUNT_USER_SCRIPT" "$PAM_USER" + fi +fi + exit 0 + diff --git a/remote/targets/stage32/samba b/remote/targets/stage32/samba deleted file mode 120000 index c8dcfc0b..00000000 --- a/remote/targets/stage32/samba +++ /dev/null @@ -1 +0,0 @@ -../../modules/samba
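Review bot: The user script is started with `sudo -u` or `su -l`, and both discard the caller's environment (sudo through env_reset, `su -l` by starting a login shell), while `TEMP_HOME_DIR`, `PERSISTENT_HOME_DIR` and `PAM_GROUP` are unexported shell variables in this file anyway; the new pam_script_mount_persistent_user reads exactly those names, so as written it runs with them empty and operates on paths such as `/.vim`. The values have to be handed over explicitly, for example through `env` under sudo and by exporting them and dropping `-l` for su, as sketched below. `which sudo 2> /dev/null` additionally prints the resolved path to stdout; `command -v sudo >/dev/null 2>&1` is the quiet, portable form. The `-a` in `[ -n "$PERSISTENT_OK" -a -x "$PERSISTENT_MOUNT_USER_SCRIPT" ]` is the obsolescent test operator; `[ -n "$PERSISTENT_OK" ] && [ -x "$PERSISTENT_MOUNT_USER_SCRIPT" ]` avoids it.
```shell
# pam_script_mount_persistent_user reads these; unexported variables never
# reach the child, and sudo's env_reset / su's login shell drop exported ones.
export PAM_USER TEMP_HOME_DIR PERSISTENT_HOME_DIR PAM_GROUP
if [ -n "$PERSISTENT_OK" ] && [ -x "$PERSISTENT_MOUNT_USER_SCRIPT" ]; then
  if command -v sudo >/dev/null 2>&1; then
    sudo -u "$PAM_USER" env PAM_USER="$PAM_USER" TEMP_HOME_DIR="$TEMP_HOME_DIR" \
      PERSISTENT_HOME_DIR="$PERSISTENT_HOME_DIR" PAM_GROUP="$PAM_GROUP" \
      "$PERSISTENT_MOUNT_USER_SCRIPT"
  else
    # no -l: a login shell would start from a clean environment
    su -c "$PERSISTENT_MOUNT_USER_SCRIPT" "$PAM_USER"
  fi
fi
# … unchanged: exit 0 …
```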
\ No newline at end of file diff --git a/server/export_target b/server/export_target index ce262538..906c5cdc 100755 --- a/server/export_target +++ b/server/export_target @@ -50,7 +50,7 @@ sync_remote() { #TODO setup link to remote build directory, later this directory will be rsynced or exported to this server... mkdir -p "${SERVER_BUILD_DIR}" || perror "Could not create directory for local copy of remote system ($SERVER_BUILD_DIR)" - rsync -a --numeric-ids --delete -v -e "ssh -oStrictHostKeyChecking=no" "root@$REMOTE_IP:/export/build/*" "$SERVER_BUILD_DIR" + rsync -a --numeric-ids --delete -v -e "ssh -c arcfour -oStrictHostKeyChecking=no" "root@$REMOTE_IP:/export/build/*" "$SERVER_BUILD_DIR" local RET=$? if [ $RET -eq 0 ]; then pinfo "Syncing completed." diff --git a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent index d8808f66..f6b71527 100644 --- a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent +++ b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent @@ -1,5 +1,5 @@ ################################################################### -# +# # This script is a part of the pam_script_ses_open script # and is not stand-alone! # 
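Review bot: `ssh -c arcfour` selects RC4, which OpenSSH disabled by default in 7.0 and removed outright in 7.6, so on a current client this rsync fails with an unknown-cipher error before any data moves; if the motivation is throughput, `-c aes128-gcm@openssh.com` (or `chacha20-poly1305@openssh.com`) is the supported fast choice. The same line keeps `-oStrictHostKeyChecking=no`, which accepts any host key for a root-level pull of the entire build tree; pinning the remote's key with `-oUserKnownHostsFile=<path-to-known-hosts>` keeps the run non-interactive without giving up verification. `sync_remote` starts outside the hunk.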
@@ -9,26 +9,26 @@ # Only run this if the user is a student # These have a gid > 1000 -if [ $(id -g ${PAM_USER}) -ge 1000 ]; then +if ! grep -q "^${PAM_USER}:" "/etc/passwd"; then - # generate keytab - sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ - { slxlog "pam-freiburg-sslconnect" "Could not get /etc/kr5b.keytab from npserver.ruf.uni-freiburg.de"; exit 1; } + # generate keytab + sslconnect npserv.ruf.uni-freiburg.de:3 > /etc/krb5.keytab || \ + { slxlog "pam-freiburg-sslconnect" "Could not get /etc/kr5b.keytab from npserver.ruf.uni-freiburg.de"; exit 1; } - chmod 600 /etc/krb5.keytab || \ - { slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 /etc/kr5b.keytab'"; exit 1; } + chmod 600 /etc/krb5.keytab || \ + { slxlog "pam-freiburg-keytab" "Could not run 'chmod 600 /etc/kr5b.keytab'"; exit 1; } - # determine fileserver and share for home directories - ldapsearch -x -LLL uid="${PAM_USER}" homeDirectory rufFileserver > "/tmp/ldapsearch.${PAM_USER}" || \ - { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for 'homeDirectory' and 'rufFileserver' parameters of user '${PAM_USER}'."; exit 1; } + # determine fileserver and share for home directories + ldapsearch -x -LLL uid="${PAM_USER}" homeDirectory rufFileserver > "/tmp/ldapsearch.${PAM_USER}" || \ + { slxlog "pam-freiburg-ldapquery" "Could not query LDAP server for 'homeDirectory' and 'rufFileserver' parameters of user '${PAM_USER}'."; exit 1; } - FILESERVER=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufFileserver | cut -d" " -f2) - VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep homeDirectory | cut -d" " -f2) + FILESERVER=$(cat /tmp/ldapsearch.${PAM_USER} | grep rufFileserver | cut -d" " -f2) + VOLUME=$(cat /tmp/ldapsearch.${PAM_USER} | grep homeDirectory | cut -d" " -f2) - [ -z "${FILESERVER}" ] && slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}." 
&& exit 1 - [ -z "${VOLUME}" ] && slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}." && exit 1 + [ -z "${FILESERVER}" ] && slxlog "pam-freiburg-ldapfs" "LDAP server did not provide 'rufFileserver'. Aborting mount for ${PAM_USER}." && exit 1 + [ -z "${VOLUME}" ] && slxlog "pam-freiburg-ldapvolume" "LDAP server did not provide 'homeDirectory'. Aborting mount for ${PAM_USER}." && exit 1 - # now we can mount the home directory! + # now we can mount the home directory! MOUNT_OPTS="-t nfs4 -o rw,nosuid,nodev,nolock,intr,hard,sloppy" if echo "$FILESERVER" | grep -q "sunfs6"; then @@ -46,10 +46,15 @@ if [ $(id -g ${PAM_USER}) -ge 1000 ]; then sleep "${COUNTER}" done - if [ -e "${SIGNAL}" ] || kill -9 "${MOUNT_PID}" 2>/dev/null; then + if [ -e "${SIGNAL}" ]; then slxlog "pam-freiburg" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' failed. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER" rm -f -- "${SIGNAL}" + elif kill -9 "${MOUNT_PID}" 2>/dev/null; then + slxlog "pam-freiburg" "Mount of '${FILESERVER}:${VOLUME}' to '${PERSISTENT_HOME_DIR}' timed out. (Args: ${MOUNT_OPTS})" "/tmp/home.$PAM_USER" + else + PERSISTENT_OK=yes fi rm -f -- "/tmp/home.$PAM_USER" + fi diff --git a/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent_user b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent_user new file mode 100644 index 00000000..579bc659 --- /dev/null +++ b/server/modules/pam-freiburg/opt/openslx/scripts/pam_script_mount_persistent_user 
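Review bot: `grep -q "^${PAM_USER}:" "/etc/passwd"` hands the user name to grep as a basic regular expression, so a name containing `.` or `*` matches more than intended; `if ! cut -d: -f1 /etc/passwd | grep -qxF -- "$PAM_USER"; then` compares the first field literally and whole-line while keeping the intent of a local-file lookup (which switching to `getent` would lose, since that consults NSS). The re-indented body still writes the LDAP answer to the predictable `/tmp/ldapsearch.${PAM_USER}` as root and never removes it; a `mktemp` name removed with `rm -f --` afterwards would close the symlink window and the leftover. The `if` body continues past the end of the hunk.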
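Review bot: `elif kill -9 "${MOUNT_PID}"` terminates the background wrapper that `MOUNT_PID` names, not the mount process it spawned, so a slow NFS mount can still complete after the script has logged a timeout and left `PERSISTENT_OK` unset, and the later steps then disagree with what is actually mounted; the mount invocation itself is above the hunk, so this is inferred from the sleep loop and the signal-file handling. Running the mount under `timeout` (coreutils) so the mount process itself receives the signal, or re-checking `mountpoint -q "$PERSISTENT_HOME_DIR"` after the kill before choosing the branch, would make the three outcomes truthful. Until then a comment like `# MOUNT_PID is the wrapper subshell; the mount child may outlive it` would flag the gap. The new pam-offenburg pam_script_mount_persistent in this commit uses the same structure.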
@@ -0,0 +1,34 @@
+#!/bin/ash
+# Called by pam_script_mount_persistent
+# Run as the user that is opening a session
+
+# Persistent home was mounted, take care of some conveinience
+# Dirs
+for file in .vim .mozilla .config/chromium .config/htop .config/openslx; do
+ if [ "x$(dirname "$file")" != "x." ]; then
+ mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")"
+ chown -R "$PAM_USER:$PAM_GROUP" "$TEMP_HOME_DIR/${file%%/*}"
+ fi
+ if [ ! -d "$PERSISTENT_HOME_DIR/$file" ]; then
+ mkdir -p "$PERSISTENT_HOME_DIR/$file"
+ chown -R "$PAM_USER:$PAM_GROUP" "$PERSISTENT_HOME_DIR/${file%%/*}"
+ fi
+ ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file"
+done
+# Files
+for file in .bashrc .profile .vimrc .gitconfig; do
+ if [ "x$(dirname "$file")" != "x." ]; then
+ mkdir -p "$TEMP_HOME_DIR/$(dirname "$file")"
+ chown -R "$PAM_USER:$PAM_GROUP" "$TEMP_HOME_DIR/${file%%/*}"
+ fi
+ if [ ! -d "$PERSISTENT_HOME_DIR/$file" ]; then
+ mkdir -p "$PERSISTENT_HOME_DIR/$file"
+ chown -R "$PAM_USER:$PAM_GROUP" "$PERSISTENT_HOME_DIR/${file%%/*}"
+ fi
+ ln -s "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file"
+done
+# Check if user has autostart script and run it (so they can create more symlinks etc.)
+if [ -x "$PERSISTENT_HOME_DIR/AUTOSTART" ]; then
+ "$PERSISTENT_HOME_DIR/AUTOSTART"
+fi
+
diff --git a/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_close b/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_close
deleted file mode 100755
index 347c4ab9..00000000
--- a/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_close
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
-
-umount "/home/users/$PAM_USER"
-
diff --git a/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_open b/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_open
deleted file mode 100755
index c769a7c7..00000000
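Review bot: The second loop creates directories for `.bashrc`, `.profile`, `.vimrc` and `.gitconfig`: `[ ! -d "$PERSISTENT_HOME_DIR/$file" ]` is true for a missing file, `mkdir -p` then makes a directory of that name on the persistent share, and the symlink points bash, vim and git at a directory they cannot read as their config. The file loop should test `-e` and `touch`, as below. `ln -s` also fails when `$TEMP_HOME_DIR/$file` already exists, which happens if the home created by pam_script_ses_open already contains one of these names; `ln -sfn` replaces it. `TEMP_HOME_DIR`, `PERSISTENT_HOME_DIR` and `PAM_GROUP` are read here but never set, so the header comment should list the variables the caller has to export (and "conveinience" is a typo).
```shell
# Files
for file in .bashrc .profile .vimrc .gitconfig; do
  # … unchanged: create the parent directory under TEMP_HOME_DIR …
  if [ ! -e "$PERSISTENT_HOME_DIR/$file" ]; then
    # a regular file, not a directory (-d), is what bash/vim/git expect here
    touch "$PERSISTENT_HOME_DIR/$file"
    chown "$PAM_USER:$PAM_GROUP" "$PERSISTENT_HOME_DIR/$file"
  fi
  # replace a pre-existing copy in the temporary home instead of failing on it
  ln -sfn "$PERSISTENT_HOME_DIR/$file" "$TEMP_HOME_DIR/$file"
done
```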
--- a/server/modules/pam-offenburg/etc/pam-script/pam_script_ses_open
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/bin:/opt/openslx/sbin:/opt/openslx/usr/bin:/opt/openslx/usr/sbin"
-
-
-[ -n "$PAM_USER" ] && export loggedInUser="$PAM_USER"
-
-#create Folder on Desktop to link with H-Drive, if not already existent
-if [ ! -d "/home/users/$loggedInUser" ]; then
- mkdir -p "/home/users/$loggedInUser"
-fi
-
-
-#ask for username
-#read -p "Benutzername: " username
-
-
-#mount H-Drive
-ncpmount -A "fs1-2-home.rz.hs-offenburg.de" -S "fs1-2-home.rz.hs-offenburg.de" -V "HOME/USERS/$loggedInUser" -U "$loggedInUser.HRZ.FHO" "/home/users/$loggedInUser"
-
-
diff --git a/server/modules/pam-offenburg/etc/pam.d/common-session b/server/modules/pam-offenburg/etc/pam.d/common-session
index 4c4a7e95..d79eec68 100644
--- a/server/modules/pam-offenburg/etc/pam.d/common-session
+++ b/server/modules/pam-offenburg/etc/pam.d/common-session
@@ -27,6 +27,7 @@ session required pam_permit.so
 session optional pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 session required pam_systemd.so
+session optional pam_ck_connector.so nox11
 session optional pam_env.so readenv=1
 session optional pam_env.so readenv=1 envfile=/etc/default/locale
 session [success=1] pam_unix.so
diff --git a/server/modules/pam-offenburg/opt/openslx/scripts/pam_script_mount_persistent b/server/modules/pam-offenburg/opt/openslx/scripts/pam_script_mount_persistent
new file mode 100644
index 00000000..08d30195
--- /dev/null
+++ b/server/modules/pam-offenburg/opt/openslx/scripts/pam_script_mount_persistent
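Review bot: `session optional pam_ck_connector.so nox11` registers a ConsoleKit session next to the logind session that `pam_systemd.so` on the line above already creates, so two registries now track the same login; the session counting in the remote pam_script_ses_close uses `loginctl`, which only sees the logind side, so this line cannot be what feeds it. If something in the Offenburg image genuinely needs ConsoleKit, a comment on this line naming that consumer would stop the next reader from removing an apparently redundant module, and since the entry is `optional` a missing ConsoleKit daemon would otherwise fail silently.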
@@ -0,0 +1,55 @@
+###################################################################
+#
+# This script is a part of the pam_script_ses_open script
+# and is not stand-alone!
+#
+# It will try to mount the home directories of students
+# under /home/<user>/PERSISTENT using kerberos.
+#
+
+
+# Only consider users not in local user db
+if ! grep -q "^${PAM_USER}:" /etc/passwd; then
+
+ if [ -z "$PAM_USER" ]; then
+ # Ask for username
+ read -p "Benutzername: " loggedInUser
+ else
+ loggedInUser="$PAM_USER"
+ fi
+
+ if [ -n "$PAM_AUTHTOK" ]; then
+ password="$PAM_AUTHTOK"
+ else
+ # No password from pam stack, ask user (if we're on a console)
+ if [ "x$PAM_TTY" = "xssh" ]; then
+ read -p "Passwort: " password
+ elif [ "x$(echo "$PAM_TTY" | cut -c 1-8)" = "x/dev/tty" ]; then
+ read -p "Passwort: " password
+ fi
+ fi
+
+ if [ -n "$password" ]; then
+ # We know the user's password, so try to mount H-Drive
+ SIGNAL=$(mktemp)
+ ERRLOG=$(mktemp)
+ rm -f -- "${SIGNAL}"
+ ( ncpmount -A "fs1-2-home.rz.hs-offenburg.de" -S "fs1-2-home.rz.hs-offenburg.de" -V "HOME/USERS/$loggedInUser" -U "$loggedInUser.HRZ.FHO" -P "$password" "$PERSISTENT_HOME_DIR" > "$ERRLOG" 2>&1 || touch "$SIGNAL" ) &
+ MOUNT_PID=$!
+ for COUNTER in 1 1 2 3; do
+ kill -0 "$MOUNT_PID" || break
+ sleep "$COUNTER"
+ done
+ if [ -e "${SIGNAL}" ]; then # Signal file was created, so mount failed
+ slxlog "pam-offenburg" "Mount of 'HOME/USERS/$loggedInUser' to '$PERSISTENT_HOME_DIR' failed." "$ERRLOG"
+ elif kill -9 "${MOUNT_PID}" 2>/dev/null; then # ncpmount is still running, consider it failed and kill it
+ slxlog "pam-offenburg" "Mount of 'HOME/USERS/$loggedInUser' to '$PERSISTENT_HOME_DIR' timed out." "$ERRLOG"
+ else # mounting worked
+ chmod 777 "$PERSISTENT_HOME_DIR"
+ PERSISTENT_OK=yes
+ fi
+ rm -f -- "$SIGNAL"
+ rm -f -- "$ERRLOG"
+ fi
+fi
+
|
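Review bot: `ncpmount ... -P "$password"` puts the user's password on the command line, where any local process can read it through `ps` or `/proc/<pid>/cmdline` for as long as the mount runs; if the installed ncpmount can take the credential from a mode-0600 file instead (older versions document a `~/.nwclient` file for this), that should be preferred, and otherwise the `-P` line needs a comment recording the exposure as accepted. The interactive fallbacks `read -p "Passwort: " password` also echo the typed password to the terminal; `read -r -s -p "Passwort: " password` (followed by an `echo` to restore the line) hides it, provided the sourcing shell supports `-s`. `chmod 777 "$PERSISTENT_HOME_DIR"` makes the mounted home world-writable; whatever ncpfs does with those bits, the intent here should be 700, or the line should carry a comment explaining why 777 is required. `PAM_AUTHTOK` only reaches a session script when pam_script is configured to expose it, which is worth a one-line comment at the `if [ -n "$PAM_AUTHTOK" ]` check so the silent fallthrough to the prompts is understood.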
