author | Dave Olson <olson@cumulusnetworks.com> | 2017-06-22 16:42:21 -0700 |
committer | Dave Olson <olson@cumulusnetworks.com> | 2017-06-22 16:50:34 -0700 |
commit | c80f0d55431b4f373d1672b82a4dae46fef3865c (patch) | |
tree | 9beef878028d5a3469569705ecac1117e9c2b1e0 | |
parent | b58eeab9d1dadb0b715c150facef383f4ebd83e7 (diff) | |
Removed mapfile cleanup workaround, implemented solution
We need to remove the mapping file for the session when it is closing
and the close script is called via pam_script, but not remove it when
the close is called from ending a sudo session, etc.
Check which processes are in the current session, and if any of them
are not one of sshd, sudo, login, su, or telnetd, then don't do the
cleanup (normally it will be a shell).
Cleanup won't happen if the user leaves jobs running when they logout
(e.g., via setsid), but that's fairly benign. Even with very long
system uptimes, these are small files, and will not be a significant
issue. At some future point, we might add garbage collection for
any session files found in the dbdir.
-rwxr-xr-x | pam_script_ses_close | 47 |
1 files changed, 33 insertions, 14 deletions
diff --git a/pam_script_ses_close b/pam_script_ses_close
index a806d2c..8340543 100755
--- a/pam_script_ses_close
+++ b/pam_script_ses_close
@@ -37,30 +37,49 @@ read auid < /proc/$$/loginuid
 if [ "$auid" -eq 0 ]; then exit 0; fi
 # for debugging, if needed
-# logger -t mapuser $0 called with $PAM_USER pid=$$ session="$sess" auid="$auid"
+#DEBUG logger -t mapuser $0 user=$PAM_USER pid=$$ session="$sess" auid="$auid"
 if [ "$sess" -le 0 ] ; then
-    logger -t $0 sessionid not set, no mapuser cleanup for \
-    PID $$ user $PAM_USER
-    exit 0 # never trigger an error
+    logger -t $0 sessionid not set, no mapuser cleanup for \
+    PID $$ user $PAM_USER
+    exit 0 # never trigger an error
 fi
 file=$dbdir/$sess
-[ -e $file ] && {
+if [ -e $file ]; then
     IFS='= ' read tag fauid <<< $(grep '^auid=' $file)
     IFS='= ' read tag fsess <<< $(grep '^session=' $file)
-    # If info doesn't match, report it, but clean up anyway.
-    [ "$auid" != "$fauid" -o "$sess" != "$fsess" ] &&
+    # If info doesn't match, report it, and don't clean up
+    if [ "$auid" != "$fauid" -o "$sess" != "$fsess" ]; then
         logger -t $0 "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
-
-    #OLSON rm -f $file
-    }
-
-# OLSON, probably need to gc all files on exit from any, because
-# original PID is always gone, but we don't want to remove on exit
-# from su, sudo, etc.
+    else
+        uid=$(id -u)
+        if [ "$uid" -ne 0 ]; then # shouldn't happen from pam_script
+            logger -t $0 called with UID=$uid, no cleanup
+            exit 0
+        fi
+        pids=( $(egrep -w $fsess /proc/[1-9]*/sessionid | \
+            sed -e 's,/proc/,,' -e 's,/.*,,') )
+        clean=1
+        for pid in ${pids[*]}; do
+            [ $pid -eq $$ ] && continue # skip ourselve
+            read cmd 2>/dev/null < /proc/$pid/comm # ignore exited egrep, sed
+            [ -z "$cmd" ] && continue # pid exited
+            msg="$msg PID $pid comm=$cmd"
+            case "$cmd" in
+            sshd|sudo|login|su|telnetd) ;;
+            *) clean=0 ; cleancmd="$cmd" ;;
+            esac
+        done
+        #DEBUG logger -t $0 sess=$fsess clean=$clean cmd=$cleancmd has $msg active
+        [ $clean -eq 1 ] && {
+            #DEBUG logger -t $0 cleanup session $fsess
+            rm -f $file
+        }
+    fi
+fi
 # always succeed, this should not cause sessions shutdown errors
 exit 0
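Review bot: The allow-list in the `case "$cmd"` arm keys the cleanup decision on `/proc/$pid/comm`, which a process sets for itself (prctl PR_SET_NAME, truncated to 15 bytes), so it identifies sshd/sudo/login/su/telnetd by convention rather than by anything the kernel enforces; a comment such as `# comm is self-reported by the process; a wrong guess only affects this session's own mapping file` next to the list would make that trust assumption explicit. As far as the hunk shows the impact is contained — a wrong decision either leaves `$dbdir/$sess` in place, the benign case the commit message already accepts, or removes the calling user's own mapping — but that reasoning belongs in the script, not only in the commit log. Separately, `read cmd 2>/dev/null < /proc/$pid/comm` leaves `cmd` holding the previous iteration's value when the redirection fails because the pid is gone, so the following `[ -z "$cmd" ] && continue` does not fire and `$msg` records a stale name for that pid; reset it first with `cmd=` on the line before the `read`. The assignments of `sess` and `dbdir` and the `read auid` line lie outside the hunk.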