authorDave Olson <olson@cumulusnetworks.com>2017-06-15 12:47:29 -0700
committerDave Olson <olson@cumulusnetworks.com>2017-06-15 19:48:50 -0700
commite3408e0814517e6ad898c525125cf62aad40d60b (patch)
treed2e5f6eaca0ae5c2cfbce17024da7415743e0260 /pam_script_ses_open
Initial version of libnss-mapuser package
See README for details
Diffstat (limited to 'pam_script_ses_open')
-rwxr-xr-xpam_script_ses_open62
1 files changed, 62 insertions, 0 deletions
diff --git a/pam_script_ses_open b/pam_script_ses_open
new file mode 100755
index 0000000..6bdf57e
--- /dev/null
+++ b/pam_script_ses_open
@@ -0,0 +1,62 @@
+#! /bin/bash
+# Copyright 2017 Cumulus Networks, Inc. All rights reserved
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+# This script is invoked via pam_script.so for session open, used for mapping
+# RADIUS usernames to the mapped uid, for libnss_mapuser getpwuid() entry
+# point.
+
+# auid is currently unused, but must match the uid of the mapped_user
+# in the libnss_mapuser database for this to be valid
+
+# For this to work, pam_loginuid.so must be used, so both the
+# loginuid and the sessionid are unique values > 0
+
+umask 022 # want everything world-readable.
+
+dbdir=/run/mapuser
+mkdir -p $dbdir
+
+read sess < /proc/$$/sessionid
+read auid < /proc/$$/loginuid
+
+# for debugging, if needed
+# logger -t mapuser $0 called with $PAM_USER pid=$$ session="$sess" auid="$auid"
+
+# never map root user, or when loginuid isn't set, or when
+# we aren't doing mapping (env variable not set)
+if [ "$auid" -eq 0 ]; then exit 0; fi
+
+# handle this one differently, since it means something is
+# configured wrong.
+if [ "$sess" -le 0 ] ; then
+ logger -t $0 sessionid not set, no mapping possible for \
+ PID $$ user $PAM_USER
+ exit 0 # still allow the session
+fi
+
+# if user's home directory doesn't exist, create it and populate
+# it with the standard skeleton files.
+hdir=$(eval echo ~$PAM_USER)
+[ -d "$hdir" ] || /sbin/mkhomedir_helper $PAM_USER
+
+date +"%FT%T.%N%nuser=$PAM_USER%npid=$$%nauid=$auid%nsession=$sess%nhome=$hdir" \
+ > $dbdir/$sess
+
+# always succeed, this should not block sessions on errors
+exit 0
+
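Review bot: `hdir=$(eval echo ~$PAM_USER)` feeds the authenticated username into eval, and this script runs as root from pam_script.so, so any username that passes authentication is evaluated as shell code here; the home directory should be looked up instead, `hdir=$(getent passwd "$PAM_USER" | cut -d: -f6)`, with the helper call quoted as `[ -d "$hdir" ] || /sbin/mkhomedir_helper "$PAM_USER"`. The same unquoted expansion reaches `logger -t $0 ... $PAM_USER` and the mkdir/redirect on `$dbdir`, which should be quoted as well. The comment above the `-eq 0` test says the script exits when loginuid "isn't set", but the check only rejects uid 0; an unset loginuid presumably reads as a different sentinel value, so either the comment or the test should be adjusted to match. Since the file is written with umask 022 and contains user, auid and session values, the comment `# want everything world-readable.` would be clearer as `# record must be world-readable: libnss_mapuser reads it from unprivileged processes`, if that is indeed the reason.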