Diffstat (limited to 'pam_script_ses_close')
-rwxr-xr-x | pam_script_ses_close | 85 |
1 files changed, 0 insertions, 85 deletions
diff --git a/pam_script_ses_close b/pam_script_ses_close
deleted file mode 100755
index 8340543..0000000
--- a/pam_script_ses_close
+++ /dev/null
@@ -1,85 +0,0 @@
-#! /bin/bash
-# Copyright 2017 Cumulus Networks, Inc. All rights reserved
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-
-# This script is invoked via pam_script.so for session close, to
-# clean up the mapping setup on session open. The info is used
-# in the libnss_mapuser getpwuid() entry point.
-
-# auid is currently unused, but must match the uid of the mapped_user
-# in the libnss_mapuser database for this to be valid
-
-# For this to work, pam_loginuid.so must be used, so both the
-# loginuid and the sessionid are unique values > 0
-
-dbdir=/run/mapuser
-mkdir -p $dbdir
-
-read sess < /proc/$$/sessionid
-read auid < /proc/$$/loginuid
-
-# never map root user, or when loginuid isn't set, or when
-# we aren't doing mapping (env variable not set)
-if [ "$auid" -eq 0 ]; then exit 0; fi
-
-# for debugging, if needed
-#DEBUG logger -t mapuser $0 user=$PAM_USER pid=$$ session="$sess" auid="$auid"
-
-if [ "$sess" -le 0 ] ; then
- logger -t $0 sessionid not set, no mapuser cleanup for \
- PID $$ user $PAM_USER
- exit 0 # never trigger an error
-fi
-
-file=$dbdir/$sess
-if [ -e $file ]; then
- IFS='= 
-' read tag fauid <<< $(grep '^auid=' $file)
- IFS='= 
-' read tag fsess <<< $(grep '^session=' $file)
- # If info doesn't match, report it, and don't clean up
- if [ "$auid" != "$fauid" -o "$sess" != "$fsess" ]; then
- logger -t $0 "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
- else
- uid=$(id -u)
- if [ "$uid" -ne 0 ]; then # shouldn't happen from pam_script
- logger -t $0 called with UID=$uid, no cleanup
- exit 0
- fi
- pids=( $(egrep -w $fsess /proc/[1-9]*/sessionid | \
- sed -e 's,/proc/,,' -e 's,/.*,,') )
- clean=1
- for pid in ${pids[*]}; do
- [ $pid -eq $$ ] && continue # skip ourselve
- read cmd 2>/dev/null < /proc/$pid/comm # ignore exited egrep, sed
- [ -z "$cmd" ] && continue # pid exited
- msg="$msg PID $pid comm=$cmd"
- case "$cmd" in
- sshd|sudo|login|su|telnetd) ;;
- *) clean=0 ; cleancmd="$cmd" ;;
- esac
- done
- #DEBUG logger -t $0 sess=$fsess clean=$clean cmd=$cleancmd has $msg active
- [ $clean -eq 1 ] && {
- #DEBUG logger -t $0 cleanup session $fsess
- rm -f $file
- }
- fi
-fi
-
-# always succeed, this should not cause sessions shutdown errors
-exit 0