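#! /bin/bash
# Copyright 2017 Cumulus Networks, Inc. All rights reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This script is invoked via pam_script.so for session close, to
# clean up the mapping setup on session open. The info is used
# in the libnss_mapuser getpwuid() entry point.
# auid is currently unused, but must match the uid of the mapped_user
# in the libnss_mapuser database for this to be valid
# For this to work, pam_loginuid.so must be used, so both the
# loginuid and the sessionid are unique values > 0
#
# The mapping file $dbdir/<sessionid> is removed only when
#   - the auid/session fields stored in it match what the kernel reports
#     for this process (a stale or foreign file is reported, not removed),
#   - we run as root, and
#   - no process other than the login helpers listed in session_is_idle()
#     is still alive in that audit session.
# The script always exits 0: a cleanup problem must never become a
# session-close error.

readonly dbdir=/run/mapuser
# Value the kernel reports in /proc/PID/loginuid and /proc/PID/sessionid
# when pam_loginuid.so did not run ((unsigned int)-1).
readonly id_unset=4294967295

#######################################
# Log a message under this script's name.
# "--" keeps a message that starts with "-" (e.g. an unusual PAM_USER)
# from being parsed as a logger option.
# Arguments: message words
#######################################
log() {
  logger -t "$0" -- "$*"
}

#######################################
# Print the value of the first "tag=value" line in a mapping file.
# Arguments: $1 - mapping file, $2 - tag name (auid, session)
# Outputs:   the value (empty when the tag is absent)
#######################################
db_field() {
  local file=$1 tag=$2 key value
  IFS='= ' read -r key value <<< "$(grep -- "^${tag}=" "$file")"
  printf '%s\n' "$value"
}

#######################################
# Decide whether an audit session has no real processes left.
# Arguments: $1 - audit session id
# Returns:   0 when only this script and the usual login helpers
#            (sshd, sudo, login, su, telnetd) remain in the session,
#            1 otherwise
#######################################
session_is_idle() {
  local sess=$1 pid cmd
  local -a pids=()
  local idle=1 msg='' lastcmd=''

  # -l -x: list the sessionid files whose whole content is $sess.
  # stderr is dropped because processes vanish between glob and read.
  while IFS= read -r pid; do
    pids+=("$pid")
  done < <(grep -lx -- "$sess" /proc/[1-9]*/sessionid 2>/dev/null \
           | sed -e 's,/proc/,,' -e 's,/.*,,')

  for pid in "${pids[@]}"; do
    [[ "$pid" -eq $$ ]] && continue   # skip ourselves
    # Reset first: when the redirect fails (pid gone) read never runs and
    # would otherwise leave the previous pid's comm in $cmd.
    cmd=''
    read -r cmd 2>/dev/null < "/proc/$pid/comm"   # grep/sed helpers may have exited
    [[ -z "$cmd" ]] && continue       # pid exited
    msg="$msg PID $pid comm=$cmd"
    case "$cmd" in
      sshd|sudo|login|su|telnetd) ;;
      *) idle=0; lastcmd=$cmd ;;
    esac
  done
  #DEBUG log "sess=$sess idle=$idle cmd=$lastcmd has $msg active"
  (( idle ))
}

#######################################
# Entry point: validate the session, then remove the mapping file when
# the session is idle.  Always exits 0.
# Globals:   dbdir, id_unset (read); PAM_USER (read, for logging only)
#######################################
main() {
  local sess auid file fauid fsess

  mkdir -p -- "$dbdir"

  read -r sess < /proc/$$/sessionid
  read -r auid < /proc/$$/loginuid

  # never map root user, or when loginuid isn't set (pam_loginuid.so
  # did not run, so the kernel reports $id_unset)
  if [[ "$auid" -eq 0 || "$auid" -eq "$id_unset" ]]; then
    exit 0
  fi

  # for debugging, if needed
  #DEBUG log "user=$PAM_USER pid=$$ session=$sess auid=$auid"

  if [[ "$sess" -le 0 || "$sess" -eq "$id_unset" ]]; then
    log "sessionid not set, no mapuser cleanup for PID $$ user $PAM_USER"
    exit 0   # never trigger an error
  fi

  file=$dbdir/$sess
  if [[ -e "$file" ]]; then
    fauid=$(db_field "$file" auid)
    fsess=$(db_field "$file" session)
    # If info doesn't match, report it, and don't clean up
    if [[ "$auid" != "$fauid" || "$sess" != "$fsess" ]]; then
      log "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
    elif [[ "$EUID" -ne 0 ]]; then
      # shouldn't happen from pam_script; only root may remove the mapping
      log "called with UID=$EUID, no cleanup"
    elif session_is_idle "$fsess"; then
      #DEBUG log "cleanup session $fsess"
      rm -f -- "$file"
    fi
  fi

  # always succeed, this should not cause sessions shutdown errors
  exit 0
}

main "$@"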