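#! /bin/bash
# Copyright 2017 Cumulus Networks, Inc. All rights reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This script is invoked via pam_script.so for session open, used for mapping
# RADIUS usernames to the mapped uid, for libnss_mapuser getpwuid() entry
# point.
# auid is currently unused, but must match the uid of the mapped_user
# in the libnss_mapuser database for this to be valid
# For this to work, pam_loginuid.so must be used, so both the
# loginuid and the sessionid are unique values > 0
#
# Inputs:  PAM_USER (environment, set by pam_script), /proc/$$/sessionid,
#          /proc/$$/loginuid
# Outputs: /run/mapuser/<sessionid>, a timestamp line followed by one
#          "key=value" line each for user, pid, auid, session and home;
#          world-readable so libnss_mapuser can read it from any process.
# Exit:    always 0; a failed mapping must never block a session.
#
# PAM_USER is the name the remote user presented at login and this script
# runs as root, so the name is treated as untrusted: it is never passed
# through eval and never used as (part of) a format string.

umask 022 # want everything world-readable.
dbdir=/run/mapuser
mkdir -p "$dbdir"

# A missing /proc file leaves the variable empty; the checks below treat
# empty or non-numeric ids as "not set".
read -r sess < "/proc/$$/sessionid"
read -r auid < "/proc/$$/loginuid"

# for debugging, if needed
# logger -t mapuser "$0 called with $PAM_USER pid=$$ session=$sess auid=$auid"

# never map root user, or when loginuid isn't set, or when
# we aren't doing mapping (env variable not set -- no such check is
# implemented here yet).
# The kernel reports an unset loginuid as 4294967295 ((uid_t)-1), which
# '[ -eq 0 ]' would not catch; an empty or non-numeric value would make
# '[' error out and fall through, so both are handled as "not set".
case "$auid" in
  ''|*[!0-9]*|0|4294967295) exit 0 ;;
esac

# handle this one differently, since it means something is
# configured wrong.
# An unset sessionid is likewise reported as 4294967295 (AUDIT_SID_UNSET).
case "$sess" in
  ''|*[!0-9]*|0|4294967295)
    logger -t "$0" "sessionid not set, no mapping possible for PID $$ user $PAM_USER"
    exit 0 # still allow the session
    ;;
esac

# if user's home directory doesn't exist, create it and populate
# it with the standard skeleton files.
# Resolve the home directory through NSS (which is where libnss_mapuser
# answers) instead of 'eval echo ~$PAM_USER': eval would execute any shell
# metacharacters in the user-supplied name as root. If the user is unknown
# hdir is empty, the -d test fails, and mkhomedir_helper is tried as before.
hdir=$(getent passwd -- "$PAM_USER" | cut -d: -f6)
[ -d "$hdir" ] || /sbin/mkhomedir_helper "$PAM_USER"

# don't overwrite if it already exists. Happens when sudo or su
# is run from an existing mapped session.
# Only the timestamp goes through date(1); the user-controlled fields are
# emitted with printf '%s' so that '%n' or other '%' sequences in the
# username or home path cannot be expanded as date format directives and
# inject extra key=value lines into the record. A literal newline inside
# PAM_USER would still reach the file; the consumer should treat values
# as opaque -- TODO confirm how libnss_mapuser parses unexpected lines.
dbfile="$dbdir/$sess"
if ! [ -s "$dbfile" ]; then
  {
    date +"%FT%T.%N"
    printf '%s=%s\n' user "$PAM_USER" pid "$$" auid "$auid" \
      session "$sess" home "$hdir"
  } > "$dbfile"
fi

# always succeed, this should not block sessions on errors
exit 0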