1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
#! /bin/bash
# Copyright 2017 Cumulus Networks, Inc. All rights reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# This script is invoked via pam_script.so for session close, to
# clean up the mapping setup on session open. The info is used
# in the libnss_mapuser getpwuid() entry point.
# auid is currently unused, but must match the uid of the mapped_user
# in the libnss_mapuser database for this to be valid
# For this to work, pam_loginuid.so must be used, so both the
# loginuid and the sessionid are unique values > 0
dbdir=/run/mapuser
mkdir -p $dbdir
read sess < /proc/$$/sessionid
read auid < /proc/$$/loginuid
# never map root user, or when loginuid isn't set, or when
# we aren't doing mapping (env variable not set)
if [ "$auid" -eq 0 ]; then exit 0; fi
# for debugging, if needed
# logger -t mapuser $0 called with $PAM_USER pid=$$ session="$sess" auid="$auid"
if [ "$sess" -le 0 ] ; then
logger -t $0 sessionid not set, no mapuser cleanup for \
PID $$ user $PAM_USER
exit 0 # never trigger an error
fi
file=$dbdir/$sess
[ -e $file ] && {
IFS='=
' read tag fauid <<< $(grep '^auid=' $file)
IFS='=
' read tag fsess <<< $(grep '^session=' $file)
# If info doesn't match, report it, but clean up anyway.
[ "$auid" != "$fauid" -o "$sess" != "$fsess" ] &&
logger -t $0 "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
#OLSON rm -f $file
}
# OLSON, probably need to gc all files on exit from any, because
# original PID is always gone, but we don't want to remove on exit
# from su, sudo, etc.
# always succeed, this should not cause sessions shutdown errors
exit 0
|
