#! /bin/bash
# Copyright 2017 Cumulus Networks, Inc. All rights reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# This script is invoked via pam_script.so for session close, to
# clean up the mapping setup on session open. The info is used
# in the libnss_mapuser getpwuid() entry point.
# auid is not used to locate the record (the session id is the key), but it is
# cross-checked against the record's auid below and must match the uid of the
# mapped_user in the libnss_mapuser database for the record to be valid
# For this to work, pam_loginuid.so must be used, so both the
# loginuid and the sessionid are unique values > 0
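# Session-close hook for pam_script: remove the per-session mapping record
# ($dbdir/<sessionid>) written at session open, but only once the session
# has no live process left other than the login daemons (sshd, sudo, ...).
#
# Inputs:
#   /proc/$$/sessionid, /proc/$$/loginuid  - set by pam_loginuid for this session
#   $PAM_USER                              - exported by pam_script; only used in log text
# Exit status: always 0, so a failure here never turns into a session-close error.
dbdir=/run/mapuser
mkdir -p -- "$dbdir"

# The kernel reports a loginuid/sessionid that was never set as (unsigned)-1.
readonly AUDIT_UNSET=4294967295

#######################################
# Print the value of the first "key=value" line in a record file.
# Arguments: $1 - key (literal, no regex), $2 - record file
# Outputs:   the value (text after the first '='), nothing if absent/unreadable
#######################################
db_field() {
  local line
  while IFS= read -r line; do
    case "$line" in
      "$1="*)
        printf '%s\n' "${line#*=}"
        return 0
        ;;
    esac
  done 2>/dev/null < "$2"
  return 0
}

# Audit ids of this (the PAM) process.  /proc/PID/sessionid has no trailing
# newline, so read's exit status is not meaningful; an unreadable file simply
# leaves the variable empty, which is treated as "not set" below rather than
# tripping the integer tests.  Redirect stderr before stdin so a missing file
# does not print an error.
sess=
auid=
read -r sess 2>/dev/null < /proc/$$/sessionid
read -r auid 2>/dev/null < /proc/$$/loginuid

# Never clean up for root, or when the loginuid was never set by pam_loginuid
# (unset, or the kernel's "unset" sentinel).  In the latter case every
# session-less process would share the same record key anyway.
case "$auid" in
  ''|0|"$AUDIT_UNSET") exit 0 ;;
esac

# for debugging, if needed
#DEBUG logger -t mapuser "$0 user=$PAM_USER pid=$$ session=$sess auid=$auid"

# A session id of 0, the unset sentinel, or anything non-numeric means
# pam_loginuid did not run for this session: nothing to clean up.  The
# numeric check also guarantees $sess is safe to use as a file name.
case "$sess" in
  ''|0|"$AUDIT_UNSET"|*[!0-9]*)
    logger -t "$0" "sessionid not set, no mapuser cleanup for PID $$ user $PAM_USER"
    exit 0 # never trigger an error
    ;;
esac

file=$dbdir/$sess
[ -e "$file" ] || exit 0

# If the record does not describe this session, report it and leave it alone.
fauid=$(db_field auid "$file")
fsess=$(db_field session "$file")
if [ "$auid" != "$fauid" ] || [ "$sess" != "$fsess" ]; then
  logger -t "$0" "Session $sess mismatch auid $auid,$fauid session $sess,$fsess"
  exit 0
fi

# pam_script runs us as root; refuse to touch the record otherwise.
uid=$EUID
if [ "$uid" -ne 0 ]; then # shouldn't happen from pam_script
  logger -t "$0" "called with UID=$uid, no cleanup"
  exit 0
fi

# Walk every process and collect those still in this audit session.  Doing
# the comparison in-shell (instead of egrep|sed) means no short-lived helper
# processes of our own show up in the scan, and exact equality avoids the
# word-boundary semantics of grep -w.
#
# NOTE(review): /proc/PID/comm is chosen by the process itself (exec name or
# prctl(PR_SET_NAME)), so the name list below is a best-effort "only login
# daemons are left" heuristic, not an access-control boundary; a user process
# can rename itself to match it, or keep any name to hold the record open.
clean=1
msg=      # only consumed by the DEBUG logger lines below
cleancmd= # only consumed by the DEBUG logger lines below
for sfile in /proc/[1-9]*/sessionid; do
  pid=${sfile#/proc/}
  pid=${pid%%/*}
  [ "$pid" = "$$" ] && continue # skip ourselves

  psess=
  read -r psess 2>/dev/null < "$sfile"
  [ "$psess" = "$sess" ] || continue

  # Reset before reading: if the process exited between the glob and here
  # the redirection fails and read never runs, so a stale value from the
  # previous iteration would otherwise be mistaken for this pid's comm.
  cmd=
  read -r cmd 2>/dev/null < "/proc/$pid/comm"
  [ -z "$cmd" ] && continue # pid exited

  msg="$msg PID $pid comm=$cmd"
  case "$cmd" in
    sshd|sudo|login|su|telnetd) ;;
    *)
      clean=0
      cleancmd=$cmd
      ;;
  esac
done
#DEBUG logger -t "$0" "sess=$fsess clean=$clean cmd=$cleancmd has $msg active"

if [ "$clean" -eq 1 ]; then
  #DEBUG logger -t "$0" "cleanup session $fsess"
  rm -f -- "$file"
fi

# always succeed, this should not cause sessions shutdown errors
exit 0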