#! /bin/bash
# Copyright 2017 Cumulus Networks, Inc.  All rights reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


# This script is invoked via pam_script.so for session open, used for mapping
# RADIUS usernames to the mapped uid, for libnss_mapuser getpwuid() entry
# point.

# auid is currently unused, but must match the uid of the mapped_user
# in the libnss_mapuser database for this to be valid

# For this to work, pam_loginuid.so must be used, so both the
# loginuid and the sessionid are unique values > 0

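umask 022 # want everything world-readable.

dbdir=/run/mapuser
mkdir -p -- "$dbdir"

# Nothing to map without a user name; PAM normally always sets PAM_USER,
# so just note it and let the session proceed.
if [ -z "$PAM_USER" ]; then
	logger -t "$0" "PAM_USER not set, no mapping possible for PID $$"
	exit 0
fi

# Both values come from the kernel and are plain unsigned integers. The
# /proc files have no trailing newline, so read(1) returns non-zero even
# on success; only the value matters here. Default to 0 (the "not set"
# path below) if the file is missing or the content is not a number, so
# the numeric tests and the $dbdir/$sess path never see garbage.
sess=0
auid=0
read -r sess < "/proc/$$/sessionid" 2>/dev/null
read -r auid < "/proc/$$/loginuid" 2>/dev/null
[[ "$sess" =~ ^[0-9]+$ ]] || sess=0
[[ "$auid" =~ ^[0-9]+$ ]] || auid=0

# for debugging, if needed
# logger -t mapuser "$0 called with $PAM_USER pid=$$ session=$sess auid=$auid"

# never map root user, or when loginuid isn't set, or when
# we aren't doing mapping (env variable not set).
# The kernel reports 4294967295 ((uid_t)-1) in /proc/PID/loginuid when
# pam_loginuid.so has not run, so treat that as "not set" as well.
if [ "$auid" -eq 0 ] || [ "$auid" -eq 4294967295 ]; then exit 0; fi

# handle this one differently, since it means something is
# configured wrong (sessionid unset is also reported as 4294967295).
if [ "$sess" -le 0 ] || [ "$sess" -eq 4294967295 ]; then
	logger -t "$0" "sessionid not set, no mapping possible for PID $$ user $PAM_USER"
	exit 0 # still allow the session
fi

# if user's home directory doesn't exist, create it and populate
# it with the standard skeleton files.
# Resolve the home directory through NSS (the same lookup tilde expansion
# would do, and the database libnss_mapuser serves) instead of eval'ing
# the user name: PAM_USER originates from the remote login and must never
# be parsed as shell syntax. On lookup failure hdir is empty and the
# helper is invoked, as before.
hdir=$(getent passwd "$PAM_USER" | cut -d: -f6)
[ -d "$hdir" ] || /sbin/mkhomedir_helper "$PAM_USER"

# don't overwrite if it already exists.  Happens when sudo or su
# is run from an existing mapped session.
if [ ! -s "$dbdir/$sess" ]; then
	# Write the record with printf rather than inside date's format string:
	# a '%' in the user name or home path would otherwise be interpreted as
	# a date conversion. Output layout is unchanged (one key=value per line,
	# timestamp first, trailing newline).
	printf '%s\nuser=%s\npid=%s\nauid=%s\nsession=%s\nhome=%s\n' \
		"$(date +%FT%T.%N)" "$PAM_USER" "$$" "$auid" "$sess" "$hdir" \
		> "$dbdir/$sess"
fi

# always succeed, this should not block sessions on errors
exit 0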