Merge pull request #1 from cernops/first
Initial Version
Showing
6 changed files
with
197 additions
and
0 deletions.
@@ -0,0 +1,8 @@ | ||
CMakeCache.txt | ||
build | ||
CMakeFiles/ | ||
cmake_install.cmake | ||
pam_xdg_runtime_dir.so | ||
*.tar.gz | ||
*.tgz | ||
src/*.o |
@@ -0,0 +1,22 @@ | ||
CC=gcc | ||
CFLAGS="-fPIC -fno-stack-protector" | ||
INSTALLDIR=/usr/lib64/security | ||
MANPATH=/usr/share/man | ||
|
||
all: pam_xdg_runtime_dir.so | ||
|
||
src/pam_xdg_runtime_dir.o: src/pam_xdg_runtime_dir.c | ||
gcc $(EXTRA_CFLAGS) -fPIC -fno-stack-protector -c src/pam_xdg_runtime_dir.c -o src/pam_xdg_runtime_dir.o | ||
|
||
pam_xdg_runtime_dir.so: src/pam_xdg_runtime_dir.o | ||
gcc $(EXTRA_CFLAGS) -shared -o pam_xdg_runtime_dir.so src/pam_xdg_runtime_dir.o -lpam -lselinux | ||
|
||
install: all | ||
install -d $(DESTDIR)$(INSTALLDIR) | ||
install -p -m 0755 pam_xdg_runtime_dir.so $(DESTDIR)/$(INSTALLDIR)/pam_xdg_runtime_dir.so | ||
install -d $(DESTDIR)$(MANPATH)/man8 | ||
install -p -m 0644 man/pam_xdg_runtime_dir.8 $(DESTDIR)$(MANPATH)/man8/pam_xdg_runtime_dir.8 | ||
|
||
clean: | ||
rm -rf build/ $(TARFILE) src/*.o *.so | ||
|
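Review bot: `CFLAGS` on the second line is never used — the compile recipe hard-codes `gcc $(EXTRA_CFLAGS) -fPIC -fno-stack-protector` — and the surrounding quotes would be passed to gcc literally if it were; `-fno-stack-protector` also switches off a hardening mitigation in a module that is loaded into privileged processes such as sshd, and nothing in this file says why it is needed. Unless there is a documented reason for it, define `CFLAGS = -fPIC -O2 -Wall -Wextra` and have the object recipe use `$(CC) $(CFLAGS) $(EXTRA_CFLAGS) -c src/pam_xdg_runtime_dir.c -o src/pam_xdg_runtime_dir.o`; `-Wl,-z,relro,-z,now` on the link line is the usual companion. Two smaller inconsistencies: the install step writes to `$(DESTDIR)/$(INSTALLDIR)` where the `install -d` just above uses `$(DESTDIR)$(INSTALLDIR)`, and `clean` removes `$(TARFILE)`, which is defined nowhere in this file.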
@@ -0,0 +1,25 @@ | ||
# pam_xdg_runtime_dir | ||
|
||
Pam module to create `/run/user/<uid>` directory. | ||
|
||
It is useful sometimes to create this directory before pam_systemd and systemd-logind create it. | ||
|
||
Enable pam module with | ||
|
||
``` | ||
session optional pam_xdg_runtime_dir.so debug | ||
``` | ||
|
||
added to the pam_stack. | ||
|
||
## Example Usecase | ||
|
||
Enable this pam module in `/etc/pam.d/sshd` before `pam_systemd` to create the directory and populate it with a | ||
kerberos credential. See the `pam_krb5_cc_move` pam module. | ||
|
||
## Links | ||
|
||
* https://gitlab.cern.ch/lxplus/pam_xdg_runtime_dir | ||
* https://gitlab.cern.ch/lxplus/pam_krb5_cc_move | ||
* https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html | ||
|
@@ -0,0 +1,50 @@ | ||
.TH PAM_XDG RUNTIME DIR 8 "January 2024" "Version 1.0.0" "PAM Module Manual" | ||
.SH NAME | ||
pam_xdg_runtime_dir \- PAM module for creating user session directories | ||
|
||
.SH SYNOPSIS | ||
.B pam_xdg_runtime_dir | ||
[\fIOPTIONS\fR] | ||
|
||
.SH DESCRIPTION | ||
The pam_xdg_runtime_dir PAM module is responsible for creating a directory /run/user/<UID> for the user during the session opening process. It sets the ownership of the directory based on the user's UID and GID. Optionally, it supports debug mode for additional logging. | ||
|
||
.SH OPTIONS | ||
.TP | ||
.B debug | ||
Enables debug mode, producing additional log messages. | ||
|
||
.SH RETURN VALUES | ||
.PP | ||
This module returns PAM_SUCCESS on success and PAM_SESSION_ERR on failure. | ||
|
||
.SH EXAMPLES | ||
.PP | ||
The following example shows how to configure pam_xdg_runtime_dir in the PAM configuration file: | ||
.BR session required pam_xdg_runtime_dir debug | ||
|
||
.SH SEE ALSO | ||
.PP | ||
\fBpam\fR(8), \fBpam.d\fR(8) | ||
|
||
.SH AUTHORS | ||
Written by Your Name <[email protected]> | ||
|
||
.SH REPORTING BUGS | ||
Report bugs to <[email protected]>. | ||
|
||
.SH COPYRIGHT | ||
Copyright © 2024 Your Organization. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | ||
|
||
.SH NOTES | ||
This manual page was written for the pam_xdg_runtime_dir module based on its behavior as of January 2024. Ensure that you consult the module's documentation for any updates or changes. | ||
|
||
.SH BUGS | ||
No known bugs. | ||
|
||
.SH VERSION | ||
This is pam_xdg_runtime_dir version 1.0.0. | ||
|
||
.SH DATE | ||
January 2024 | ||
|
@@ -0,0 +1,2 @@ | ||
# Just use for testing | ||
session optional pam_xdg_runtime_dir.so debug |
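--- /dev/null
+++ b/src/pam_xdg_runtime_dir.c
@@ -0,0 +1,90 @@
+#define PAM_SM_SESSION
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <grp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+#include <pwd.h>
+#include <errno.h>
+#include <syslog.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+
+
+#define DEBUG_LOG_LEVEL LOG_DEBUG
+
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+const char *pam_user;
+struct passwd *pwd;
+int ret;
+
+// Check for the debug option
+int debug = 0;
+for (int i = 0; i < argc; ++i) {
+if (strcmp(argv[i], "debug") == 0) {
+debug = 1;
+break;
+}
+}
+
+if (debug) {
+pam_syslog(pamh, DEBUG_LOG_LEVEL, "Debug mode enabled");
+}
+
+// Get the PAM_USER (user being authenticated)
+ret = pam_get_user(pamh, &pam_user, NULL);
+if (ret != PAM_SUCCESS) {
+pam_syslog(pamh, LOG_ERR, "Error getting PAM_USER: %s", pam_strerror(pamh, ret));
+return PAM_SESSION_ERR;
+}
+
+// Get user information using getpwnam
+pwd = getpwnam(pam_user);
+if (pwd == NULL) {
+pam_syslog(pamh, LOG_ERR, "Error getting user information for PAM_USER: %s", pam_user);
+return PAM_SESSION_ERR;
+}
+
+// Create the destination directory if it doesn't exist
+char dest_directory[128];
+snprintf(dest_directory, sizeof(dest_directory), "/run/user/%d", pwd->pw_uid);
+
+struct stat st;
+if (stat(dest_directory, &st) != 0) {
+// Directory doesn't exist
+if (mkdir(dest_directory, 0700) != 0) {
+// Error creating the directory
+pam_syslog(pamh, LOG_ERR, "Error creating directory: %s - %s", dest_directory, strerror(errno));
+return PAM_SESSION_ERR;
+}
+
+// Set the ownership of the directory
+ret = chown(dest_directory, pwd->pw_uid, pwd->pw_gid);
+if (ret != 0) {
+pam_syslog(pamh, LOG_ERR, "Error chowning directory: %s - %s", dest_directory, strerror(errno));
+return PAM_SESSION_ERR;
+}
+
+selinux_restorecon(dest_directory, SELINUX_RESTORECON_XDEV);
+
+if (debug) {
+pam_syslog(pamh, DEBUG_LOG_LEVEL, "Destination directory created: %s", dest_directory);
+}
+}
+
+return PAM_SUCCESS;
+}
+
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+// Perform any cleanup if necessary
+return PAM_SUCCESS;
+}
+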
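Review bot: In `pam_sm_open_session` the `stat()` check treats every failure as "directory missing" and then hard-fails when `mkdir()` returns EEXIST, so two sessions for the same user opening at the same time (or a `stat` failing for a reason other than ENOENT) make the module return PAM_SESSION_ERR; and when `/run/user/<uid>` already exists the module returns success without checking that it is a directory owned by that uid, which matters because the README says a Kerberos credential cache is placed there afterwards. Two smaller points in the same function: `%d` does not match `uid_t` (use `%lu` with a cast to `unsigned long`), and the return value of `selinux_restorecon` is dropped, so a mislabelled directory is never reported. The rewrite below distinguishes ENOENT from other errors, tolerates a concurrent EEXIST, and verifies an existing entry with `lstat` so a symlink planted at that path is not followed; the `stdio.h`, `stdlib.h`, `grp.h` and `sys/wait.h` includes are unused and could go.
```c
// … unchanged: option parsing, pam_get_user, getpwnam …
char dest_directory[128];
snprintf(dest_directory, sizeof(dest_directory), "/run/user/%lu", (unsigned long)pwd->pw_uid);

struct stat st;
if (lstat(dest_directory, &st) == 0) {
    // Already present (e.g. created by logind or by a concurrent session):
    // accept it only if it is a directory owned by this user, since a
    // later module may place a credential cache in it.
    if (!S_ISDIR(st.st_mode) || st.st_uid != pwd->pw_uid) {
        pam_syslog(pamh, LOG_ERR, "%s exists but is not a directory owned by uid %lu",
                   dest_directory, (unsigned long)pwd->pw_uid);
        return PAM_SESSION_ERR;
    }
    return PAM_SUCCESS;
}
if (errno != ENOENT) {
    pam_syslog(pamh, LOG_ERR, "Error checking %s - %s", dest_directory, strerror(errno));
    return PAM_SESSION_ERR;
}

// ENOENT: create it; losing the race to a concurrent session for the same user is fine.
if (mkdir(dest_directory, 0700) != 0 && errno != EEXIST) {
    pam_syslog(pamh, LOG_ERR, "Error creating directory: %s - %s", dest_directory, strerror(errno));
    return PAM_SESSION_ERR;
}

// … unchanged: chown to pw_uid/pw_gid …

if (selinux_restorecon(dest_directory, SELINUX_RESTORECON_XDEV) != 0) {
    pam_syslog(pamh, LOG_WARNING, "selinux_restorecon(%s) failed - %s", dest_directory, strerror(errno));
}
// … unchanged: debug log, return PAM_SUCCESS …
```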