Merge pull request #1 from cernops/first

Initial Version

.gitignore

@@ -0,0 +1,8 @@
+CMakeCache.txt
+build
+CMakeFiles/
+cmake_install.cmake
+pam_xdg_runtime_dir.so
+*.tar.gz
+*.tgz
+src/*.o

Makefile

@@ -0,0 +1,22 @@
+CC=gcc
+CFLAGS="-fPIC -fno-stack-protector"
+INSTALLDIR=/usr/lib64/security
+MANPATH=/usr/share/man
+
+all: pam_xdg_runtime_dir.so
+
+src/pam_xdg_runtime_dir.o: src/pam_xdg_runtime_dir.c
+	gcc $(EXTRA_CFLAGS) -fPIC -fno-stack-protector -c src/pam_xdg_runtime_dir.c -o src/pam_xdg_runtime_dir.o
+
+pam_xdg_runtime_dir.so: src/pam_xdg_runtime_dir.o
+	gcc $(EXTRA_CFLAGS) -shared -o pam_xdg_runtime_dir.so src/pam_xdg_runtime_dir.o -lpam -lselinux
+
+install: all
+	install -d $(DESTDIR)$(INSTALLDIR)
+	install -p -m 0755 pam_xdg_runtime_dir.so $(DESTDIR)/$(INSTALLDIR)/pam_xdg_runtime_dir.so 
+	install -d $(DESTDIR)$(MANPATH)/man8
+	install -p -m 0644 man/pam_xdg_runtime_dir.8 $(DESTDIR)$(MANPATH)/man8/pam_xdg_runtime_dir.8
+
+clean:
+	rm -rf build/ $(TARFILE) src/*.o *.so
+

README.md

@@ -0,0 +1,25 @@
+# pam_xdg_runtime_dir
+
+Pam module to create `/run/user/<uid>` directory.
+
+It is useful sometimes to create this directory before pam_systemd and systemd-logind create it.
+
+Enable pam module with 
+
+```
+session optional pam_xdg_runtime_dir.so debug
+```
+
+added to the pam_stack.
+
+## Example Usecase
+
+Enable this pam module in `/etc/pam.d/sshd` before `pam_systemd` to create the directory and populate it with a
+kerberos credential. See the  `pam_krb5_cc_move` pam module.
+
+## Links
+
+* https://gitlab.cern.ch/lxplus/pam_xdg_runtime_dir
+* https://gitlab.cern.ch/lxplus/pam_krb5_cc_move
+* https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
+

man/pam_xdg_runtime_dir.8

@@ -0,0 +1,50 @@
+.TH PAM_XDG RUNTIME DIR 8 "January 2024" "Version 1.0.0" "PAM Module Manual"
+.SH NAME
+pam_xdg_runtime_dir \- PAM module for creating user session directories
+
+.SH SYNOPSIS
+.B pam_xdg_runtime_dir
+[\fIOPTIONS\fR]
+
+.SH DESCRIPTION
+The pam_xdg_runtime_dir PAM module is responsible for creating a directory /run/user/<UID> for the user during the session opening process. It sets the ownership of the directory based on the user's UID and GID. Optionally, it supports debug mode for additional logging.
+
+.SH OPTIONS
+.TP
+.B debug
+Enables debug mode, producing additional log messages.
+
+.SH RETURN VALUES
+.PP
+This module returns PAM_SUCCESS on success and PAM_SESSION_ERR on failure.
+
+.SH EXAMPLES
+.PP
+The following example shows how to configure pam_xdg_runtime_dir in the PAM configuration file:
+.BR session required pam_xdg_runtime_dir debug
+
+.SH SEE ALSO
+.PP
+\fBpam\fR(8), \fBpam.d\fR(8)
+
+.SH AUTHORS
+Written by Your Name <[email protected]>
+
+.SH REPORTING BUGS
+Report bugs to <[email protected]>.
+
+.SH COPYRIGHT
+Copyright © 2024 Your Organization. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+.SH NOTES
+This manual page was written for the pam_xdg_runtime_dir module based on its behavior as of January 2024. Ensure that you consult the module's documentation for any updates or changes.
+
+.SH BUGS
+No known bugs.
+
+.SH VERSION
+This is pam_xdg_runtime_dir version 1.0.0.
+
+.SH DATE
+January 2024
+

pamtester/xdg_runtime_dir

@@ -0,0 +1,2 @@
+# Just use for testing
+session optional pam_xdg_runtime_dir.so debug

src/pam_xdg_runtime_dir.c

@@ -0,0 +1,90 @@
+#define PAM_SM_SESSION
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <grp.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+#include <pwd.h>
+#include <errno.h>
+#include <syslog.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+
+
+#define DEBUG_LOG_LEVEL LOG_DEBUG
+
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+    const char *pam_user;
+    struct passwd *pwd;
+    int ret;
+
+    // Check for the debug option
+    int debug = 0;
+    for (int i = 0; i < argc; ++i) {
+        if (strcmp(argv[i], "debug") == 0) {
+            debug = 1;
+            break;
+        }
+    }
+
+    if (debug) {
+        pam_syslog(pamh, DEBUG_LOG_LEVEL, "Debug mode enabled");
+    }
+
+    // Get the PAM_USER (user being authenticated)
+    ret = pam_get_user(pamh, &pam_user, NULL);
+    if (ret != PAM_SUCCESS) {
+        pam_syslog(pamh, LOG_ERR, "Error getting PAM_USER: %s", pam_strerror(pamh, ret));
+        return PAM_SESSION_ERR;
+    }
+
+    // Get user information using getpwnam
+    pwd = getpwnam(pam_user);
+    if (pwd == NULL) {
+        pam_syslog(pamh, LOG_ERR, "Error getting user information for PAM_USER: %s", pam_user);
+        return PAM_SESSION_ERR;
+    }
+
+    // Create the destination directory if it doesn't exist
+    char dest_directory[128];
+    snprintf(dest_directory, sizeof(dest_directory), "/run/user/%d", pwd->pw_uid);
+
+    struct stat st;
+    if (stat(dest_directory, &st) != 0) {
+        // Directory doesn't exist
+        if (mkdir(dest_directory, 0700) != 0) {
+            // Error creating the directory
+            pam_syslog(pamh, LOG_ERR, "Error creating directory: %s - %s", dest_directory, strerror(errno));
+            return PAM_SESSION_ERR;
+        }
+
+        // Set the ownership of the directory
+        ret = chown(dest_directory, pwd->pw_uid, pwd->pw_gid);
+        if (ret != 0) {
+            pam_syslog(pamh, LOG_ERR, "Error chowning directory: %s - %s", dest_directory, strerror(errno));
+            return PAM_SESSION_ERR;
+        }
+
+        selinux_restorecon(dest_directory, SELINUX_RESTORECON_XDEV);
+
+        if (debug) {
+            pam_syslog(pamh, DEBUG_LOG_LEVEL, "Destination directory created: %s", dest_directory);
+        }
+    }
+
+    return PAM_SUCCESS;
+}
+
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+    // Perform any cleanup if necessary
+    return PAM_SUCCESS;
+}
+