Ubuntu – How to have pam_exec run the script as the current user

pamUbuntu

I need to run a script, when the session is opened, as the user who's opening the session.

I have added in /etc/pam.d/common-session :

session optional        pam_exec.so      log=/tmp/test_pam_foo.log /usr/local/bin/test_pam_foo.sh

I also tried to activate pam_exec's option seteuid

The basic script /usr/local/bin/test_pam_foo.sh :

#!/bin/sh
id -u >> /tmp/test_pam_foo
id -ru >> /tmp/test_pam_foo

Unfortunately, I get all the time 0 as the effective id and real id.

Am I missing something?

As alternative, I know the existence of pam_script, not to be confused with pam-script.

That pam_script runs by default as the current user and has the option runas to force to be run as root. But I'd like to privilege the use of pam libs that are already packaged in my distribution (Ubuntu 12.04).

Best Answer

Well, you can have /usr/local/bin/test_pam_foo.sh

change the user since it's in the PAM_USER environment variable.

Beware of the note in pam_exec man page about the user having potentially control on the environment (depending on what service uses it (like su)). So using a script is probably not a good idea there (even if you fix $PATH and other problematic variables, there will be some that you can't do anything about, like SHELLOPTS or BASH_ENV for bash scripts).

Best would be to use a wrapper changes the user before calling your script.

Related Solutions

Linux – What SELinux context should the script have to be ran by pam_exec

The order in which pam_exec and pam_selinux are invoked is important. Man page for pam_selinux notes:

Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications. To avoid that, pam_selinux.so open should be placed after such modules in the PAM stack, and pam_selinux.so close should be placed before them. When such a placement is not feasible, pam_selinux.so restore could be used to temporary restore original security contexts.

Similarly, Dan Walsh writes about the topic:

If you are going to add a pam_module that would exec commands that the user would not be allowed to execute, for example pam_mount, it should be added before the pam_selinux.so open command. If you are adding a pam_module that execs command a user could execute, then you probably want these after the pam_selinux.so open line.

Also note that your script currently has security context of user_home_t, which is not likely compatible with the default policy (file contexts are preserved when file is moved; if you created the file in your home directory moving the file will preserve the original context). You probably should use the default bin_t context. To restore the default context:

restorecon  /usr/local/bin/loginformer.py

If your script does not do anything too special, placing pam_exec before pam_selinux and restring the context should be enough to fix your issue.

Ssh – How to allow unauthenticated logins over ssh on FreeBSD

To allow unauthenticated login over SSH using PAM, all of the following must be configured:

The user account must have “no password” set. This is different from “empty password” and can be achieved with
```
pw usermod <user> -w none
```
In sshd_config, the following option must be set before UsePAM is set, otherwise the option is ignored:
```
PermitEmptyPasswords yes
```
In the PAM configuration file for sshd, the pam_unix module in the auth category must be loaded with the nullok option, e. g.
```
auth        required    pam_unix.so     no_warn try_first_pass nullok
```

Best Answer

Related Solutions

Linux – What SELinux context should the script have to be ran by pam_exec

Ssh – How to allow unauthenticated logins over ssh on FreeBSD

Related Question