I need to run a script, when the session is opened, as the user who's opening the session.
I have added this line to /etc/pam.d/common-session:
session optional pam_exec.so log=/tmp/test_pam_foo.log /usr/local/bin/test_pam_foo.sh
I also tried to activate pam_exec's option seteuid
The basic script, /usr/local/bin/test_pam_foo.sh:
#!/bin/sh
id -u >> /tmp/test_pam_foo
id -ru >> /tmp/test_pam_foo
Unfortunately, I always get 0 as both the effective id and the real id.
Am I missing something?
As an alternative, I know of the existence of pam_script, not to be confused with pam-script.
That pam_script runs by default as the current user and has the option runas
to force it to run as root. But I'd prefer to use PAM libraries that are already packaged in my distribution (Ubuntu 12.04).
Best Answer
Well, you can have /usr/local/bin/test_pam_foo.sh change the user, since the user name is in the PAM_USER environment variable.

Beware of the note in the pam_exec man page about the user potentially having control over the environment (depending on which service uses it, like su). So using a script is probably not a good idea there (even if you fix $PATH and other problematic variables, there will be some that you can't do anything about, like SHELLOPTS or BASH_ENV for bash scripts).

Best would be to use a wrapper that changes the user before calling your script.
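A wrapper of the kind the answer recommends, as an added example that is not part of the original answer or the poster's code. It assumes pam_exec runs it as root from the session entry in the question and that the script is /usr/local/bin/test_pam_foo.sh; the wrapper's own install path (/usr/local/bin/pam_exec_wrapper) and the PAM line in the header comment are assumptions. It reads PAM_USER, validates it, builds a fresh environment instead of inheriting one, drops to the target account (supplementary groups, gid, then uid) and only then execs the script, so variables such as BASH_ENV or SHELLOPTS planted by an su caller never reach it.

```c
/* pam_exec_wrapper.c: added example, not from the original answer or page.
 * Assumed PAM line, replacing the script in common-session:
 *   session optional pam_exec.so /usr/local/bin/pam_exec_wrapper */
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET_SCRIPT "/usr/local/bin/test_pam_foo.sh"  /* script from the question */
#define SAFE_PATH     "PATH=/usr/local/bin:/usr/bin:/bin"
#define ENV_SLOTS     6

/* Accept only portable account names, [A-Za-z0-9_][A-Za-z0-9._-]*, at most
 * 32 chars, so an odd PAM_USER value is rejected before it is used anywhere. */
int valid_user_name(const char *name)
{
    size_t n, i;
    if (name == NULL || (n = strlen(name)) == 0 || n > 32) return 0;
    if (!isalnum((unsigned char)name[0]) && name[0] != '_') return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

static char *make_kv(const char *key, const char *val)
{
    size_t len = strlen(key) + strlen(val) + 2;
    char *s = malloc(len);
    if (s != NULL) snprintf(s, len, "%s=%s", key, val);
    return s;
}

void free_env(char **env)
{
    size_t i;
    if (env == NULL) return;
    for (i = 0; i < ENV_SLOTS; i++) free(env[i]);
    free(env);
}

/* Build the script's environment from scratch: nothing inherited from the
 * caller survives, so BASH_ENV, SHELLOPTS, IFS, LD_PRELOAD and friends that
 * a user may have set (e.g. when the service is su) never reach the script.
 * Layout: PATH, USER, LOGNAME, HOME, PAM_USER, NULL. */
char **build_safe_env(const char *user, const char *home)
{
    char **env = calloc(ENV_SLOTS, sizeof *env);  /* last slot stays NULL */
    size_t i;
    if (env == NULL) return NULL;
    env[0] = strdup(SAFE_PATH);
    env[1] = make_kv("USER", user);
    env[2] = make_kv("LOGNAME", user);
    env[3] = make_kv("HOME", home);
    env[4] = make_kv("PAM_USER", user);
    for (i = 0; i < ENV_SLOTS - 1; i++)
        if (env[i] == NULL) { free_env(env); return NULL; }
    return env;
}

/* Become the target account: supplementary groups, then primary gid, then
 * uid (the first two would fail once the uid is no longer 0).  For a
 * non-root target, confirm the change cannot be reversed. */
int drop_privileges(const struct passwd *pw)
{
    if (getuid() == 0 && initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void)
{
    const char *user = getenv("PAM_USER");
    struct passwd *pw;
    char **env;
    char *const argv[] = { TARGET_SCRIPT, NULL };

    if (!valid_user_name(user) || (pw = getpwnam(user)) == NULL) {
        fputs("pam_exec_wrapper: missing, invalid or unknown PAM_USER\n", stderr);
        return 1;
    }
    env = build_safe_env(pw->pw_name, pw->pw_dir);
    if (env == NULL || drop_privileges(pw) != 0) {
        perror("pam_exec_wrapper: cannot set up user context");
        return 1;
    }
    if (chdir(pw->pw_dir) != 0 && chdir("/") != 0) return 1;
    execve(TARGET_SCRIPT, argv, env);  /* returns only on failure */
    perror("pam_exec_wrapper: execve");
    return 1;
}
```

Compile it with `cc -O2 -o /usr/local/bin/pam_exec_wrapper pam_exec_wrapper.c`, keep it root-owned and not writable by others, and point the pam_exec line at the wrapper instead of the script. pam_exec also exports PAM_TYPE, PAM_SERVICE, PAM_TTY, PAM_RHOST and PAM_RUSER; if the script needs any of them, copy them into the fresh environment the same way as PAM_USER after checking their values, rather than passing the inherited environment through.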