r981 - trunk
tushar at linuxfromscratch.org
Wed Aug 10 11:37:34 PDT 2005
Date: 2005-08-10 12:37:33 -0600 (Wed, 10 Aug 2005)
New Revision: 981
Updated Hint: restoresettingsatlogin
--- trunk/restoresettingsatlogin.txt 2005-08-08 03:00:16 UTC (rev 980)
+++ trunk/restoresettingsatlogin.txt 2005-08-10 18:37:33 UTC (rev 981)
@@ -17,7 +17,13 @@
This hint requires that you have sufficient knowledge of LINUX in general, and
PAM in particular.
+shadow-4.0.3 or shadow-188.8.131.52 (at this moment the latest).
+For the option runas=root to work, you'll need these.
+Other versions of shadow (184.108.40.206 and 4.0.7) are causing problems. In the
+code of login of these versions, root privileges are dropped too early
+(before the pam_close_session call).
1. Storing and retrieving settings on network
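Review bot: the version identifiers on the added lines (shadow-188.8.131.52, 184.108.40.206) do not look like shadow release numbers; please check that they have not been mangled before this goes in. The ordering is also backwards: "For the option runas=root to work, you'll need these." refers to versions listed on the line above it, so fold the two into one statement such as "runas=root requires shadow-4.0.3 or the release named above". The explanation that login drops root privileges before the pam_close_session call is the useful part and should stay; it tells readers why, on the affected versions, a session-close script that is supposed to run as root ends up running with the privileges of the user who is logging out.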
@@ -108,10 +114,15 @@
- the pam_script.so uses some parameters. All of them are described in the README in the
-source directory. One of them, runas, when used as runas=root does not work for me. When
-closing a session, the onsessionclose script is executed with the privileges of the user who
-is logging out. Changing the uid to 0 gives errors.
+source directory. One of them, runas, when used as runas=root did not work for me. It appears
+that it's the login command - part of the shadow package - is causing the problems.
+Shadow-220.127.116.11 works fine.
+- the option run-as=root can be very insecure. The way I describe here arbitrary scripts
+in the homedirectory of an user are executed at login and logout as root. And that's not
+what you want, right! I'm thinking about a way to make it more secure. Any hints are
- when logging out using the normal console, the service is 'login'. Login did not call
all the modules. I had to add a new parameter to the /etc/login.defs :
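Review bot: the new bullet correctly flags that runas=root executes scripts from the user's home directory as root, but "can be very insecure" understates it: any user who can write to their own home directory can then run arbitrary commands as root at login or logout, which is a local privilege escalation by construction. State that plainly and give the mitigation instead of leaving it at "I'm thinking about a way": keep the root-run hook to a root-owned, non-user-writable script (for example under /etc) that performs only the privileged steps and switches to the user before executing anything that lives under the home directory. Also, "It appears that it's the login command - part of the shadow package - is causing the problems." has a dangling "it's"; read "It appears that the login command (part of the shadow package) is causing the problems."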
@@ -123,6 +134,8 @@
2.3 Creating the session scripts
@@ -170,7 +183,7 @@
nrusers=$(w -h $userid | wc -l );
-if [ "$nrusers" = "1" ]; then
+if [ $nrusers -eq 1 ]; then
# This is the last session for this user
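Review bot: switching to -eq is the right fix, because `wc -l` pads its output with leading spaces on some systems, so the string comparison with "1" can fail even when the count is one; `-eq` compares numerically and tolerates the padding. Two small things remain on these lines: `$userid` in `w -h $userid` should be quoted, and the `;` after the closing `)` is unnecessary. Unquoted `$nrusers` is safe here only because `wc -l` always prints a number; quoting it as well costs nothing.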
@@ -200,10 +213,13 @@
they inherit the faults. 'w' does some extra checking, which makes it more
usable. Anyone knowing a better way to determine how many times a user is logged
in, please let me know.
+- the command "w" is used to determine the user is already logged is at login or
+the this is the last session at logout. Note that the number of sessions is zero
+when logging in: the user is still not logged in. It's one when logging out:
+until pam hasn't completed everything the current user is still logged in.
2.4 Creating shellscripts for doing the actual storing and retrieving.
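Review bot: the added lines have typos that make the sentence hard to parse: "determine the user is already logged is at login or the this is the last session at logout" should read "determine whether the user is already logged in at login, or whether this is the last session at logout". The substantive point is worth keeping: during the open-session phase the user's own entry is not yet recorded, so the count is zero for a first login, while during close-session the current entry is still present, so it is one for the last session. It is worth adding that `w` reads utmp, so the count is only meaningful for login paths that register the session there.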
@@ -270,12 +286,12 @@
Obvious, you don't want that there are still files on the server, which are not
there (anymore?) on the workstation.
--Storing settings on a central server can become very complicated when one user is
+- Storing settings on a central server can become very complicated when one user is
logged on more than one machine at the same time. There is now way to
'merge' the settings. The setting saved at the last logout are the ones which
will remain on the server. Windows uses the same strategy.
--These scripts are for the settings of kde. But this is just an example.
+- These scripts are for the settings of kde. But this is just an example.
You can put any scrtipt ( with the .sh extension )
in this directory. The bookmarks of Firefox for example. Other things like creating
files or mounting shares are also possible.
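Review bot: the bullet-spacing change is fine; while touching this block, the surrounding context lines carry typos that belong in the same commit: "There is now way" should be "There is no way", "The setting saved" should be "The settings saved", "scrtipt" should be "script", and "Obvious, you don't want" should be "Obviously, you don't want".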
@@ -309,15 +325,22 @@
* added the --delete flag to the rsync commando at logout.
* added the -u flag when getting the settings at login.
* added more comment on saving and restoring settings in a mutiuser/multihost (wow!)
* Use the command 'w' to determine how many times a user is logged in on the
system in stead of 'last'.
* Correction of some phrases: incorrect English.
+ * added some comment about the version of shadow to use. Some versions caused
+ * corrected some typos.
+ * added some comment about the option runas=root which can be very insecure
* authentication of users
- * find out why runas=root does not work with pam_script at logout for me
* look for some way to show information about progres and/or errors when executing
the scripts when using a graphical login. xconsole?
+ * find out why runas=root does not work with pam_script at logout for me
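Review bot: the added changelog entry "added some comment about the version of shadow to use. Some versions caused" ends mid-sentence; either finish it (for example "... caused login to drop root privileges before pam_close_session") or cut it at the first sentence. The item "find out why runas=root does not work with pam_script at logout for me" is only moved from one place in the list to another; if the shadow-version explanation added above answers that question, drop the item rather than relocating it. The context lines also have misspellings worth fixing here: "mutiuser" (multiuser), "progres" (progress) and "in stead" (instead).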