r981 - trunk

tushar at linuxfromscratch.org
Wed Aug 10 11:37:34 PDT 2005


Author: tushar
Date: 2005-08-10 12:37:33 -0600 (Wed, 10 Aug 2005)
New Revision: 981

Modified:
   trunk/restoresettingsatlogin.txt
Log:
Updated Hint: restoresettingsatlogin

Modified: trunk/restoresettingsatlogin.txt
===================================================================
--- trunk/restoresettingsatlogin.txt	2005-08-08 03:00:16 UTC (rev 980)
+++ trunk/restoresettingsatlogin.txt	2005-08-10 18:37:33 UTC (rev 981)
@@ -17,7 +17,13 @@
 PREREQUISITES:
 This hint requires that you have sufficient knowledge of LINUX in general, and 
 PAM in particular.
+shadow-4.0.3 or shadow-4.0.11.1 (at this moment the latest). 
+For the option runas=root to work, you'll need these. 
+Other versions of shadow (4.0.4.1 and 4.0.7) are causing problems. In the 
+code of login of these versions, root privileges are dropped too early 
+(before the pam_close_session call).
 
+
 HINT:
 
 1. Storing and retrieving settings on network
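Review bot: the new shadow requirement is dropped into PREREQUISITES as a fragment ("shadow-4.0.3 or shadow-4.0.11.1 (at this moment the latest).") with no subject, so it reads as a continuation of the sentence about PAM knowledge; suggest one self-contained sentence such as "For runas=root to work you need shadow-4.0.3 or shadow-4.0.11.1 (currently the latest); shadow 4.0.4.1 and 4.0.7 drop root privileges before the pam_close_session call and therefore break it." The extra blank line added at the end of the hunk is whitespace-only noise.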
@@ -108,10 +114,15 @@
 Notes:
 
 - the pam_script.so uses some parameters. All of them are described in the README in the
-source directory. One of them, runas, when used as runas=root does not work for me. When
-closing a session, the onsessionclose script is executed with the privileges of the user who
-is logging out. Changing the uid to 0 gives errors.
+source directory. One of them, runas, when used as runas=root did not work for me. It appears
+that it's the login command - part of the shadow package - is causing the problems. 
+Shadow-4.0.11.1 works fine.
 
+- the option run-as=root can be very insecure. The way I describe here arbitrary scripts 
+in the homedirectory of an user are executed at login and logout as root. And that's not 
+what you want, right! I'm thinking about a way to make it more secure. Any hints are
+welcome.
+
 - when logging out using the normal console, the service is 'login'. Login did not call
 all the modules. I had to add a new parameter to the /etc/login.defs :
 
@@ -123,6 +134,8 @@
 
 
 
+
+
 2.3 Creating the session scripts
 --------------------------------
 
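Review bot: this hunk only adds two blank lines above the "2.3 Creating the session scripts" heading; whitespace-only changes like this add noise to the diff and should be left out or folded into a real edit.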
@@ -170,7 +183,7 @@
 nrusers=$(w -h $userid | wc -l );
 
 
-if [ "$nrusers" = "1" ]; then
+if [ $nrusers -eq 1 ]; then
 
     # This is the last session for this user
 
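Review bot: switching to the arithmetic test `[ $nrusers -eq 1 ]` is the right fix, since some wc implementations print leading spaces and the old string comparison `"$nrusers" = "1"` then never matches; but `$nrusers` (and `$userid` in the `w -h $userid` call above it) should still be double-quoted, so an empty or unexpected value gives a predictable test failure rather than a malformed `[` expression. The trailing `;` after the command substitution is harmless but unneeded.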
@@ -200,10 +213,13 @@
 they inherit the faults. 'w' does some extra checking, which makes it more 
 usable. Anyone knowing a better way to determine how many times a user is logged 
 in, please let me know.
+- the command "w" is used to determine the user is already logged is at login or
+the this is the last session at logout. Note that the number of sessions is zero 
+when logging in: the user is still not logged in. It's one when logging out: 
+until pam hasn't completed everything the current user is still logged in.
 
 
 
-
 2.4 Creating shellscripts for doing the actual storing and retrieving.
 ----------------------------------------------------------------------
 
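Review bot: the added paragraph is hard to parse ("determine the user is already logged is at login or the this is the last session at logout"); suggest "The command w is used to determine whether the user is already logged in (at login) or whether this is the last session (at logout)." It also repeats the point made two lines earlier about w, so the two bullets should be merged. Worth stating the caveat while you are here: w reads utmp, so a session that never registers in utmp is invisible to this count and the "last session" branch can run while the user still has such a session open.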
@@ -270,12 +286,12 @@
 Obvious, you don't want that there are still files on the server, which are not 
 there (anymore?) on the workstation.
 
--Storing settings on a central server can become very complicated when one user is 
+- Storing settings on a central server can become very complicated when one user is 
 logged on more than one machine at the same time. There is now way to 
 'merge' the settings. The setting saved at the last logout are the ones which 
 will remain on the server. Windows uses the same strategy.
 
--These scripts are for the settings of kde. But this is just an example.
+- These scripts are for the settings of kde. But this is just an example.
 You can put any scrtipt ( with the .sh extension )
 in this directory. The bookmarks of Firefox for example. Other things like creating 
 files or mounting shares are also possible.
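Review bot: the list-marker fix is fine, but the unchanged context lines of this hunk still contain "There is now way" (should be "no way") and "scrtipt" (should be "script"), which a revision logged as "corrected some typos" ought to pick up.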
@@ -309,15 +325,22 @@
   * added the --delete flag to the rsync commando at logout. 
   * added the -u flag when getting the settings at login. 
   * added more comment on saving and restoring settings in a mutiuser/multihost (wow!)
-    envionment.
+    environment.
 [2005-07-27]
   * Use the command 'w' to determine how many times a user is logged in on the
     system in stead of 'last'.
   * Correction of some phrases: incorrect English. 
+[2005-08-10]
+  * added some comment about the version of shadow to use. Some versions caused
+    problems.
+  * corrected some typos.
+  * added some comment about the option runas=root which can be very insecure     
 
 TODO:
 
   * authentication of users
-  * find out why runas=root does not work with pam_script at logout for me
   * look for some way to show information about progres and/or errors when executing
     the scripts when using a graphical login. xconsole?
+
+DONE:
+  * find out why runas=root does not work with pam_script at logout for me
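Review bot: the added changelog line "added some comment about the option runas=root which can be very insecure" ends in trailing whitespace and lacks the full stop the other entries have. The DONE entry only restates the old TODO text; since the answer is now known (the login command in shadow 4.0.4.1 and 4.0.7 drops root privileges before pam_close_session), record it there so the reader does not have to hunt for it in the Notes section.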