r969 - trunk

archaic at linuxfromscratch.org
Tue Jul 19 09:13:23 PDT 2005


Author: archaic
Date: 2005-07-19 10:13:22 -0600 (Tue, 19 Jul 2005)
New Revision: 969

Added:
   trunk/restoresettingsatlogin.txt
Log:
Added restoresettingsatlogin.txt.

Added: trunk/restoresettingsatlogin.txt
===================================================================
--- trunk/restoresettingsatlogin.txt	2005-07-14 19:11:13 UTC (rev 968)
+++ trunk/restoresettingsatlogin.txt	2005-07-19 16:13:22 UTC (rev 969)
@@ -0,0 +1,278 @@
+AUTHOR: Stef Bon <stef at bononline dot nl>
+
+DATE: 2005-07-18
+
+LICENSE: GNU Free Documentation License Version 1.2
+
+SYNOPSIS: Storing and retrieving settings per user at login and logout using PAM.
+
+DESCRIPTION:
+Somehow I always missed the possibity to store and retrieve my settings on/from a central
+network host for Linux, like 'roamingprofiles' for the Windows 95/98/w2k/xp systems have. 
+Here is described a way to do that. 
+
+ATTACHMENTS:
+
+
+PREREQUISITES:
+This hint requires that you have sufficient knowledge of LINUX in general, and 
+PAM in particular.
+
+HINT:
+
+1. Storing and retrieving settings on network
+---------------------------------------------
+
+When using a modern Linux system, you can use your account on more 
+systems to login. This is possible when LDAP, nss-ldap and pam-ldap.
+But every machine has it's own settings, so you can't take your settings with 
+you, just like "roamingprofiles".
+
+When looking at PAM for Linux, it has the ability to use a loadable plugin, which will
+take care for retrieving settings from a central network host when a session opens, 
+and storing the same settings to the same host when a sessions closes.
+
+This is not possible for a standard PAM installation. There is no standard pam modules
+which will execute scripts in general.  But there is a module, developed seperately, 
+pam_script, which will do this.
+
+An example of a script using the rsync program to store settings for kde is here. 
+
+
+2. Installing the software
+--------------------------
+
+
+
+2.1 pam_script
+--------------
+
+
+Get the module pam_script from http://freshmeat.net/projects/pam_script. 
+I'm using version 0.1.2.
+
+unpack:
+
+tar -xzf pam-script-*.tar.gz
+
+compile and move to the proper place:
+
+cd pam-script-*
+
+make
+mv pam_script.so /lib/security
+chown root:root /lib/security/pam_script.so
+chmod 755 /lib/security/pam_script.so
+
+
+2.2 Adjusting pam configuration
+-------------------------------
+
+
+Adjusting the /etc/pam.d/login file:
+
+-- snip --
+
+session		optional	pam_mail.so dir=/var/mail noenv close empty
+session		optional	pam_motd.so
+session		required	pam_unix.so
+session		required	pam_script.so
+
+When using other ways for users to login than the standard, like a X-based login as kdm,
+adjust them the same way. On my machine I login frequently in with kdm, and that uses the 
+kde-service, which is a symlink to the login-service:
+
+cd /etc/pam.d/security
+
+ls -al
+
+drwxr-xr-x   2 root root  392 2005-07-11 13:59 .
+drwxr-xr-x  36 root root 3152 2005-07-19 14:09 ..
+-rw-r--r--   1 root root  253 2004-05-12 16:06 chage
+-rw-r--r--   1 root root   69 2005-01-12 00:20 cups
+-rw-r--r--   1 root root  330 2005-01-19 10:00 fcron
+-rw-r--r--   1 root root  506 2004-12-22 23:04 fcrontab
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
+-rw-r--r--   1 root root  931 2005-07-19 13:20 login
+-rw-r--r--   1 root root  305 2005-07-16 22:46 other
+-rw-r--r--   1 root root  282 2003-08-13 18:22 passwd
+-rw-r--r--   1 root root  411 2003-08-12 17:53 shadow
+-rw-r--r--   1 root root  448 2005-07-18 10:18 su
+-rw-r--r--   1 8036 root  666 2005-02-28 12:59 sudo
+-rw-r--r--   1 root root  257 2004-05-12 16:05 useradd
+-rw-r--r--   1 root root  200 2005-04-25 09:05 xscreensaver
+
+
+Notes:
+- the pam_script.so uses some parameters. All of them are described in the README in the
+source directory. One of them, runas, when used as runas=root does not work for me. When
+closing a session, the onsessionclose script is executed with the privileges of the user who
+is logging out. Changing the uid to 0 gives errors.
+- when logging out using the normal console, the service is 'login'. Login did not call
+all the modules. I had to add a new parameter to the /etc/login.defs :
+
+CLOSE_SESSIONS        yes
+
+
+
+2.3 Creating the session scripts
+--------------------------------
+
+
+The pam_script works with two standard scripts, onsessionopen and onsessionclose in the
+/etc/security directory. 
+	
+cat >> /etc/security/onsessionopen << "EOF"
+#!/bin/bash
+
+userid=$1
+service=$2
+homedir=$(getent passwd | grep -E "^$userid" | cut -d ":" -f 6);
+
+nrusers=$(last -f /var/run/utmp $userid | grep -w "still logged in" | wc -l );
+
+
+if [ "$nrusers" = "0" ]; then
+
+    # There are no other pending sessions for this user
+
+    if [ -d $homedir/.sync4settings ]; then
+
+	for script in $homedir/.sync4settings/login/*.sh ; do
+	    if [ -x $script ] ; then
+		. $script
+	    fi;
+	done;
+	
+    fi;	
+
+fi;
+
+EOF
+
+
+
+cat >> /etc/security/onsessionclose << "EOF"
+#!/bin/bash
+
+userid=$1
+service=$2
+homedir=$(getent passwd | grep -E "^$userid" | cut -d ":" -f 6);
+
+nrusers=$(last -f /var/run/utmp $userid | grep -w "still logged in" | wc -l );
+
+
+if [ "$nrusers" = "1" ]; then
+
+    # This is the last session for this user
+
+    if [ -d $homedir/.sync4settings ]; then
+
+	for script in $homedir/.sync4settings/logout/*.sh ; do
+	    if [ -x $script ] ; then
+		. $script
+	    fi;
+	done;
+	
+    fi;	
+
+fi;
+
+EOF
+
+chown root:root /etc/security/onsession*
+chmod 755 /etc/security/onsession*
+
+
+Note:
+-  as you can see I use the command "last" to determine the users logged in. Other utilities
+as who, users gave not reliable information. I looks as if the utmp file is not always presenting 
+the right values. Utilities as who and users show information from utmp without any check, so 
+they inherit the faults. 'last' does some extra checking, which makes it more usable.
+Anyone knowing a better way to determine the amount of session for a user, please let me know.
+
+
+
+
+2.4 Creating shellscripts for doing the actual storing and retrieving.
+----------------------------------------------------------------------
+
+
+Now as user sbon, in the homedirectory, create the correct directories:
+
+cd ~
+mkdir -p .sync4profile/login
+mkdir -p .sync4profile/logout
+
+cd .sync4profile/login
+
+cat >> kde.sh << "EOF"
+#!/bin/bash
+
+connectionpossible=$(rsync 192.168.0.3::sbon | grep "error" );
+
+if [ -z "$connectionpossible" ]; then
+
+    thereisarchive=$(rsync 192.168.0.3::sbon/.kde | grep -w ".kde");
+
+    if [ -n "$thereisarchive" ]; then
+	
+	#
+	# no error found
+	#
+
+	rsync -rptgoz 192.168.0.3::sbon/.kde/ /home/sbon/.kde
+
+    fi;
+fi;
+
+EOF
+
+And the logout script:
+
+cat >> kde.sh << "EOF"
+#!/bin/bash
+
+if [ -d /home/sbon/.kde ]; then
+
+    connectionpossible=$(rsync 192.168.0.3::sbon | grep "error" );
+
+    if [ -z "$connectionpossible" ]; then
+	#
+	# no error found
+	#
+
+	rsync -rptgoz  /home/sbon/.kde 192.168.0.3::sbon
+    fi;	
+
+fi;
+
+EOF
+
+These scripts are for the settings of kde. But this is just an example.
+You can put any scrtipt ( with the .sh extension )
+in this directory. The bookmarks of Firefox for example. Other things as creating 
+files or mounting shares is also possible.
+
+The rsyncserver is hosted at 192.168.0.3, with a share [sbon]. This share
+can be accessed without credentials: public access. This is not so simple.
+The rsyncdaemon does not support pam yet. Could work is shell for transport 
+is ssh. Work to be done.
+
+As you can see I use the rsync algoritm, but you can use also a
+ftp server with write-access. The big advantage of rsync however 
+is the efficient way it handles changes.
+
+This way it looks at the way Windows workstations handle settings: 
+when there is a [profiles] share, the server support "roamingprofiles".
+I think the way the saving en getting the "profile" works like rsync.
+
+
+
+ACKNOWLEDGEMENTS:
+Thanks to the author of pam_script, Izak Burger.
+
+CHANGELOG:
+[2005-07-18]
+  * Initial hint.
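Review bot: the hook scripts and the per-user setup in this hunk disagree on the directory name, so the user scripts never run: onsessionopen and onsessionclose look for `$homedir/.sync4settings/login/*.sh` and `$homedir/.sync4settings/logout/*.sh`, while section 2.4 creates `.sync4profile/login` and `.sync4profile/logout`; pick one name and use it in both places. In the same section the logout script is written with `cat >> kde.sh` without leaving the login directory, so it is appended to the login script instead of landing in `logout/` (a `cd ../logout` is missing, and `>` rather than `>>` avoids stacking a second copy on a re-run). Two more points on the hook scripts: `homedir=$(getent passwd | grep -E "^$userid" | cut -d ":" -f 6)` is a prefix match that also hits any other account whose name starts with `$userid` (and `$homedir` is unquoted in the `-d` tests), where `getent passwd "$userid" | cut -d: -f6` is exact; and because `. $script` sources files owned by the user into the hook itself, whichever hook runs with root privileges (the session phase of `login` runs before privileges are dropped, and the runas note says only the close side ends up as the user) executes user-controlled code as root. Run those per-user scripts as the user, for example `su - "$userid" -c "$script"`, instead of sourcing them, and state that expectation in the Notes.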
