r991 - trunk

tushar at linuxfromscratch.org tushar at linuxfromscratch.org
Tue Oct 4 21:51:00 PDT 2005


Author: tushar
Date: 2005-10-04 22:50:59 -0600 (Tue, 04 Oct 2005)
New Revision: 991

Added:
   trunk/execute-session-scripts-using-pam.txt
Removed:
   trunk/restoresettingsatlogin.txt
Log:
Updated Hint restoresettingsatlogin and renamed it to execute-session-scripts-using-pam

Added: trunk/execute-session-scripts-using-pam.txt
===================================================================
--- trunk/execute-session-scripts-using-pam.txt	2005-10-05 04:47:29 UTC (rev 990)
+++ trunk/execute-session-scripts-using-pam.txt	2005-10-05 04:50:59 UTC (rev 991)
@@ -0,0 +1,819 @@
+AUTHOR: Stef Bon <stef at bononline dot nl>
+
+DATE: 2005-10-04
+
+LICENSE: GNU Free Documentation License Version 1.2
+
+SYNOPSIS: Execute scripts at begin and end of a usersession using PAM with some examples like dbus.
+
+DESCRIPTION:
+This hint is about the ability to execute scripts when a session for a user starts, 
+and when it ends. 
+
+I started to when I was looking for a sollution to store my kde settings on a central 
+computer. Later I discovered that scripts for other purposes are possible.
+
+It works via pam. I know this can be done via 
+the scripts in the profile.d directory which are executed when a shell starts, 
+but pam is in my opinion the best place to this. 
+
+ATTACHMENTS:
+
+
+PREREQUISITES:
+This hint requires that you have sufficient knowledge of LINUX in general, and 
+PAM in particular.
+shadow-4.0.3 or shadow-4.0.11.1 or 4.0.12 (at this moment the latest). 
+For the option runas=root to work, you'll need these. 
+Other versions of shadow (4.0.4.1 and 4.0.7) are causing problems. In the 
+code of login of these versions, root privileges are dropped too early 
+(before the pam_close_session call).
+
+
+HINT:
+
+1. Use scripts at begin and end of a session: introduction
+-----------------------------------------------------------------------------
+
+When using modern Linux systems, you can use your account on more 
+systems to login. This is possible with LDAP, nss-ldap and pam-ldap.
+But every machine has it's own settings for kde for example, so you can't 
+take your settings with you, just like "roamingprofiles".
+
+I started to look for a sollution to solve this, and with PAM and a module pam_script,
+this was possible.
+
+When looking at PAM for Linux, it has the ability to use a loadable plugin, which will 
+take care for retrieving settings from a central network host when a session opens, 
+and storing the same settings to the same host when a sessions closes.
+
+This is not possible for a standard PAM installation. There is no standard pam module
+which will execute scripts in general.  But there is a module, developed seperately, 
+pam_script, which will do this.
+
+Later I discovered that I could use this construction for more purposes:
+- browsing the network using FUSE, fusesmb and pam_storepw. 
+- start dbus-launcher per session/user and make environmentvariables available 
+
+
+
+2. Installing the software
+--------------------------
+
+
+2.1 pam_script
+--------------
+
+
+Get the module pam_script from http://freshmeat.net/projects/pam_script. 
+I'm using version 0.1.3.
+
+unpack:
+
+tar -xzf pam-script-*.tar.gz
+
+compile and move to the proper place:
+
+cd pam-script-*
+
+make
+mv pam_script.so /lib/security
+chown root:root /lib/security/pam_script.so
+chmod 755 /lib/security/pam_script.so
+
+
+2.2 Adjusting pam configuration
+-------------------------------
+
+
+Adjusting the /etc/pam.d/login file:
+
+-- snip --
+
+session		optional	pam_mail.so dir=/var/mail noenv close empty
+session		optional	pam_motd.so
+session		required	pam_unix.so
+session		required	pam_script.so runas=root
+
+When using other ways for users to login than the standard, like a X-based login as kdm,
+adjust them the same way. On my machine I login frequently in with kdm, and that uses the 
+kde-service, which is a symlink to the login-service:
+
+cd /etc/pam.d
+
+ls -al
+
+drwxr-xr-x   2 root root  392 2005-07-11 13:59 .
+drwxr-xr-x  36 root root 3152 2005-07-19 14:09 ..
+-rw-r--r--   1 root root  253 2004-05-12 16:06 chage
+-rw-r--r--   1 root root   69 2005-01-12 00:20 cups
+-rw-r--r--   1 root root  330 2005-01-19 10:00 fcron
+-rw-r--r--   1 root root  506 2004-12-22 23:04 fcrontab
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
+lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
+-rw-r--r--   1 root root  931 2005-07-19 13:20 login
+-rw-r--r--   1 root root  305 2005-07-16 22:46 other
+-rw-r--r--   1 root root  282 2003-08-13 18:22 passwd
+-rw-r--r--   1 root root  411 2003-08-12 17:53 shadow
+-rw-r--r--   1 root root  448 2005-07-18 10:18 su
+-rw-r--r--   1 root root  666 2005-02-28 12:59 sudo
+-rw-r--r--   1 root root  257 2004-05-12 16:05 useradd
+-rw-r--r--   1 root root  200 2005-04-25 09:05 xscreensaver
+
+
+
+Notes:
+
+- the pam_script.so uses some parameters. All of them are described in the README in the
+source directory. One of them, runas, when used as runas=root did not work for me. It appears
+that it's the login command - part of the shadow package - is causing the problems. 
+Shadow-4.0.11.1 and later work fine.
+
+- when logging out using the normal console, the service is 'login'. Login did not call
+all the modules. I had to add a new parameter to the /etc/login.defs :
+
+CLOSE_SESSIONS        yes
+
+This option is there already in the shadow package since 2002-10-14, according to the ChangeLog,
+but does not appear in the login.defs, but is important for closing a session when the service is 
+login.
+In the newest shadow package (4.0.12) this option is removed completely: the session is always 
+closed.
+
+
+
+2.3 Creating the session scripts
+--------------------------------
+
+
+The pam_script works with two standard scripts, onsessionopen and onsessionclose in the
+/etc/security directory. 
+	
+cat >> /etc/security/onsessionopen << "EOF"
+#!/bin/bash
+
+userid=$1
+service=$2
+userproperties=$(getent passwd | grep -E "^$userid")
+
+if [ -z "$userproperties" ]; then
+
+	#
+	# userproperties not found: something wrong
+	#
+
+	echo "User not found."
+	exit
+
+fi;
+
+nrusers=$(w -h  $userid | wc -l );
+
+if [ $nrusers -eq 0 ]; then
+
+    # There are no other pending sessions for this user
+
+    if [ -d /var/lib/pam/scripts/login ]; then
+
+	for script in /var/lib/pam/scripts/login/*.sh; do
+	    if [ -x $script ] ; then
+		eval $script $userid
+	    fi;
+	done;
+	
+    fi;	
+
+fi;
+
+EOF
+
+
+
+cat >> /etc/security/onsessionclose << "EOF"
+#!/bin/bash
+
+userid=$1
+service=$2
+
+userproperties=$(getent passwd | grep -E "^$userid");
+
+if [ -z "$userproperties" ]; then
+
+	#
+	# userproperties not found: something wrong
+	#
+
+	echo "User not found."
+	exit
+
+fi;
+
+nrusers=$(w -h $userid | wc -l );
+
+syncsettings=0;
+
+case "$service" in
+	login)
+		if [ $nrusers -eq 1 ]; then
+
+			syncsettings=1;
+
+		fi;
+	kde)
+		if [ $nrusers -eq 0 ]; then
+
+			syncsettings=1;
+		fi;
+esac;
+
+
+if [ $syncsettings -eq 1 ]; then
+
+    # This is the last session for this user
+
+    if [ -d /var/lib/pam/scripts/logout ]; then
+
+	for script in /var/lib/pam/scripts/logout/*.sh ; do
+	    if [ -x $script ] ; then
+		eval $script $userid
+	    fi;
+	done;
+	
+    fi;	
+
+fi;
+
+EOF
+
+chown root:root /etc/security/onsession*
+chmod 755 /etc/security/onsession*
+
+Create the following directories:
+
+mkdir -p /var/lib/pam/scripts/login
+mkdir -p /var/lib/pam/scripts/logout
+
+Here is where the scripts will go.
+
+
+Notes:
+
+-  as you can see I use the command "w" to determine the users logged in. 
+Other utilities as who, users and last gave not reliable information. It 
+looks as if the utmp file is not always presenting the right values. 
+Utilities as who,users and last show information from utmp without any check, so 
+they inherit the faults. 'w' does some extra checking, which makes it more 
+usable. 
+Other pammodules, like pam_mount, have other ways to keep track of the amount of logins 
+per user. With pam_mount a seperate file (/var/run/pam_mount/$userid) is created for
+this purpose.
+Anyone knowing a better way to determine how many times a user is logged 
+in, please let me know.
+
+- Some remarks about the behaviour of the command "w"
+The number of sessions is zero when logging in: the user is still not logged in. This 
+happens with all the services I'm using: login and kdm.
+When logging out, something strange happens: it's one when logging out when the service 
+is 'login', zero when service is "kde" (and this user is not logged in on any other way).
+I can't explain this difference. I'm trying to find this out. WORK TO BE DONE.
+
+- I choose to execute the scripts only when it's the first time a user logs in, or the
+last time he logs out. It's also possible to leave that to the scripts (in /var/lib/pam/scripts).
+
+
+
+
+3. Examples
+
+
+3.1 Scripts for storing and retrieving my kde-settings on a central server
+--------------------------------------------------------------------------
+
+
+
+cd /var/lib/pam/scripts/login
+
+cat >> kde.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+
+if [ -d $homedir ]; then
+
+	usershareavailable=$(rsync 192.168.0.3::4users | grep -w $userid );
+
+	retcode=$?
+
+	if [ $retcode -eq 0 ]; then
+
+		#
+		# no error
+		#
+
+		if [ -z "$usershareavailable" ]; then
+
+			#
+			# directory for this user does not exist
+			#
+			# maybe a default?
+			#
+
+			echo "No directory on rsyncserver available for this user."
+
+		else
+
+			thereisarchive=$(rsync 192.168.0.3::4users/$userid/.kde | grep -w ".kde");
+
+			retcode=$?
+
+			if [ $retcode -eq 0 ]; then
+
+				if [ -n "$thereisarchive" ]; then
+
+					#
+					# no error & archive found
+					#
+
+					rsync -rptgozu 192.168.0.3::4users/$userid/.kde/ $homedir/.kde
+
+					chown -R $uidnr:$gidnr $homedir/.kde
+
+				else
+
+					echo "No kde-settings for this user available on rsyncserver."
+				fi;
+
+			fi;
+		fi;
+	fi;
+fi;
+
+if [ $retcode -ne 0 ]; then
+	echo "An error with the rsynccommando for kde ($retcode)."
+fi;
+
+exit $retcode
+
+EOF
+
+And the logout script:
+
+cd ../logout
+
+cat >> kde.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+if [ -d $homedir/.kde ]; then
+	
+	#
+	# there is something to sync
+	#
+
+	usershareavailable=$(rsync 192.168.0.3::4users | grep -w $userid );
+
+	retcode=$?
+
+	if [ $retcode -eq 0 ]; then
+
+		#
+		# no error
+		#
+
+		if [ -z "$usershareavailable" ]; then
+
+			#
+			# directory for this user does not exist yet
+			#
+			# a trick to create a directory on the rsyncserver
+
+			mkdir /tmp/$userid
+
+			rsync -dptgoz /tmp/$userid 192.168.0.3::4users
+
+			rmdir /tmp/$userid
+
+		fi;
+
+		if [ $retcode -eq 0 ]; then
+
+			#
+			# no error found
+			#
+
+			rsync -rptgoz --delete $homedir/.kde 192.168.0.3::4users/$userid
+
+			retcode=$?
+
+		fi;
+	fi;
+fi;
+
+if [ $retcode -ne 0 ]; then
+	echo "An error with the rsynccommando for kde ($retcode)."
+fi
+
+exit $retcode
+
+EOF
+
+Notes:
+
+- see the difference between the rsync commando for login and logout. 
+First the -u flag at login and not logout.
+I don't want newer files get overwritten on login. When due to some reason 
+the settings are not saved properly, the most recent settings are still on the
+workstation and not on the server. You don't want them to be overwritten. That's
+reason for the -u flag at login. Not at logout. Why? Good question. 
+Now the --delete flag at logout.
+Obvious, you don't want that there are still files on the server, which are not 
+there (anymore?) on the workstation.
+
+- Storing settings on a central server can become very complicated when one user is 
+logged on more than one machine at the same time. There is now way to 
+'merge' the settings. The setting saved at the last logout are the ones which 
+will remain on the server. Windows uses the same strategy.
+
+- These scripts are for the settings of kde. But this is just an example.
+You can put any script ( with the .sh extension )
+in this directory. The bookmarks of Firefox for example.
+
+The rsyncserver is hosted at 192.168.0.3, with a share [4users]. This share
+can be accessed without credentials: public access. Making it work with 
+user-based access is not so simple. The rsyncdaemon does not support pam yet. 
+This could work when shell for transport is ssh. Work to be done.
+
+As you can see I use the rsync algoritm, but you can use also a
+ftp server with write-access. The big advantage of rsync however 
+is the efficient way it handles (non)changes.
+
+This way it looks at the way Windows workstations handle settings: 
+when there is a [profiles] share, the server supports "roamingprofiles".
+I think the way the saving en getting the "profile" at these 
+Windows machines looks a lot like rsync for Linux.
+
+
+
+3.2 Browsing the network using FUSE, fusesmb and pam_storepw
+------------------------------------------------------------
+
+Very new is FUSE. 
+
+Get it from the projectsite:
+
+http://fuse.sourceforge.net
+
+Installing FUSE:
+
+cd fuse-2.3.0
+./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-kernel-module --enable-lib --enable-util
+make
+make install
+
+A module is installed, fuse.
+To load it:
+
+modprobe fuse
+
+and add it to /etc/sysconfig/modules.
+
+
+Get fusesmb:
+
+Look for a link at the site of FUSE.
+
+Installing fusesmb:
+
+cd fusesmb-0.8.1
+./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
+make
+make install
+
+It requires samba-3.0.*.
+With samba-3.0.14a it works fine. Not with samba-3.0.20 at this moment. Check the website for more info.
+
+Installing pam_storepw:
+
+cd libpam_storepw-0.1
+
+make
+mv pam_storepw.so /lib/security
+chown root:root /lib/security/pam_storepw.so
+chmod 755 /lib/security/pam_storepw.so
+
+Adjusting the /etc/pam.d/login file:
+
+--snip--
+
+auth		required	pam_shells.so
+auth		required	pam_storepw.so
+auth		sufficient	pam_ldap.so 
+auth		required	pam_unix.so use_first_pass,shadow
+
+Now, whenever somebody logs in, a file with the credentials is created in the 
+/var/run/pw directory. The format is:
+username = whatever
+password = secretofwhatever
+
+Now the actual scripts:
+
+cd /var/lib/pam/login
+
+cat >> fusesmb.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+if [ -d $homedir ]; then
+
+    if [ $(id -u) -eq 0 ]; then
+
+	if [ ! -d $homedir/.smb ]; then
+	
+	    mkdir -p $homedir/.smb
+	    chown $uidnr:$gidnr $homedir/.smb
+	    chmod 755 $homedir/.smb
+
+	fi
+	
+	if [ -f /var/run/pw/$userid ]; then
+	
+	    rm -f $homedir/.smb/fusesmb.conf
+	
+	    touch $homedir/.smb/fusesmb.conf
+	    chown $uidnr:$gidnr $homedir/.smb/fusesmb.conf
+	    chmod 600 $homedir/.smb/fusesmb.conf
+	
+	    echo "[global]" > $homedir/.smb/fusesmb.conf
+	
+	    cat /var/run/pw/$userid >> $homedir/.smb/fusesmb.conf
+
+	fi;
+	
+	
+    fi;
+	
+    if [ ! -d $homedir/network ]; then
+	mkdir -p $homedir/network
+	chown $uidnr:$gidnr $homedir/network
+    fi
+
+
+    if [ $(id -u) -eq 0 ]; then
+ 	su - $userid -c "fusesmb $homedir/network -o fsname=fusesmb" >> /dev/null
+    elif [ $(id -u) -eq $uidnr ]; then 
+    	fusesmb $homedir/network -o fsname=fusesmb
+    fi	
+
+fi;
+
+
+if [ $retcode -ne 0 ]; then
+    echo "An error with fusesmb ($retcode)."
+fi;
+
+exit $retcode
+EOF
+
+And the logout script:
+
+cd ../logout
+
+cat >> fusesmb.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+if [ -d $homedir ]; then
+
+    if [ -n "$(mount | grep $homedir/network)" ]; then
+
+	umount $homedir/network
+
+    fi;
+
+fi;
+
+
+if [ $retcode -ne 0 ]; then
+    echo "An error with fusesmb ($retcode)."
+fi;
+
+exit $retcode
+EOF
+
+
+Notes:
+
+- when logging in the fusesmb.sh script creates a new fusesmb.conf file, overwriting any old one.
+This is good for me, and I'm not planning to do so. If you don't want this, feel free to write this 
+yourself.
+
+- the password is stored in the /var/run/pw/$userid file, with only root access, and later in the 
+$homedir/.smb/fusesmb.conf, with only this user access. Maybe not secure at all. But I do not know any other 
+way to do this.
+
+
+
+3.3 Starting the sessiondaemon of dbus and make the environmentvariables available
+----------------------------------------------------------------------------------
+
+The dbus package is split up in two parts: one systemwide part and one for (each) session/user.
+The systemwide part (a daemon) is started at boottime, with special privileges of a dedicated user.
+The sessionwide part (also a daemon) has to started when a session for a user begins, 
+and stopped when the session ends.
+
+The construction with pam I'm using here is ideal for this. Create a script in the login directory to
+start the sessiondaemon for a user, running with the privileges of that user. In the logout directory an 
+other script has to stop that daemon.
+But is not so simple as that. Some variables (DBUS_SESSION_BUS_ADDRESS and DBUS_SESSION_BUS_PID) have to 
+be available in the environment to every application which works with dbus. 
+IMHO the setting of these variables should go in the bash-startupscripts.
+Then whatever script or application you're running, these variables are set
+to the right value. 
+This information can't go in the /etc/profile.d directory, because it differs for every user. 
+There is no equivalent in de homedirectory in startup of BASH in BLFS at this moment. My idea
+is to create a .profile.d directory in the homedirectory of a user, containing scripts which has
+to be executed when a BASH session is started for that user.
+
+By adding the following code to the $HOME/.bash_profile at the end of it any script with the .sh extension
+will be executed for this user only:
+
+-- snip --
+
+for script in $HOME/.profile.d/*.sh ; do
+        if [ -x $script ]; then
+                . $script
+        fi
+done
+
+-- snip --
+
+Now create as a user in his/her homedirectory:
+
+mkdir $HOME/.profile.d
+
+
+Compiling and installing it is described in the latest versions of BLFS 
+(beginning 200510..). 
+
+I assume that dbus is installed, and that it is started at boottime.
+
+Create a script in the login directory dbus.sh:
+
+cat >> dbus.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+if [ -d $homedir ]; then
+
+    if [ -d $homedir/.profile.d ]; then
+	
+	if [ $(id -u) -eq 0 ]; then
+ 	    su - $userid -c "dbus-launch --auto-syntax > $homedir/.profile.d/dbus.sh 2>&1" >> /dev/null
+	    chown $uidnr:$gidnr $homedir/.profile.d/dbus.sh
+	    chmod u+x $homedir/.profile.d/dbus.sh
+	elif [ $(id -u) -eq $uidnr ]; then 
+    	    dbus-launch --auto-syntax > $homedir/.profile.d/dbus.sh
+	fi
+	retcode=$?
+
+    fi
+
+fi;
+
+
+if [ $retcode -ne 0 ]; then
+    echo "An error with dbus ($retcode)."
+fi;
+
+exit $retcode
+EOF
+
+This script will start the dbus session daemon for this user, and will create a dbus.sh script in the .profile.d
+directory of this user. 
+
+Creating the dbus.sh script in the logout directory:
+
+cat >> dbus.sh << "EOF"
+#!/bin/bash
+
+retcode=0;
+
+userid=$1
+userproperties=$(getent passwd | grep -E "^$userid")
+homedir=$(echo $userproperties | cut -d ":" -f 6);
+gidnr=$(echo $userproperties | cut -d ":" -f 4);
+uidnr=$(echo $userproperties | cut -d ":" -f 3);
+
+if [ -d $homedir ]; then
+
+    if [ -d $homedir/.profile.d ]; then
+	
+	if [ -f $homedir/.profile.d/dbus.sh ]; then
+	    . $homedir/.profile.d/dbus.sh
+	    if [ -n "$DBUS_SESSION_BUS_PID" ]; then
+		su - $userid -c "kill -SIGTERM $DBUS_SESSION_BUS_PID 2>/dev/null" >> /dev/null 2>&1
+		rm $homedir/.profile.d/dbus.sh
+	    fi
+	fi;	
+	retcode=$?
+    fi
+
+fi;
+
+
+if [ $retcode -ne 0 ]; then
+    echo "An error with dbus ($retcode)."
+fi;
+
+exit $retcode
+EOF
+
+Now when bash is started, the dbus.sh script in the $HOME/.profile.d is found and executed
+by $HOME/.bash_profile. 
+
+
+ACKNOWLEDGEMENTS:
+Thanks to the author of pam_script, Izak Burger.
+
+CHANGELOG:
+[2005-07-18]
+  * Initial hint.
+[2005-07-20]
+  * Some text changes: things could be explained better
+  * remove the -f parameter in the 'last' command. It works now with the standard
+    /var/log/wtmp file. The /var/run/utmp file was not so reliable after all.
+  * added the --delete flag to the rsync commando at logout. 
+  * added the -u flag when getting the settings at login. 
+  * added more comment on saving and restoring settings in a mutiuser/multihost (wow!)
+    environment.
+[2005-07-27]
+  * Use the command 'w' to determine how many times a user is logged in on the
+    system in stead of 'last'.
+  * Correction of some phrases: incorrect English. 
+[2005-08-10]
+  * added some comment about the version of shadow to use. Some versions caused
+    problems.
+  * corrected some typos.
+  * added some comment about the option runas=root which can be very insecure     
+[2005-08-23]
+  * moved the scriptdirectory to a central place (/var/lib/sync4settings) in stead of
+    the homedirectory. This was very insecure.
+    The scripts have to handle a general $userid.
+    Created a central map on the resyncserver [4users] where the settings are stored
+    Added a check what the service is at logout: kdm or login. The command 'w' gives 
+    different output. 
+    Added comment about the removal of the option "CLOSE_SESSIONS" in version 4.0.12 
+    of the shadow package.
+[2005-09-27]
+  * moved the scriptdirectory to /var/lib/pam/scripts in stead of
+    /var/lib/sync4settings.
+  * to execute a script use the command "eval".
+  * more comment.
+[2005-09-29]
+  * Changed the name of the hint: Execute scripts at begin and end of a usersession using PAM 
+  * added two examples: fusesmb and dbus.
+
+
+TODO:
+
+  * look for some way to show information about progres and/or errors when executing
+    the scripts when using a graphical login. xconsole?
+
+DONE:
+  * find out why runas=root does not work with pam_script at logout for me:
+    all the credits should go to the maintainer of pam_script.

Deleted: trunk/restoresettingsatlogin.txt
===================================================================
--- trunk/restoresettingsatlogin.txt	2005-10-05 04:47:29 UTC (rev 990)
+++ trunk/restoresettingsatlogin.txt	2005-10-05 04:50:59 UTC (rev 991)
@@ -1,480 +0,0 @@
-AUTHOR: Stef Bon <stef at bononline dot nl>
-
-DATE: 2005-07-18
-
-LICENSE: GNU Free Documentation License Version 1.2
-
-SYNOPSIS: Storing and retrieving settings per user at login and logout using PAM.
-
-DESCRIPTION:
-Somehow I always missed the possibity to store and retrieve my settings on/from a central
-network host for Linux, like 'roamingprofiles' for the Windows 95/98/w2k/xp systems have. 
-Here is described a way to do that. 
-
-This can be considered as an example. Other scripts for other puposes are also possible.
-
-It works via pam. I know this can be done via 
-the scripts in the profile.d directory which are executed when a shell starts, 
-but pam is in my opinion the best place to this. 
-
-ATTACHMENTS:
-
-
-PREREQUISITES:
-This hint requires that you have sufficient knowledge of LINUX in general, and 
-PAM in particular.
-shadow-4.0.3 or shadow-4.0.11.1 or 4.0.12 (at this moment the latest). 
-For the option runas=root to work, you'll need these. 
-Other versions of shadow (4.0.4.1 and 4.0.7) are causing problems. In the 
-code of login of these versions, root privileges are dropped too early 
-(before the pam_close_session call).
-
-
-HINT:
-
-1. Storing and retrieving settings on network
----------------------------------------------
-
-When using a modern Linux system, you can use your account on more 
-systems to login. This is possible when LDAP, nss-ldap and pam-ldap.
-But every machine has it's own settings, so you can't take your settings with 
-you, just like "roamingprofiles".
-
-When looking at PAM for Linux, it has the ability to use a loadable plugin, which will 
-take care for retrieving settings from a central network host when a session opens, 
-and storing the same settings to the same host when a sessions closes.
-
-This is not possible for a standard PAM installation. There is no standard pam modules
-which will execute scripts in general.  But there is a module, developed seperately, 
-pam_script, which will do this.
-
-An example of a script using the rsync program to store settings for kde is here. 
-
-
-2. Installing the software
---------------------------
-
-
-
-2.1 pam_script
---------------
-
-
-Get the module pam_script from http://freshmeat.net/projects/pam_script. 
-I'm using version 0.1.3.
-
-unpack:
-
-tar -xzf pam-script-*.tar.gz
-
-compile and move to the proper place:
-
-cd pam-script-*
-
-make
-mv pam_script.so /lib/security
-chown root:root /lib/security/pam_script.so
-chmod 755 /lib/security/pam_script.so
-
-
-2.2 Adjusting pam configuration
--------------------------------
-
-
-Adjusting the /etc/pam.d/login file:
-
--- snip --
-
-session		optional	pam_mail.so dir=/var/mail noenv close empty
-session		optional	pam_motd.so
-session		required	pam_unix.so
-session		required	pam_script.so runas=root
-
-When using other ways for users to login than the standard, like a X-based login as kdm,
-adjust them the same way. On my machine I login frequently in with kdm, and that uses the 
-kde-service, which is a symlink to the login-service:
-
-cd /etc/pam.d
-
-ls -al
-
-drwxr-xr-x   2 root root  392 2005-07-11 13:59 .
-drwxr-xr-x  36 root root 3152 2005-07-19 14:09 ..
--rw-r--r--   1 root root  253 2004-05-12 16:06 chage
--rw-r--r--   1 root root   69 2005-01-12 00:20 cups
--rw-r--r--   1 root root  330 2005-01-19 10:00 fcron
--rw-r--r--   1 root root  506 2004-12-22 23:04 fcrontab
-lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde -> login
-lrwxrwxrwx   1 root root    5 2005-07-11 13:59 kde-np -> login
--rw-r--r--   1 root root  931 2005-07-19 13:20 login
--rw-r--r--   1 root root  305 2005-07-16 22:46 other
--rw-r--r--   1 root root  282 2003-08-13 18:22 passwd
--rw-r--r--   1 root root  411 2003-08-12 17:53 shadow
--rw-r--r--   1 root root  448 2005-07-18 10:18 su
--rw-r--r--   1 root root  666 2005-02-28 12:59 sudo
--rw-r--r--   1 root root  257 2004-05-12 16:05 useradd
--rw-r--r--   1 root root  200 2005-04-25 09:05 xscreensaver
-
-
-
-Notes:
-
-- the pam_script.so uses some parameters. All of them are described in the README in the
-source directory. One of them, runas, when used as runas=root did not work for me. It appears
-that it's the login command - part of the shadow package - is causing the problems. 
-Shadow-4.0.11.1 and later work fine.
-
-- when logging out using the normal console, the service is 'login'. Login did not call
-all the modules. I had to add a new parameter to the /etc/login.defs :
-
-CLOSE_SESSIONS        yes
-
-This option is there already in the shadow package since 2002-10-14, according to the ChangeLog,
-but does not appear in the login.defs, but is important for closing a session when the service is 
-login.
-In the newest shadow package (4.0.12) this option is removed completely: the session is always 
-closed.
-
-
-
-2.3 Creating the session scripts
---------------------------------
-
-
-The pam_script works with two standard scripts, onsessionopen and onsessionclose in the
-/etc/security directory. 
-	
-cat >> /etc/security/onsessionopen << "EOF"
-#!/bin/bash
-
-userid=$1
-service=$2
-homedir=$(getent passwd | grep -E "^$userid" | cut -d ":" -f 6);
-
-nrusers=$(w -h  $userid | wc -l );
-
-
-if [ $nrusers -eq 0 ]; then
-
-    # There are no other pending sessions for this user
-
-    if [ -d /var/lib/pam/scripts/login ]; then
-
-	for script in /var/lib/pam/scripts/login/*.sh ; do
-	    if [ -x $script ] ; then
-		eval $script $userid
-	    fi;
-	done;
-	
-    fi;	
-
-fi;
-
-EOF
-
-
-
-cat >> /etc/security/onsessionclose << "EOF"
-#!/bin/bash
-
-userid=$1
-service=$2
-homedir=$(getent passwd | grep -E "^$userid" | cut -d ":" -f 6);
-
-nrusers=$(w -h $userid | wc -l );
-
-syncsettings=0;
-
-case "$service" in
-	login)
-		if [ $nrusers -eq 1 ]; then
-
-			syncsettings=1;
-
-		fi;
-	kde)
-		if [ $nrusers -eq 0 ]; then
-
-			syncsettings=1;
-		fi;
-esac;
-
-
-if [ $syncsettings -eq 1 ]; then
-
-    # This is the last session for this user
-
-    if [ -d /var/lib/pam/scripts/logout ]; then
-
-	for script in /var/lib/pam/scripts/logout/*.sh ; do
-	    if [ -x $script ] ; then
-		eval $script $userid
-	    fi;
-	done;
-	
-    fi;	
-
-fi;
-
-EOF
-
-chown root:root /etc/security/onsession*
-chmod 755 /etc/security/onsession*
-
-
-Notes:
-
--  as you can see I use the command "w" to determine the users logged in. 
-Other utilities as who, users and last gave not reliable information. It 
-looks as if the utmp file is not always presenting the right values. 
-Utilities as who,users and last show information from utmp without any check, so 
-they inherit the faults. 'w' does some extra checking, which makes it more 
-usable. 
-Other pammodules, like pam_mount, have other ways to keep track of the amount of logins 
-per user. With pam_mount a seperate file (/var/run/pam_mount/$userid) is created for
-this purpose.
-Anyone knowing a better way to determine how many times a user is logged 
-in, please let me know.
-
-- Some remarks about the behaviour of the command "w"
-The number of sessions is zero when logging in: the user is still not logged in. This 
-happens with all the services I'm using: login and kdm.
-When logging out, something strange happens: it's one when logging out when the service 
-is 'login', zero when service is "kde" (and this user is not logged in on any other way).
-I can't explain this difference. I'm trying to find this out.
-
-
-
-2.4 Creating shellscripts for doing the actual storing and retrieving.
-----------------------------------------------------------------------
-
-
-Create the following directories:
-
-mkdir -p /var/lib/pam/scripts/login
-mkdir -p /var/lib/pam/scripts/logout
-
-cd /var/lib/pam/scripts/login
-
-cat >> kde.sh << "EOF"
-#!/bin/bash
-
-retcode=0;
-
-userid=$1
-userproperties=$(getent passwd | grep -E "^$userid")
-homedir=$(echo $userproperties | cut -d ":" -f 6);
-gidnr=$(echo $userproperties | cut -d ":" -f 4);
-uidnr=$(echo $userproperties | cut -d ":" -f 3);
-
-
-if [ -d $homedir ]; then
-
-	usershareavailable=$(rsync 192.168.0.3::4users | grep -w $userid );
-
-	retcode=$?
-
-	if [ $retcode -eq 0 ]; then
-
-		#
-		# no error
-		#
-
-		if [ -z "$usershareavailable" ]; then
-
-			#
-			# directory for this user does not exist
-			#
-			# maybe a default?
-			#
-
-			echo "No directory on rsyncserver available for this user."
-
-		else
-
-			thereisarchive=$(rsync 192.168.0.3::4users/$userid/.kde | grep -w ".kde");
-
-			retcode=$?
-
-			if [ $retcode -eq 0 ]; then
-
-				if [ -n "$thereisarchive" ]; then
-
-					#
-					# no error & archive found
-					#
-
-					rsync -rptgozu 192.168.0.3::4users/$userid/.kde/ $homedir/.kde
-
-					chown -R $uidnr:$gidnr $homedir/.kde
-
-				else
-
-					echo "No kde-settings for this user available on rsyncserver."
-				fi;
-
-			fi;
-		fi;
-	fi;
-fi;
-
-if [ $retcode -ne 0 ]; then
-	echo "An error with the rsynccommando for kde ($retcode)."
-fi;
-
-exit $retcode
-
-EOF
-
-And the logout script:
-
-cd ../logout
-
-cat >> kde.sh << "EOF"
-#!/bin/bash
-
-retcode=0;
-
-userid=$1
-userproperties=$(getent passwd | grep -E "^$userid")
-homedir=$(echo $userproperties | cut -d ":" -f 6);
-gidnr=$(echo $userproperties | cut -d ":" -f 4);
-uidnr=$(echo $userproperties | cut -d ":" -f 3);
-
-if [ -d $homedir/.kde ]; then
-	
-	#
-	# there is something to sync
-	#
-
-	usershareavailable=$(rsync 192.168.0.3::4users | grep -w $userid );
-
-	retcode=$?
-
-	if [ $retcode -eq 0 ]; then
-
-		#
-		# no error
-		#
-
-		if [ -z "$usershareavailable" ]; then
-
-			#
-			# directory for this user does not exist yet
-			#
-			# a trick to create a directory on the rsyncserver
-
-			mkdir /tmp/$userid
-
-			rsync -dptgoz /tmp/$userid 192.168.0.3::4users
-
-			rmdir /tmp/$userid
-
-		fi;
-
-		if [ $retcode -eq 0 ]; then
-
-			#
-			# no error found
-			#
-
-			rsync -rptgoz --delete $homedir/.kde 192.168.0.3::4users/$userid
-
-			retcode=$?
-
-		fi;
-	fi;
-fi;
-
-if [ $retcode -ne 0 ]; then
-	echo "An error with the rsynccommando for kde ($retcode)."
-fi
-
-exit $retcode
-
-EOF
-
-Note:
-- see the difference between the rsync commando for login and logout. 
-First the -u flag at login and not logout.
-I don't want newer files get overwritten on login. When due to some reason 
-the settings are not saved properly, the most recent settings are still on the
-workstation and not on the server. You don't want them to be overwritten. That's
-reason for the -u flag at login. Not at logout. Why? Good question. 
-Now the --delete flag at logout.
-Obvious, you don't want that there are still files on the server, which are not 
-there (anymore?) on the workstation.
-
-- Storing settings on a central server can become very complicated when one user is 
-logged on more than one machine at the same time. There is now way to 
-'merge' the settings. The setting saved at the last logout are the ones which 
-will remain on the server. Windows uses the same strategy.
-
-- These scripts are for the settings of kde. But this is just an example.
-You can put any scrtipt ( with the .sh extension )
-in this directory. The bookmarks of Firefox for example. Other things like creating 
-files or mounting shares are also possible.
-
-The rsyncserver is hosted at 192.168.0.3, with a share [4users]. This share
-can be accessed without credentials: public access. Making it work with 
-user-based access is not so simple. The rsyncdaemon does not support pam yet. 
-This could work when shell for transport is ssh. Work to be done.
-
-As you can see I use the rsync algoritm, but you can use also a
-ftp server with write-access. The big advantage of rsync however 
-is the efficient way it handles (non)changes.
-
-This way it looks at the way Windows workstations handle settings: 
-when there is a [profiles] share, the server supports "roamingprofiles".
-I think the way the saving en getting the "profile" at these 
-Windows machines looks a lot like rsync for Linux.
-
-
-
-ACKNOWLEDGEMENTS:
-Thanks to the author of pam_script, Izak Burger.
-
-CHANGELOG:
-[2005-07-18]
-  * Initial hint.
-[2005-07-20]
-  * Some text changes: things could be explained better
-  * remove the -f parameter in the 'last' command. It works now with the standard
-    /var/log/wtmp file. The /var/run/utmp file was not so reliable after all.
-  * added the --delete flag to the rsync commando at logout. 
-  * added the -u flag when getting the settings at login. 
-  * added more comment on saving and restoring settings in a mutiuser/multihost (wow!)
-    environment.
-[2005-07-27]
-  * Use the command 'w' to determine how many times a user is logged in on the
-    system in stead of 'last'.
-  * Correction of some phrases: incorrect English. 
-[2005-08-10]
-  * added some comment about the version of shadow to use. Some versions caused
-    problems.
-  * corrected some typos.
-  * added some comment about the option runas=root which can be very insecure     
-[2005-08-23]
-  * moved the scriptdirectory to a central place (/var/lib/sync4settings) in stead of
-    the homedirectory. This was very insecure.
-    The scripts have to handle a general $userid.
-    Created a central map on the resyncserver [4users] where the settings are stored
-    Added a check what the service is at logout: kdm or login. The command 'w' gives 
-    different output. 
-    Added comment about the removal of the option "CLOSE_SESSIONS" in version 4.0.12 
-    of the shadow package.
-[2005-09-27]
-  * moved the scriptdirectory to /var/lib/pam/scripts in staed of
-    /var/lib/sync4settings.
-  * to execute a script use the command "eval".
-  * more comment.    
-
-
-TODO:
-
-  * authentication of users
-  * look for some way to show information about progres and/or errors when executing
-    the scripts when using a graphical login. xconsole?
-
-DONE:
-  * find out why runas=root does not work with pam_script at logout for me




More information about the hints mailing list