Re: Dynamically creating users at login

From: Julian King <jpk28 cus cam ac uk>
To: gdm sunsite dk
Subject: Re: Dynamically creating users at login
Date: Mon, 20 Oct 2003 11:59:54 +0100 (BST)

> > I'm not aware of any PAM module that does this for the local unix pwd
> > database.  But I suppose someone could modify the pam_unix module to
> > just run useradd and try again.
> > 
> Could you tell me where to start on that?
> Like I said, I'm a newbie when it comes to PAM.

We have a config file in /etc/pam.d:

--------------------------------------------------
# Allow either NetWare or Unix authentication.
# Future versions may only allow NetWare.
auth            required        pam_listfile.so item=user sense=deny file=/etc/s
ecurity/fakeusers
auth            required        pam_nologin.so
auth            sufficient      pam_unix.so
auth            requisite       pam_ncp_auth.so
auth            required        pam_cachepw.so

account         required        pam_run.so /usr/sbin/pwfsession

session         required        pam_run.so /usr/sbin/pwfsession
session         required        pam_unix.so
session         optional        pam_console.so
session         optional        pam_lastlog.so
session         optional        pam_motd.so

password        required        pam_ncp_auth.so 

------------------------------------------------

And then we have /usr/sbin/pwfsession (see attatched) which indeed calls
useradd (along with some other magic).  The script itself is tailored to our
specific needs, but should be usable as a template to create your own.

We are aware that it has shortcomings, but it has worked for a while.

Note, that the code is (as far as we are concerned) released under the GPL,
and for the purpose of this email is copyright Ben Harris.

Additionally you'll need pam-run, which is a small pam module which
executes the appropriate code with the appropriate options, that should be
attatched too.

This is also I believe copyright Ben Harris, and made available under the
GPL.

I know that we haven't included copyright headers, I hope that people will
do the correct thing, not least of all because it is mostly, pretty
trivial code.


Note, that whilst what I have included does work you may need to patch
things like gdm in order to use them - I would have to check.  We
submitted and had accepted our patch to xdm however.  Also ssh is a pain
because they don't understand (or agree with our understanding) of PAM.
:-)


> Thanks,
> Harold

I hope that helps,

Julian
--
Julian King
Computer Officer, University of Cambridge, Unix Support

#! /bin/bash
# $Id: pwfsession,v 1.6 2002/06/21 15:02:37 bjh21 Exp $

trap "" 1

export PATH=/usr/sbin:/usr/bin:/sbin:/bin

#exec >/dev/null 2>&1

mkdir -p /var/run/pwfsession
COUNTFILE=/var/run/pwfsession/$2

lockfile () {
    # Not NFS-safe.  Sorry.
    set -C
    while ! true 2>/dev/null >$1; do sleep 1; done
    set +C
}

LOGGER="logger -t pwfsession[$1/$2]"
case $1 in
    acct)
	if id $2 >/dev/null 2>&1; then
	    $LOGGER user $2 already exists here
	else
	    $LOGGER adding user $2...
	    groupadd $2
	    useradd -M -d /dev/null -g $2 $2
	fi
	# Lines below here used to be in the "open" section,
	# but the Red Hat login(8) seems to read the home dir
	# before opening the session.  xdm seems to do it even
	# earlier.
	$LOGGER attaching to PWF...
	lockfile ${COUNTFILE}.lock
	touch ${COUNTFILE}
	count=$(($(cat ${COUNTFILE}) + 1))
	echo $count > ${COUNTFILE}
	if [ ! "$2" = root ]; then
	    pwfmount $2 2>&1 | $LOGGER
	    usermod -d $(pwfhomedir $2) $2
	    rm -f /var/run/nwclient/$2
	fi
	rm -f ${COUNTFILE}.lock
	;;
    close)
	lockfile ${COUNTFILE}.lock
	count=$(($(cat ${COUNTFILE}) - 1))
	echo $count > ${COUNTFILE}
	if [ ! "$2" = root ]; then
	    if [ $count = 0 ]; then
	        $LOGGER "last logout -- detaching from PWF"
	        pwfumount $2 2>&1 | $LOGGER
	    fi
	fi
	rm -f ${COUNTFILE}.lock
	;;
esac

#include <sys/types.h>

#include <sys/wait.h>

#include <stdio.h>
#include <unistd.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION

#include <security/pam_modules.h>

static int
runit(pam_handle_t *pamh, int flags, int argc, char const **argv,
      char const *action, int failure)
{
	pid_t pid;
	int status, ret;
	char const *newargv[4];

	if (argc != 1)
		return failure;
	newargv[0] = argv[0];
	newargv[1] = action;
	pam_get_user(pamh, &newargv[2], NULL);
	newargv[3] = NULL;
	switch(pid = fork()) {
	case -1:
		perror("fork");
		return failure;
	case 0:
		execv(newargv[0], newargv);
		perror("exec");
		return failure;
	default:
		ret = waitpid(pid, &status, 0);
		if (ret < 0) {
			perror("waitpid");
			return failure;
		}
		if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
			return PAM_SUCCESS;
	}
	return failure;
}

PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, char const **argv)
{

	return runit(pamh, flags, argc, argv, "auth", PAM_AUTH_ERR);
}

PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, char const **argv)
{

	return runit(pamh, flags, argc, argv, "setcred", PAM_CRED_ERR);
}

PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, char const **argv)
{

	return runit(pamh, flags, argc, argv, "acct", PAM_AUTH_ERR);
}

PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, char const **argv)
{

	return runit(pamh, flags, argc, argv, "open", PAM_SESSION_ERR);
}

PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
		     char const **argv)
{

	return runit(pamh, flags, argc, argv, "close", PAM_SESSION_ERR);
}

Follow-Ups:
- Re: Dynamically creating users at login
  - From: Harold Martin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]