pam_envfeed 0.4 review

License: GPL (GNU General Public License)
File size: 17K
Developer: Egmont Koblinger

pam_envfeed is a PAM module that runs an external program, grabs its output, and then defines the environment variables this program has emitted.

pam_envfeed is especially useful for dynamically setting up a PATH that depends on many circumstances (such as whether the user is root, or whether a directory exists or not).

The module can be used as an 'auth', 'account' or 'session' module. I guess 'session' is the best place to set environment variables, but YMMV. To do so, put a line like this into /etc/pam.d/system-auth or whatever files are relevant:

session required /lib/security/pam_envfeed.so

When the pam_envfeed module is invoked to set the credentials, do the account management or open the session, it launches the external program /sbin/pam_envfeed by default. A different program can be chosen with an argument to the module.

The program can be a binary as well as a script. Don't forget the execute perms, and the #! line if it's a script.

The program has its standard input and standard error connected to /dev/null, the standard output is a pipe connected to the parent process, and no other file descriptors are open.

The program receives four kinds of environment variables:

PAM_*
PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY and PAM_USER are defined
to their equivalent in the PAM system. Only those for which
pam_get_item() successfully returned a non-NULL value are actually
set, so some of these might be unset.

USERINFO_*
Since I found it quite difficult to get the home directory of the
user whose name is contained in a shell variable in bash, I added
password entry lookup into pam_envfeed. If getpwnam() is successful
then data provided by this call is put into USERINFO_UID,
USERINFO_GID, USERINFO_GECOS, USERINFO_HOME and USERINFO_SHELL.
Furthermore the group id is also looked up and the group name is
stored in USERINFO_GROUP if getgrgid() is successful. The user's
login name is not duplicated in these variables; use PAM_USER
instead. This whole userinfo lookup can be disabled with the
nouserinfo option, just in case you have trouble with getent/nss
stuff or just don't want pam to use them here.

ENV_*
For all the real environment variables that the pamming process has,
a counterpart with an ENV_ prefix is defined. E.g. if your
authenticating application has LC_ALL=hu_HU then you'll have
ENV_LC_ALL=hu_HU defined.

PAMENV_*
For all the pam environment variables that the pamming process has,
a counterpart with a PAMENV_ prefix is defined. E.g. if pam_env.so
has previously set DISPLAY=kenny:0.0 then you'll have
PAMENV_DISPLAY=kenny:0.0 defined.

Example:

This is a very simple example script. It only sets PATH and MAIL, to what are probably their most standard values on Linux systems.

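#!/bin/bash

# Start with the user's own bin directory.
p="$USERINFO_HOME/bin"
# root also gets the system administration directories.
if [ "$USERINFO_UID" = "0" ]; then
    p="$p:/usr/local/sbin:/sbin:/usr/sbin"
fi
p="$p:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin"
echo -n PATH="$p"
# A NUL byte separates the two assignments.
echo -ne '\000'
echo -n MAIL="/var/mail/$PAM_USER"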

See the example subdirectory for a more complex example.
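
A more defensive variant of the script above, as an added example that is not part of the original page or of the pam_envfeed distribution: it validates USERINFO_UID, USERINFO_HOME and PAM_USER before using them, and ignores the ENV_* and PAMENV_* variables because they mirror the calling process's environment. The function names safe_user_bin and build_path are hypothetical, and the NUL byte between records is an assumption.

```bash
#!/bin/bash
# Added example: defensive feed script for pam_envfeed (not the project's code).
# Assumption: records are NAME=value, separated by a NUL byte.
# ENV_* and PAMENV_* mirror the caller's environment, so they are never used here.

# Print "$1/bin" and return 0 only if it is safe to put on PATH for uid $2.
safe_user_bin() {
    local home="$1" uid="$2" dir
    case $uid in ''|*[!0-9]*) return 1 ;; esac             # numeric uid only
    case $home in /*) ;; *) return 1 ;; esac               # absolute path only
    case $home in *[!A-Za-z0-9/._-]*) return 1 ;; esac     # rejects ':', spaces, newlines
    dir=$home/bin
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1           # real directory, not a symlink
    # Must be owned by the user and not group- or world-writable.
    [ -n "$(find "$dir" -prune -user "$uid" ! -perm -020 ! -perm -002 -print)" ] || return 1
    printf '%s\n' "$dir"
}

# Build PATH in the same order as the page's script.
build_path() {
    local p="" bin
    if bin=$(safe_user_bin "${USERINFO_HOME:-}" "${USERINFO_UID:-}"); then
        p="$bin:"
    fi
    if [ "${USERINFO_UID:-}" = "0" ]; then
        p="${p}/usr/local/sbin:/sbin:/usr/sbin:"
    fi
    printf '%s\n' "${p}/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin"
}

printf 'PATH=%s' "$(build_path)"
case ${PAM_USER:-} in
    ''|*[!A-Za-z0-9._-]*) ;;                               # missing or odd name: no MAIL
    *) printf '\0MAIL=%s' "/var/mail/$PAM_USER" ;;
esac
```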