pam_shrundir: new port: manage lifetime of XDG_RUNTIME_DIR

2021-01-27 00:26:27 +01:00 · 2021-01-27 00:26:27 +01:00 · b5c2737bc7
commit b5c2737bc7
parent fc22292084
6 changed files with 179 additions and 0 deletions
--- a/pam_shrundir/.footprint
+++ b/pam_shrundir/.footprint
@ -0,0 +1,7 @@
+drwxr-xr-x	root/root	sbin/
+-rwxr-xr-x	root/root	sbin/pam_shrundir
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/share/
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/pam_shrundir.8.gz
--- a/pam_shrundir/.signature
+++ b/pam_shrundir/.signature
@ -0,0 +1,6 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF38kSJKzvrIA0Wc7tUQXmMhDLsrXKOEN/GkroPLzha+HmocIsc9pefNs2crmgT5dx2T18OfbnfDxoN1F+NmmM4g4=
+SHA256 (Pkgfile) = 0c7700d5a03721c3679d46beb13ebdb4c3101f8be9666d55f5c48f9e51ce636f
+SHA256 (.footprint) = 477b045ddf332d5c081e4dfc5104f8c829e0c28058855b72b5832489b1406645
+SHA256 (pam_shrundir) = 0c544a9352bd68a6a743363caa8b44a8fe5d03f4b98fc3bcab859e11b2b9350e
+SHA256 (pam_shrundir.8) = 3c757d3dd6d4573c8ee3dbddc7754a28cab2f423dc5fbcf3b682e3e46e78c9cb
--- a/pam_shrundir/Pkgfile
+++ b/pam_shrundir/Pkgfile
@ -0,0 +1,16 @@
+# Description: PAM shell script to manage XDG_RUNTIME_DIR creation
+# URL:         https://www.sdaoden.eu/code.html#s-toolbox
+# Maintainer:  Steffen Nurpmeso, steffen at sdaoden dot eu
+
+name=pam_shrundir
+version=20210126
+release=1
+source=($name $name.8)
+
+build () {
+   install -d $PKG/sbin $PKG/usr/share/man/man8
+   install -m 755 $name $PKG/sbin
+   install -m 644 $name.8 $PKG/usr/share/man/man8/
+}
+
+# s-sh-mode
--- a/pam_shrundir/README
+++ b/pam_shrundir/README
@ -0,0 +1,17 @@
+README for pam_shrundir
+
+This is a "module" for PAM which manages creation of XDG_RUNTIME_DIR
+as defined in the XDG Base Directory Specification [1].
+The directory will be created once a user logs in the first time,
+and it will be removed once she logs out last.
+
+For it to work it must be included in /etc/pam.d -- to make it a
+vivid part of session handling the file /etc/pam.d/common-session
+seems best.  Include the following early:
+
+	session optional pam_exec.so quiet /sbin/pam_shrundir
+
+Note this PAM module does not address setting of the $XDG_RUNTIME_DIR
+environment variable.  Errors will be logged via syslog.
+
+  [1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
--- a/pam_shrundir/pam_shrundir
+++ b/pam_shrundir/pam_shrundir
@ -0,0 +1,72 @@
+#!/bin/sh -
+#@ Create /run/user/`id -u` when the first session is opened, and remove it
+#@ again once the last is closed.
+#@ Place this 0755 in /sbin/pam_shrundir (or wherever you want), then put
+#@ 	session required pam_exec.so quiet /sbin/pam_shrundir
+#@ (or "optional" not "required") in /etc/pam.d/common-session, or wherever.
+
+lckfile=.pam_shrundir.lck
+datfile=.pam_shrundir.dat
+
+cd /run || {
+	logger -t pam_rundir 'ERROR: /run must exist'
+	exit 1
+}
+
+command -v flock >/dev/null 2>&1 || {
+	logger -t pam_rundir 'ERROR: i need flock(1) from util-linux'
+	exit 2
+}
+
+[ -d user ] || mkdir -m 0755 user || [ -d user ] || {
+	logger -t pam_rundir 'ERROR: cannot create /run/user'
+	exit 3
+}
+
+cd user || {
+	logger -t pam_rundir 'ERROR: cannot cd to /run/user'
+	exit 4
+
+}
+
+user=`id -u ${PAM_USER}`
+group=`id -g ${PAM_USER}`
+umask 0077
+
+touch "${lckfile}"
+flock "${lckfile}" -c '
+	ex=0
+	if [ "'"${PAM_TYPE}"'" = open_session ]; then
+		if [ -d '"${user}"' ]; then :; else
+			mkdir -m 0700 '"${user}"' || exit 5
+			chown '"${user}"':'"${group}"' '"${user}"' || exit 6
+			echo 0 > '"${user}"'/'"${datfile}"'
+			chmod 0600 '"${user}"'/'"${datfile}"'
+		fi
+		op=+
+	else
+		op=-
+	fi
+
+	read cnt < '"${user}"'/'"${datfile}"'
+	[ -z "${cnt}" ] && cnt=0
+	cnt=`expr ${cnt} ${op} 1`
+	if [ ${cnt} -le 0 ]; then
+		rm -rf '"${user}"' || ex=7
+	else
+		echo ${cnt} > '"${user}"'/'"${datfile}"'
+	fi
+
+	exit ${ex}
+'
+e=${?}
+rm -f "${lckfile}"
+
+case ${e} in
+*) ;;
+5) logger -t pam_rundir 'ERROR: cannot create /run/user/'${user};;
+6) logger -t pam_rundir 'ERROR: cannot impersonate /run/user/'${user};;
+7) logger -t pam_rundir 'ERROR: cannot remove /run/user/'${user};;
+esac
+
+exit ${e}
--- a/pam_shrundir/pam_shrundir.8
+++ b/pam_shrundir/pam_shrundir.8
@ -0,0 +1,61 @@
+.\"@ pam_shrundir - PAM module (script) to manage XDG_RUNTIME_DIR.
+.\"
+.\" Public Domain
+.
+.Dd January 27, 2021
+.Dt PAM_SHRUNDIR 8
+.Os
+.
+.
+.Sh NAME
+.Nm pam_shrundir
+.Nd PAM Manage XDG_RUNTIME_DIR existance
+.
+.
+.Sh SYNOPSIS
+.Nm
+.
+.
+.Sh DESCRIPTION
+.
+.Nm
+is a PAM module (script) that manages creation and deletion of the
+.Ev XDG_RUNTIME_DIR
+directory as specified by the 
+.Lk https://specifications.\:freedesktop.\:org/basedir-\:\
+spec/\:basedir-\:spec-\:latest.html "XDG Base Directory Specification" .
+.
+.Pp
+When linked into the PAM system, the directory will be created as
+.Ql /run/user/`id -u`
+once a user creates his or her first login session, and it will be
+removed recursively once the last such session ends.
+This script does not handle creation of the user environment variable
+.Ev XDG_RUNTIME_DIR ,
+it only manages the lifetime of the according directory.
+.
+.Pp
+In order to make use of this script, place the following in the control
+file of desire under
+.Pa /etc/pam.d ,
+best maybe
+.Pa /etc/pam.d/common-session
+if that exists (possibly adjusting paths):
+.
+.Bd -literal -offset indent
+session optional pam_exec.so quiet /sbin/pam_shrundir
+.Ed
+.
+.
+.Sh "SEE ALSO"
+.
+.Xr pam.conf 5 ,
+.Xr pam.d 8 ,
+.Xr pam 8
+.
+.
+.Sh AUTHORS
+.
+.An "Steffen Nurpmeso" Aq steffen@sdaoden.eu .
+.
+.\" s-ts-mode