==> libpam-mklocaluser/debian/README <==
libpam-mklocaluser
==================

PAM configuration for users who are able to log in, presumably using
some network directory information like NIS or LDAP. When they log in,
a local user with the uid and gid information from the networked
directory is created, and their password is cached on the local disk to
allow them to log in also when disconnected from the net.

For sites using a path to home directories of the form
/site/hostname/partition/username/, it would be confusing if a local
home directory with that path showed up on the local machine and not on
the expected server. To avoid this problem, the local user is created
with /home/username/ as the home directory, allowing the remote file
system to be automounted on /site/hostname/partition/.

This package depends on pam_python from
http://www.stuart.id.au/russell/files/pam_python

Submit patches to debian-edu@lists.debian.org.

==> libpam-mklocaluser/debian/changelog <==
libpam-mklocaluser (0.17) unstable; urgency=medium

  * Team upload.

  [ Wolfgang Schweer ]
  * debian/pam-python.py: Use octal prefix for dirmode value, thanks piuparts.

 -- Holger Levsen Thu, 19 Dec 2019 11:51:10 +0100

libpam-mklocaluser (0.16) unstable; urgency=medium

  * Team upload.

  [ Wolfgang Schweer ]
  * debian/pam-python.py: Converted using 2to3 and manual edit afterwards
    (dirmode). Closes: #936899
  * debian/{control,rules}: Adjusted to match python3.

  [ Holger Levsen ]
  * Bump Standards-Version to 4.4.1, no changes needed.

 -- Holger Levsen Thu, 12 Dec 2019 12:30:55 +0100

libpam-mklocaluser (0.15) unstable; urgency=medium

  * Team upload.
  * d/control:
    - bump Standards-Version to 4.4.0, no changes needed.
    - bump debhelper-compat to 12.

 -- Holger Levsen Wed, 14 Aug 2019 12:56:35 +0200

libpam-mklocaluser (0.14) unstable; urgency=medium

  * Team upload.
  * d/control:
    - bump Standards-Version to 4.3.0, no changes needed.
    - use canonical URL for Vcs-Git, thanks lintian.

 -- Holger Levsen Wed, 16 Jan 2019 14:59:54 +0100

libpam-mklocaluser (0.13) unstable; urgency=medium

  * Team upload.

  [ Holger Levsen ]
  * d/control:
    - Bump debian/compat from 9 to 11.
    - Use the new debhelper-compat(=11) notation and drop d/compat.
    - Add "Rules-Requires-Root: no" to support building as non-root.
  * Bump Standards-Version to 4.2.1, no changes needed.
  * Add d/source/format documenting the use of source format 1.0.
  * d/postinst and prerm: use 'set -e' in the script body, thanks lintian.
  * d/copyright: Use https for copyright format URI.

 -- Holger Levsen Mon, 15 Oct 2018 20:31:01 +0200

libpam-mklocaluser (0.12) unstable; urgency=medium

  * Team upload.

  [ Holger Levsen ]
  * d/control:
    - switch packaging to salsa.debian.org. Thanks to the alioth admins for
      providing such a nice service so long!
    - bump Standards-Version to 4.1.4, no changes needed.

 -- Holger Levsen Thu, 31 May 2018 10:57:44 +0000

libpam-mklocaluser (0.11) unstable; urgency=low

  * Corrected dh invocation in d/rules.
  * Moved from debhelper 7 to 9.
  * Changed Standards-Version from 3.9.5 to 3.9.8.
  * Removed Morten Werner Forsbring as uploader. Thank you for all
    your good work.
  * Added copyright info to python code.
  * Converted d/copyright to machine readable format.
  * Document git tag format in d/gpb.conf.

 -- Petter Reinholdtsen Thu, 22 Dec 2016 09:25:33 +0000

libpam-mklocaluser (0.10) unstable; urgency=high

  * Using urgency high to fix RC bug quickly.
  * Make sure to add trailing newline when updating /etc/passwd and
    /etc/shadow. This is an RC bug blocking the package from working.
  * Change priority from extra to optional to match the archive
    override file.
  * Switch from python-support to dh-python.

 -- Petter Reinholdtsen Thu, 14 Aug 2014 14:40:23 +0200

libpam-mklocaluser (0.9) unstable; urgency=low

  * Update standard-version from 3.9.2 to 3.9.5. No changes needed.
  * Make PAM module more robust:
    * Add to /etc/passwd and /etc/shadow using python code instead of
      calling "echo 'something' >> /etc/file" in a subshell.
    * Do not try to syslog an exception, as a string is needed in
      newer python versions.
    * Do not call chown -R, implement it in python instead.
    * Correct test pam_handler function arguments and make it output
      more info during testing.
    * Make sure syslog message make it clear that both passwd and
      shadow is updated by the module.
  * Change priority from optional to extra, as it depend on
    libpam-python which is priority extra, to avoid priority inversion.
  * Source is moved to git. Update Vcs-* control file fields.

 -- Petter Reinholdtsen Mon, 09 Jun 2014 20:49:55 +0200

libpam-mklocaluser (0.8) unstable; urgency=low

  * Rewrite runcmd() to work with Python on Wheezy (Closes: #706753).

 -- Petter Reinholdtsen Sat, 04 May 2013 08:25:53 +0200

libpam-mklocaluser (0.8~deb7u1) wheezy; urgency=low

  * Rewrite runcmd() to work with Python on Wheezy (Closes: #706753).

 -- Petter Reinholdtsen Sat, 04 May 2013 08:25:53 +0200

libpam-mklocaluser (0.7) unstable; urgency=low

  * Rewrite how Popen() is used to ensure the script wait for the
    subprocesses to start before looking for their status (Closes:
    #634829). Patch from Wolfgang Schulze-Zachau.
  * Update standards-version from 3.9.1 to 3.9.2. No changes needed.

 -- Petter Reinholdtsen Thu, 28 Jul 2011 19:20:32 +0200

libpam-mklocaluser (0.6) unstable; urgency=low

  * Make module more robust. Move group lookup into the code path
    where it is used, to avoid failing if the group is missing when
    the user is already available locally (Closes: #597174).
  * Add code to handle missing primary group information when creating
    the local user.
  * Change module to only run /usr/sbin/nscd if it exist (Closes: #597241).
  * Update standards-version from 3.8.4 to 3.9.1. No changes needed.

 -- Petter Reinholdtsen Sat, 18 Sep 2010 16:55:27 +0200

libpam-mklocaluser (0.5) unstable; urgency=low

  * Do not create local home directory if the directory mentioned in
    passwd already exist.

 -- Petter Reinholdtsen Fri, 23 Jul 2010 18:27:14 +0200

libpam-mklocaluser (0.4) unstable; urgency=low

  [ Morten Werner Forsbring ]
  * Do not add localuser if it already exist in /etc/passwd.
  * Add build-dependency on python-support.
  * Make sure that dh_pysupport is run during build.
  * Added myself as uploader.

 -- Petter Reinholdtsen Tue, 01 Jun 2010 21:01:16 +0200

libpam-mklocaluser (0.3) unstable; urgency=low

  * Make sure the path to the original home directory and the user
    name of the user logging in is passed on to the hook scripts.

 -- Petter Reinholdtsen Wed, 19 May 2010 14:38:03 +0200

libpam-mklocaluser (0.2) unstable; urgency=low

  * Correct typo in pam-configs entry causing the PAM module to fail.

 -- Petter Reinholdtsen Wed, 19 May 2010 11:08:19 +0200

libpam-mklocaluser (0.1) unstable; urgency=low

  * Initial release.

 -- Petter Reinholdtsen Mon, 17 May 2010 19:54:09 +0200

==> libpam-mklocaluser/debian/control <==
Source: libpam-mklocaluser
Section: misc
Priority: optional
Maintainer: Debian Edu Developers
Uploaders: Petter Reinholdtsen
Build-Depends: debhelper-compat (= 12), python3, dh-python
Standards-Version: 4.4.1
Rules-Requires-Root: no
Homepage: http://www.skolelinux.org/
Vcs-Browser: https://salsa.debian.org/debian-edu/upstream/libpam-mklocaluser
Vcs-Git: https://salsa.debian.org/debian-edu/upstream/libpam-mklocaluser.git

Package: libpam-mklocaluser
Architecture: all
Depends: ${misc:Depends}, ${python3:Depends}, libpam-python
Suggests: libpam-ccreds (>= 10-4) | libpam-sss
Description: Configure PAM to create a local user if it do not exist already
 When the user log in for the first time, a local user is created in
 /etc/passwd and primary group created in /etc/group, and a local
 home directory is created in /home. This is useful on roaming
 computers when the password is set up to be cached by for example
 libpam-ccreds or sssd to allow login without network connectivity
 using the password provided by a network authentication service like
 Kerberos or LDAP.

==> libpam-mklocaluser/debian/copyright <==
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: libpam-mklocaluser
Source: http://svn.debian.org/wsvn/debian-edu/trunk/src/libpam-mklocaluser/

Files: *
Copyright: 2010-2016 Petter Reinholdtsen
           2010 Morten Werner Forsbring
License: GPL-2+
 Licensed under the GNU General Public License Version 2
 .
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 02110-1301, USA.
 .
 The FSF address in the above text is the old one.
 .
 On Debian systems, the complete text of the GNU General Public
 License Version 2 can be found in `/usr/share/common-licenses/GPL-2'.

==> libpam-mklocaluser/debian/gbp.conf <==
[DEFAULT]
debian-tag=%(version)s

==> libpam-mklocaluser/debian/libpam-mklocaluser.install <==
debian/pam-auth-update/mklocaluser usr/share/pam-configs
debian/pam-python.py usr/lib/libpam-mklocaluser

==> libpam-mklocaluser/debian/libpam-mklocaluser.postinst <==
#! /bin/sh
set -e

pam-auth-update --package

#DEBHELPER#

==> libpam-mklocaluser/debian/libpam-mklocaluser.prerm <==
#! /bin/sh
set -e

pam-auth-update --package --remove mklocaluser

#DEBHELPER#

==> libpam-mklocaluser/debian/pam-auth-update/mklocaluser <==
Name: Create local accounts and home directory on first time login
Default: yes
Priority: 0
Session-Interactive-Only: yes
Session-Type: Additional
Session-Final:
	required	pam_python.so /usr/lib/libpam-mklocaluser/pam-python.py

==> libpam-mklocaluser/debian/pam-python.py <==
#!/usr/bin/env python3
# Copyright (C) 2010-2016 Petter Reinholdtsen
#               2010 Morten Werner Forsbring
#
# Licensed under the GNU General Public License Version 2
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
# 02110-1301, USA.

__author__ = "Petter Reinholdtsen "

#
# Create local user and redirected home directory.
# If the local user logging in have uid >= 1000, create primary group
# and user in /etc/passwd and /etc/group, and create a home directory
# under /home/ if none exist already.

import os
import sys
import pwd
import grp
import subprocess
import shutil
import math
import time
import syslog

def append_line(filename, line):
    f = open(filename, 'a')
    f.write(line)
    f.close()

def chown_recursive(path, uid, gid):
    os.chown(path, uid, gid)
    for root, dirs, files in os.walk(path):
        for dirname in dirs:
            os.chown(os.path.join(root, dirname), uid, gid)
        for filename in files:
            os.chown(os.path.join(root, filename), uid, gid)

def runcmd(pamh, cmd):
    proc = subprocess.Popen(cmd, shell=True, \
                            stdout=subprocess.PIPE, \
                            stderr=subprocess.PIPE,)
    while proc.poll() == None:
        pass
    (resultstdout, resultstderr) = proc.communicate(input=None)
    if proc.returncode != 0:
        msg = "Command '%s' failed with %s" % ( cmd, resultstderr.strip())
        syslog.syslog(msg)
        # print "output: %s" % msg

def check_and_create_localuser(pamh, user):
    # Location of local users
    topdir = "/home"

    # Ignore users with uid below this one
    minimum_uid = 1000

    # Create user entries with this shell
    shell = '/bin/bash'

    # File mode of new home directory
    dirmode = 0o700

    # Last password change, use today
    pwlastchange = math.floor(time.time() / (60 * 60 * 24 ))
    pwminage = 0
    pwmaxage = 99999
    pwwarn = 7

    # Fetch current user and group info, possibly from LDAP or NIS.
    userinfo = pwd.getpwnam(user)
    uid = userinfo[2]
    gid = userinfo[3]
    gecos = userinfo[4]
    homedir = userinfo[5]

    # Ignore users with uid < 1000
    if userinfo[2] < minimum_uid:
        return pamh.PAM_SUCCESS

    # Ignore users with existing entry in /etc/passwd
    cmd = "/bin/grep \"^%s:\" /etc/passwd >/dev/null" % user
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, )
    while proc.poll() == None:
        pass
    result = proc.communicate(input=None)[0]
    if proc.returncode == 0:
        return pamh.PAM_SUCCESS

    if None == homedir:
        syslog.syslog("Home directory is not set for user %s" % user)
        return pamh.PAM_USER_UNKNOWN

    newhomedir = os.path.join(topdir, user)
    if not os.path.isdir(homedir) and not os.path.isdir(newhomedir):
        try:
            groupinfo = grp.getgrgid(gid)
            groupname = groupinfo[0]
        except KeyError as e:
            syslog.syslog("Unknown primary group with gid %d" % gid)
            groupname = "[unknown]"

        syslog.syslog("Creating local passwd/shadow entry uid=%d(%s) gid=%d(%s) gecos='%s' home=%s" % (uid, user, gid, groupname, gecos, newhomedir))
        try:
            # Add user entry with overridden home directory in /etc/passwd.

            # Can not use adduser, as it refuses to add a user if it already
            # is visible via NSS.
            append_line('/etc/passwd', \
                        "%s:x:%d:%d:%s:%s:%s\n" % \
                        (user, uid, gid, gecos, newhomedir, shell))

            # Add shadow entry too.
            # FIXME Should only add it if it is missing.
            append_line('/etc/shadow', \
                        "%s:x:%d:%d:%d:%d:::\n" \
                        % (user, pwlastchange, pwminage, pwmaxage, pwwarn))

            syslog.syslog("Creating local home directory for user '%s'" % user)
            # Copy content of /etc/skel
            shutil.copytree("/etc/skel/.", newhomedir, True)

            # Change perm of new home dir
            os.chmod(newhomedir, dirmode)
            chown_recursive(newhomedir, uid, gid)

            # Flush nscd cache to get rid of original user entry
            if os.access("/usr/sbin/nscd", os.X_OK):
                runcmd(pamh, "/usr/sbin/nscd -i passwd")

            # Hook for adjusting the freshly created home directory
            # FIXME Should be rewritten in python, I guess
            runcmd(pamh, "if [ -d /etc/mklocaluser.d ]; then ORIGHOMEDIR='%s' USER='%s' /bin/run-parts /etc/mklocaluser.d ; fi" % (homedir, user))

            # Let the user know what is going on
            msg = pamh.Message(pamh.PAM_TEXT_INFO,
                               "Local user created in /home/, please log in again to start using it.")
            pamh.conversation(msg)

            # Throw out user, as the log process cached the home directory
            # and need to be restarted.
            return pamh.PAM_TRY_AGAIN
        except Exception as e:
            syslog.syslog("Failure while creating local user: %s " % (e))
            pass

    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_authenticate(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
    syslog.openlog("pam_mklocaluser", syslog.LOG_PID, syslog.LOG_AUTH)
    try:
        user = pamh.get_user(None)
    except pamh.exception as e:
        return e.pam_result
    if user == None:
        syslog.syslog("No user, ignoring pam-python for mklocaluser")
        return pamh.PAM_USER_UNKNOWN

    # Only create local users for console logins
    try:
        if pamh.rhost != None and 0 != len(pamh.rhost):
            syslog.syslog("Remote login, ignoring pam-python for mklocaluser")
            return pamh.PAM_SUCCESS
    except pamh.exception as e:
        return e.pam_result

    try:
        return check_and_create_localuser(pamh, user)
    except KeyError as e:
        syslog.syslog("Unknown username, should never happen: %s" % e)
        return pamh.PAM_USER_UNKNOWN
    except Exception as e:
        syslog.syslog("Unexpected exception, should never happen: %s" % e)
        return pamh.PAM_SYSTEM_ERR

def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
    return pamh.PAM_SUCCESS

# Test if the code work. Argument is username to simulate login for.
if __name__ == '__main__':
    syslog.openlog("pam_mklocaluser", syslog.LOG_PID, syslog.LOG_AUTH)
    class pam_handler:
        PAM_SUCCESS = 1
        PAM_USER_UNKNOWN = 2
        PAM_SYSTEM_ERR = 3
        PAM_TRY_AGAIN = 4
        PAM_TEXT_INFO = 5
        def Message(self, tag, str):
            return str
        def conversation(self, msg):
            print("PAM conversation: " + msg)
            return
    pamh = pam_handler()
    user = sys.argv[1]
    check_and_create_localuser(pamh, user)

==> libpam-mklocaluser/debian/rules <==
#!/usr/bin/make -f
%:
	dh "$@" --with python3

==> libpam-mklocaluser/debian/source/format <==
1.0
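
The passwd and shadow records that pam-python.py builds by hand, as an added example that is not part of the package: it rejects directory-supplied fields that would break the colon-separated record format, and it replaces the `grep "^user:"` subshell with an exact first-field match applied to both files, which also covers the shadow FIXME. The function names, the file-path parameters and the sample records are assumptions made here so the code runs against temporary files.

```python
import os
import tempfile

# passwd(5) and shadow(5) are colon-separated, one record per line, so these
# characters must never be copied in from a network directory field.
FORBIDDEN = (":", "\n", "\r", "\0")

def has_entry(filename, user):
    """True if filename already holds a record whose first field is user."""
    with open(filename) as f:
        return any(line.split(":", 1)[0] == user for line in f)

def add_local_user(passwd, shadow, user, uid, gid, gecos, home,
                   shell="/bin/bash", pwlastchange=0):
    """Append the records pam-python.py writes; return the files changed."""
    for name, value in (("user", user), ("gecos", gecos),
                        ("home", home), ("shell", shell)):
        if any(ch in value for ch in FORBIDDEN):
            raise ValueError("unsafe character in %s field" % name)
    records = (
        (passwd, "%s:x:%d:%d:%s:%s:%s\n" % (user, uid, gid, gecos, home, shell)),
        (shadow, "%s:x:%d:%d:%d:%d:::\n" % (user, pwlastchange, 0, 99999, 7)),
    )
    changed = []
    for filename, record in records:
        if not has_entry(filename, user):   # append only where it is missing
            with open(filename, "a") as f:
                f.write(record)
            changed.append(os.path.basename(filename))
    return changed

def demo():
    """Exercise the helper on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        passwd, shadow = os.path.join(d, "passwd"), os.path.join(d, "shadow")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:   # constructed: alice left over in shadow
            f.write("root:*:18000:0:99999:7:::\nalice:x:18000:0:99999:7:::\n")
        args = (passwd, shadow, "alice", 1001, 1001)
        first = add_local_user(*args, "Alice Example", "/home/alice")
        second = add_local_user(*args, "Alice Example", "/home/alice")
        try:   # constructed gecos value containing a line break
            add_local_user(passwd, shadow, "bob", 1002, 1002,
                           "Bob\nExample", "/home/bob")
            rejected = False
        except ValueError:
            rejected = True
        with open(passwd) as f:
            return first, second, rejected, f.read().splitlines()

if __name__ == "__main__":
    print(demo())
```
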