#8: [PATCH] pam_exec: Support showing stdout via pam_info, and only running for a specified module type
---------------------------+------------------------------
Reporter: joshtriplett | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: | Keywords: patch
Blocked By: | Blocking:
---------------------------+------------------------------

The attached patches implement two new options for the pam_exec module.

Patch 1 adds a "stdout" option, which shows the stdout (and stderr) of
the executed command via pam_info. For instance, adding the following
line to /etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so stdout /usr/bin/seq 5
}}}
will print five lines (numbered 1-5) at the start and end of the
session. In order to implement this option without breaking the
existing support for the expose_authtok option, I had to reorganize the
file descriptor handling to move the loop that closes all unwanted file
descriptors below all the code that sets up stdin/stdout/stderr, and add
some new code before that setup to ensure that none of the pipes ended
up on stdin/stdout/stderr where they might get closed by dup2.

Patch 2 adds a "type" option, which causes pam_exec to only execute the
command when the PAM module type matches the given type. In particular,
this makes it possible to run only at the start or end of a session,
without having to write a separate wrapper script to check the PAM_TYPE
environment variable. For example, adding the following to
/etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so type=open_session /bin/sleep 5
}}}
will sleep for 5 seconds at login time, but not at logout time,
demonstrating that the option works.

Together, these options make it possible to show dynamically generated
output at the start of a PAM session. For example, the following
pam_exec invocation produces the same output as the current dynamically
generated first line of the Debian motd:
{{{
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
}}}

(As an aside, I attempted to submit these patches to
pam-developers(a)lists.fedorahosted.org, but I couldn't seem to subscribe
to that list (no response to my subscription confirmation), and thus my
mail got moderated. Does pam-developers moderate subscriptions?)

--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/8>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
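
Added example (not part of the ticket or the attached patches): a C sketch of the descriptor ordering the description mentions, moving both pipe ends out of the 0-2 range before the dup2 calls and closing leftover descriptors only after stdin/stdout/stderr are set up. The function names, the 4096 close bound and the /bin/sh test command are assumptions made for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative helper (not from pam_exec): descriptor >= 3 for the same file, -1 on failure. */
static int move_above_stdio(int fd)
{
    if (fd > STDERR_FILENO) return fd;
    int moved = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
    close(fd);
    return moved;
}
/* Run argv with stdout+stderr on a pipe; returns bytes stored in buf, -1 on error. */
static ssize_t run_captured(char *const argv[], char *buf, size_t len)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    /* pipe() hands out the lowest free numbers: 0-2 if the caller has no stdio. */
    p[0] = move_above_stdio(p[0]); p[1] = move_above_stdio(p[1]);
    pid_t pid = (p[0] < 0 || p[1] < 0) ? -1 : fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        int nul = open("/dev/null", O_RDONLY);
        if (nul < 0 || dup2(nul, STDIN_FILENO) < 0) _exit(126);
        if (dup2(p[1], STDOUT_FILENO) < 0 || dup2(p[1], STDERR_FILENO) < 0) _exit(126);
        /* Close the rest only after stdio is in place (4096 is a bound assumed here). */
        for (int fd = STDERR_FILENO + 1; fd < 4096; fd++) close(fd);
        execv(argv[0], argv); _exit(127); /* _exit only reached if exec fails */
    }
    close(p[1]);
    size_t used = 0; ssize_t n;
    while (used < len - 1 && (n = read(p[0], buf + used, len - 1 - used)) > 0) used += (size_t)n;
    buf[used] = '\0'; close(p[0]);
    return waitpid(pid, NULL, 0) < 0 ? -1 : (ssize_t)used;
}
/* Constructed check: call run_captured() from a process whose fds 0-2 are closed. */
static int captured_with_stdio_closed(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        char buf[64], *argv[] = { "/bin/sh", "-c", "echo out; echo err >&2", NULL };
        close(0); close(1); close(2);
        _exit(run_captured(argv, buf, sizeof buf) == 8 && !strcmp(buf, "out\nerr\n") ? 0 : 1);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
int main(void) { return captured_with_stdio_closed(); }
```

The closed-stdio case matters because a PAM stack can be invoked by a service that has no open stdin/stdout/stderr, in which case pipe() returns descriptors inside the range the child is about to overwrite.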