Using pam_exec.so to run a script as root when a user logs in (while extracting user information)?

Question



How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.



Problem and Environment



I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.



I am currently editing /etc/pam.d/system-auth and adding the following line:



session optional pam_exec.so /path/script.sh


This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,



$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$


fails while



$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$


works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).



This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.




If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.



Edit



Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).







edited Jun 14 at 16:05

asked Jun 14 at 15:47
      skyrocket
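A session script shaped for the setup in the question, added here as an example and not the asker's /path/script.sh. pam_exec.so exports PAM_USER, PAM_TYPE, PAM_SERVICE and PAM_RHOST into the script's environment, so the script can skip the close_session call (the "also runs when users disconnect" caveat) and validate the username before using it; it is written to be called from a line like `session optional pam_exec.so seteuid /bin/on-login.sh` (the /bin placement follows the accepted answer; the script name and log path are placeholders).

```shell
#!/bin/sh
# on-login.sh (placeholder name): run by pam_exec.so from a "session" line, so
# PAM calls it twice per login: PAM_TYPE=open_session and PAM_TYPE=close_session.
# Every path exits 0: the line is "optional", but a non-zero status still
# prints "/path/script.sh failed: exit code N" on the user's terminal.

LOG="${ON_LOGIN_LOG:-/var/log/on-login.log}"   # placeholder log path

# Decide whether this invocation should do any work: prints "run" or "skip".
should_run() {
    type="$1"; user="$2"
    # Only act when the session opens, not when the user disconnects.
    [ "$type" = "open_session" ] || { echo skip; return 0; }
    # PAM_USER is set by the PAM stack, not typed by the user, but the
    # script runs as root, so accept only a plain POSIX username anyway.
    case "$user" in
        ""|*[!a-z0-9._-]*|-*) echo skip; return 0 ;;
    esac
    echo run
}

# The root-privileged action itself; here it appends one audit line.
on_login() {
    user="$1"; service="$2"; rhost="$3"
    printf '%s login user=%s service=%s rhost=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$service" "${rhost:-local}" \
        >> "$LOG"
}

# Top level: only does anything when PAM actually invoked the script.
if [ -n "${PAM_TYPE:-}" ] && [ "$(should_run "$PAM_TYPE" "${PAM_USER:-}")" = run ]; then
    on_login "$PAM_USER" "${PAM_SERVICE:-unknown}" "${PAM_RHOST:-}" || :
fi
```

Because the script exits 0 in every case, a write failure shows up only in the log, not as a "failed: exit code" message at login.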

1 Answer

accepted
          The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



          I moved the script to /bin and the errors immediately resolved themselves.






answered Jun 14 at 16:53

skyrocket