Using pam_exec.so to run a script as root when a user logs in (while extracting user information)?
Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
Question
How can I run a script as root when a user logs in with pam_exec.so
(or otherwise)? The script requires information about the user to function.
Problem and Environment
I would like to run a scriptâÂÂ/path/script.sh
âÂÂas root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.
I am currently editing /etc/pam.d/system-auth
and adding the following line:
session optional pam_exec.so /path/script.sh
This works fine when I become the user with sudo su
, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,
$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$
fails while
$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$
works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER
in the second case is the correct username (robot7, not root).
This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc
or others to run it.
If I set the command in /etc/pam.d/system-auth
to run on auth
and not session
(as suggested by similar questions), it never runs.
Edit
Adding seteuid
to the pam_exec.so
command allows the script to run when the user authenticates (su - robot7
), but does not run the script on SSH (which is the primary method with which users log in).
linux shell-script centos authentication pam
add a comment |Â
up vote
1
down vote
favorite
Question
How can I run a script as root when a user logs in with pam_exec.so
(or otherwise)? The script requires information about the user to function.
Problem and Environment
I would like to run a scriptâÂÂ/path/script.sh
âÂÂas root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.
I am currently editing /etc/pam.d/system-auth
and adding the following line:
session optional pam_exec.so /path/script.sh
This works fine when I become the user with sudo su
, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,
$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$
fails while
$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$
works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER
in the second case is the correct username (robot7, not root).
This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc
or others to run it.
If I set the command in /etc/pam.d/system-auth
to run on auth
and not session
(as suggested by similar questions), it never runs.
Edit
Adding seteuid
to the pam_exec.so
command allows the script to run when the user authenticates (su - robot7
), but does not run the script on SSH (which is the primary method with which users log in).
linux shell-script centos authentication pam
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
Question
How can I run a script as root when a user logs in with pam_exec.so
(or otherwise)? The script requires information about the user to function.
Problem and Environment
I would like to run a scriptâÂÂ/path/script.sh
âÂÂas root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.
I am currently editing /etc/pam.d/system-auth
and adding the following line:
session optional pam_exec.so /path/script.sh
This works fine when I become the user with sudo su
, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,
$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$
fails while
$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$
works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER
in the second case is the correct username (robot7, not root).
This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc
or others to run it.
If I set the command in /etc/pam.d/system-auth
to run on auth
and not session
(as suggested by similar questions), it never runs.
Edit
Adding seteuid
to the pam_exec.so
command allows the script to run when the user authenticates (su - robot7
), but does not run the script on SSH (which is the primary method with which users log in).
linux shell-script centos authentication pam
Question
How can I run a script as root when a user logs in with pam_exec.so
(or otherwise)? The script requires information about the user to function.
Problem and Environment
I would like to run a scriptâÂÂ/path/script.sh
âÂÂas root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.
I am currently editing /etc/pam.d/system-auth
and adding the following line:
session optional pam_exec.so /path/script.sh
This works fine when I become the user with sudo su
, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,
$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$
fails while
$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$
works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER
in the second case is the correct username (robot7, not root).
This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc
or others to run it.
If I set the command in /etc/pam.d/system-auth
to run on auth
and not session
(as suggested by similar questions), it never runs.
Edit
Adding seteuid
to the pam_exec.so
command allows the script to run when the user authenticates (su - robot7
), but does not run the script on SSH (which is the primary method with which users log in).
linux shell-script centos authentication pam
edited Jun 14 at 16:05
asked Jun 14 at 15:47
skyrocket
65
65
add a comment |Â
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
The security context prevented the script from running. The systemd
logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.
I moved the script to /bin
and the errors immediately resolved themselves.
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
The security context prevented the script from running. The systemd
logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.
I moved the script to /bin
and the errors immediately resolved themselves.
add a comment |Â
up vote
0
down vote
accepted
The security context prevented the script from running. The systemd
logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.
I moved the script to /bin
and the errors immediately resolved themselves.
add a comment |Â
up vote
0
down vote
accepted
up vote
0
down vote
accepted
The security context prevented the script from running. The systemd
logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.
I moved the script to /bin
and the errors immediately resolved themselves.
The security context prevented the script from running. The systemd
logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.
I moved the script to /bin
and the errors immediately resolved themselves.
answered Jun 14 at 16:53
skyrocket
65
65
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f449845%2fusing-pam-exec-so-to-run-a-script-as-root-when-a-user-logs-in-while-extracting%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password