Using pam_exec.so to run a script as root when a user logs in (while extracting user information)?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Question



How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.



Problem and Environment



I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.



I am currently editing /etc/pam.d/system-auth and adding the following line:



session optional pam_exec.so /path/script.sh


This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,



$ su - robot7
Password:
/path/script.sh failed: exit code 1
-bash-4.2$


fails while



$ sudo su - robot7
Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
-bash-4.2$


works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).



This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.




If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.



Edit



Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).







share|improve this question

























    up vote
    1
    down vote

    favorite












    Question



    How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.



    Problem and Environment



    I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.



    I am currently editing /etc/pam.d/system-auth and adding the following line:



    session optional pam_exec.so /path/script.sh


    This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,



    $ su - robot7
    Password:
    /path/script.sh failed: exit code 1
    -bash-4.2$


    fails while



    $ sudo su - robot7
    Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
    -bash-4.2$


    works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).



    This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.




    If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.



    Edit



    Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).







    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Question



      How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.



      Problem and Environment



      I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.



      I am currently editing /etc/pam.d/system-auth and adding the following line:



      session optional pam_exec.so /path/script.sh


      This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,



      $ su - robot7
      Password:
      /path/script.sh failed: exit code 1
      -bash-4.2$


      fails while



      $ sudo su - robot7
      Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
      -bash-4.2$


      works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).



      This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.




      If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.



      Edit



      Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).







      share|improve this question













      Question



      How can I run a script as root when a user logs in with pam_exec.so (or otherwise)? The script requires information about the user to function.



      Problem and Environment



      I would like to run a script—/path/script.sh—as root each time a user logs in. I also need to know the user who logged in (as an environment variable or argument to the script, for example). I am on a recent version of CentOS 7.



      I am currently editing /etc/pam.d/system-auth and adding the following line:



      session optional pam_exec.so /path/script.sh


      This works fine when I become the user with sudo su, but does not work if I authenticate to the user otherwise (the script must run as root). In other words,



      $ su - robot7
      Password:
      /path/script.sh failed: exit code 1
      -bash-4.2$


      fails while



      $ sudo su - robot7
      Last login: Thu Jun 14 09:33:56 MDT 2018 on pts/5
      -bash-4.2$


      works and runs the script as expected with one caveat: the script also runs when users disconnect. The variable $PAM_USER in the second case is the correct username (robot7, not root).



      This script will be used in a production environment where users must not be able to disable it and may have different shells; I cannot use scripts like .bashrc or others to run it.




      If I set the command in /etc/pam.d/system-auth to run on auth and not session (as suggested by similar questions), it never runs.



      Edit



      Adding seteuid to the pam_exec.so command allows the script to run when the user authenticates (su - robot7), but does not run the script on SSH (which is the primary method with which users log in).









      share|improve this question












      share|improve this question




      share|improve this question








      edited Jun 14 at 16:05
























      asked Jun 14 at 15:47









      skyrocket

      65




      65




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



          I moved the script to /bin and the errors immediately resolved themselves.






          share|improve this answer





















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f449845%2fusing-pam-exec-so-to-run-a-script-as-root-when-a-user-logs-in-while-extracting%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote



            accepted










            The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



            I moved the script to /bin and the errors immediately resolved themselves.






            share|improve this answer

























              up vote
              0
              down vote



              accepted










              The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



              I moved the script to /bin and the errors immediately resolved themselves.






              share|improve this answer























                up vote
                0
                down vote



                accepted







                up vote
                0
                down vote



                accepted






                The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



                I moved the script to /bin and the errors immediately resolved themselves.






                share|improve this answer













                The security context prevented the script from running. The systemd logs suggested the script was failing to run even though all users were permitted to execute it; some security policy didn't like the script's path.



                I moved the script to /bin and the errors immediately resolved themselves.







                share|improve this answer













                share|improve this answer



                share|improve this answer











                answered Jun 14 at 16:53









                skyrocket

                65




                65






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f449845%2fusing-pam-exec-so-to-run-a-script-as-root-when-a-user-logs-in-while-extracting%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?