
Bug#961254: libpam-mklocaluser: stop enforcing logout on initial login



Package: libpam-mklocaluser
Version: 0.17
Severity: important

The libpam-mklocaluser package is a core component of Debian Edu roaming workstations. It creates a local POSIX user account for users that exist e.g. in an LDAP database. The libpam-mklocaluser makes it possible to prep a machine for a user in a way that makes it possible to take the machine off-site.

The libpam-mklocaluser package especially modifies the user's home directory when creating this local POSIX user account. Whatever HOME path people have in LDAP, on the roaming workstation, all users are shoved into /home/<user>.

Over the years, however, there has been a design flaw in the tool which I could solve last night by reading the pam_python.so code.

The design flaw has been: The current version of libpam-mklocaluser enforces a session logout when users do their initial login into a machine. Thus, in classroom situations, all students have to log in twice to a notebook/tablet before they can actually use their computers. This takes away 5 minutes of the class's lesson and could be avoided.

Attached is a patch that drops the enforcement of the re-login and manipulates the HOME env var after the local POSIX user account has been fully prepared by libpam-mklocaluser.

I'd love to see this issue solved in Debian buster, too.

This implicitly fixes Debian bug #760496.

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

diff --git a/debian/pam-python.py b/debian/pam-python.py
index fad6362..4780de1 100755
--- a/debian/pam-python.py
+++ b/debian/pam-python.py
@@ -147,14 +147,8 @@ def check_and_create_localuser(pamh, user):
       # FIXME Should be rewritten in python, I guess
       runcmd(pamh, "if [ -d /etc/mklocaluser.d ]; then ORIGHOMEDIR='%s' USER='%s' /bin/run-parts /etc/mklocaluser.d ; fi" % (homedir, user))
 
-      # Let the user know what is going on
-      msg = pamh.Message(pamh.PAM_TEXT_INFO,
-                         "Local user created in /home/, please log in again to start using it.")
-      pamh.conversation(msg)
-
-      # Throw out user, as the log process cached the home directory
-      # and need to be restarted.
-      return pamh.PAM_TRY_AGAIN
+      pamh.env['HOME'] = "/home/%s" % user
+
     except Exception as e:
       syslog.syslog("Failure while creating local user: %s " % (e))
       pass
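
Review bot: The new `pamh.env['HOME'] = "/home/%s" % user` line replaces the `return pamh.PAM_TRY_AGAIN` path without a comment explaining why it is sufficient. The removed comment gave the reason for the forced re-login: the login process had cached the home directory. Setting HOME in the PAM environment only covers consumers that take HOME from there, and it is not visible in this hunk whether any login service keeps using the directory it read earlier. Please add a comment above the assignment naming the cases this was tested with. Two further points in the same hunk: the assignment sits inside the `try:`, so if an earlier step raises, the `except` branch only logs and runs `pass`, and with the early return gone the session now continues with HOME unchanged; it is worth deciding whether that case should return an error instead. And `user` goes unvalidated into both the new path and the `runcmd` shell string in the context line above, where the `'%s'` quoting breaks on a name containing a single quote; checking the name against the allowed account-name characters before either use would close that.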
