I want to implement conditions for PAM_TYPE open_session and close_session. With this I can trigger different actions at different times for login and logout.
I have a script which tests the variable PAM_TYPE and gives appropriate exit codes: exit 0 for success and exit 1 otherwise.
But I get weird problems with the assembly; pam_exec doesn't get the right exit codes from the script.
Here is my implementation for testing:
In /etc/pam.d/common-session I have added:
session [success=ignore default=1] pam_exec.so debug seteuid /usr/sbin/test.sh logout
session optional pam_exec.so debug log=/tmp/test_pam.txt /bin/echo "logout reached"
session [success=1 default=ignore] pam_exec.so debug seteuid /usr/sbin/test.sh logout
session optional pam_exec.so debug log=/tmp/test_pam.txt /bin/echo "login reached"
The script /usr/sbin/test.sh is:
#!/bin/bash
# some actions
# invoked by pam_exec.so
echo "$PAM_TYPE"
case "$1" in
    logout)
        # exit 0 only when PAM is closing the session
        if [ "$PAM_TYPE" = "close_session" ]; then echo "$PAM_TYPE"; exit 0; else exit 1; fi
        ;;
esac
When I su to a user and immediately log out, I get the following in the log file:
$ cat /tmp/test_pam.txt
*** Mon Jun 3 12:14:07 2019
"login reached"
*** Mon Jun 3 12:15:00 2019
"login reached"
This behavior is weird. The last line must be logout reached.
So PAM treats the condition as false every time. But for testing I have placed echo $PAM_TYPE; in the true branch, and this echo is displayed in the terminal on logout. So the if statement evaluates to true with exit 0, but pam_exec takes it as false.
Does anyone have an idea what is going wrong?
Thanks in advance,
Helge
I have this answer from another site:
You cannot depend on jumps in PAM stack in the close_session calls. The pam module stack is "frozen" in the open_session and identical modules in the same order are invoked in the close_session call.
The behavior of my scripts is now clear: My approach is not possible!
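Because the jump controls cannot be relied on at close_session, the login/logout branching can live inside the script itself, keyed on the PAM_TYPE variable that pam_exec exports. The following is an added example, not part of the original post; the script path, log path and function names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical path /usr/sbin/session-hook.sh), not the poster's script.
# Referenced from /etc/pam.d/common-session by ONE line with no jump controls:
#   session optional pam_exec.so seteuid /usr/sbin/session-hook.sh
# pam_exec runs it on both open_session and close_session and exports
# PAM_TYPE, PAM_USER and PAM_SERVICE. With seteuid the script runs with
# root privileges, so every PAM_* value is quoted and never evaluated.

# Log location is an assumption; set HOOK_LOG to override it.
HOOK_LOG="${HOOK_LOG:-/var/log/session-hook.log}"

log_event() {
    # $1 = event name, $2 = user, $3 = PAM service
    printf '%s %s %s via %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" "$2" "$3" >> "$HOOK_LOG"
}

on_login()  { log_event login  "$1" "$2"; }   # put login actions here
on_logout() { log_event logout "$1" "$2"; }   # put logout actions here

session_hook() {
    user="${PAM_USER:-unknown}"
    service="${PAM_SERVICE:-unknown}"
    case "${PAM_TYPE:-}" in
        open_session)  on_login  "$user" "$service" ;;
        close_session) on_logout "$user" "$service" ;;
        *)             return 0 ;;   # other module types or unset: nothing to do
    esac
}

# Dispatch only when pam_exec has set PAM_TYPE.
if [ -n "${PAM_TYPE:-}" ]; then
    session_hook
    exit $?
fi
```

With the control set to optional, a failing hook does not block the login or logout.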