8

When a user logs into a system and there is no home directory, we would like to create the user's home directory using pam_mkhomedir. This is a common practice. Here's a quick description of pam_mkhomedir:

The pam_mkhomedir PAM module will create a user's home directory if it does not exist when the session begins. This allows users to be present in a central database (such as NIS, Kerberos or LDAP) without using a distributed file system or pre-creating a large number of directories. The skeleton directory (usually /etc/skel/) is used to copy default files and also sets a umask for the creation.

However, this is a FreeBSD 8.2 system running ZFS. We need to execute a ZFS command first, because we want one ZFS file system per user. pam_mkhomedir can do a mkdir, but we need to do something like zfs create /zpool/home/$USER.

Does anyone know if it is possible to use PAM to execute commands during a user's first login session?

Stefan Lasiewski
  • I replaced the solarisinternals.com link with an archived version from archive.org, because the former is occupied by a domain squatter. Thanks to @Norman Gray for pointing it out. – Stefan Lasiewski Aug 11 '18 at 20:46

3 Answers

9

There is a PAM module called pam_exec - if you write a script which checks for and/or creates the ZFS volume, you can chain this into your existing PAM rules and keep things nice without assuming interactive login, default shells & skeleton directories, etc. For example, you could have

session required pam_unix.so
session required pam_exec.so check_zfs.sh $PAM_USER

or whatever suits your specific setup.

(As Tom Shaw pointed out in the comments, having session required pam_mkhomedir.so would be redundant.)

EEAA
Andrew
  • Good except you have a typo in the pam_mkhomedir.so line - typos in pam.conf are not good! - and I don't think that line is needed anyway if the check_zfs.sh script does all the dirty work. – Tom Shaw May 25 '11 at 07:27
  • @Tom Why re-invent the wheel when the PAM module does it for you? – Andrew May 27 '11 at 00:28
  • The point of the question is he wants the home directory to be created with "zfs create" rather than "mkdir". This is accomplished by using pam_exec. The directory exists at this point so the subsequent pam_mkhomedir will do nothing! – Tom Shaw May 27 '11 at 00:55
  • @TomShaw indeed. – Andrew May 31 '13 at 03:57
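A hypothetical check_zfs.sh for the pam_exec line in this answer (added example, not code from the answer or from FreeBSD): it validates the login name, creates zpool/home/<user> only when that dataset is missing, and locks down the mountpoint before the login shell sees it. It assumes the zfs binary is in PATH, the dataset layout zpool/home (both overridable), and that FreeBSD's pam_exec exports the PAM_USER item into the child's environment.

```shell
#!/bin/sh
# check_zfs.sh -- hypothetical helper for
#   session required pam_exec.so /usr/local/sbin/check_zfs.sh
# Added example, not part of the original answer. Assumes home datasets
# live under zpool/home (override with HOME_POOL) and zfs is in PATH (ZFS).
ZFS=${ZFS:-zfs}
HOME_POOL=${HOME_POOL:-zpool/home}

# pam_exec runs this as root: accept only plain login names, never anything
# that could walk out of $HOME_POOL ("../x") or look like a zfs option ("-r").
valid_user() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

dataset_exists() {
    "$ZFS" list -H -o name "$1" >/dev/null 2>&1
}

# Create HOME_POOL/<user> if it is missing and hand the mountpoint to the
# user. Returns 0 on success or when the dataset was already there, so it is
# safe to run on every session open (and on session close, which pam_exec
# also triggers).
ensure_home_dataset() {
    user=$1
    valid_user "$user" || { echo "check_zfs: refusing user '$user'" >&2; return 1; }
    ds="$HOME_POOL/$user"
    dataset_exists "$ds" && return 0
    "$ZFS" create "$ds" || return 1
    mnt=$("$ZFS" get -H -o value mountpoint "$ds") || return 1
    # Restrict the new home before pam_mkhomedir or the shell touch it.
    chmod 0700 "$mnt" && chown "$user" "$mnt"
}

# pam_exec exports PAM_USER; argv[1] is only a fallback for manual testing.
user=${PAM_USER:-${1:-}}
[ -n "$user" ] && { ensure_home_dataset "$user" || exit 1; }
```

Run it by hand as root with a test account before wiring it into pam.conf, since a non-zero exit from a "required" session module denies the login.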
3

It's worth pointing out, as asked, your question contains an invalid assumption: even PAM has no idea if it's the user's first login; it only knows whether the user has a home directory or not.

So, with that caveat in mind, it's not PAM doing it, but you could easily run something out of /etc/bashrc, with the command preceded by a check for, and followed by drop of, a dotfile in the user's home directory. Need root privs? Either an appropriately-locked-down sudo, or a setuid binary, will likely work best for you. Both options also give you the option of putting the dotfile somewhere where the user can't modify or delete it (if you care about that sort of thing).

BMDan
  • I'm confused. Isn't pam_mkhomedir creating these home directories, copying the contents of /etc/skel, etc? I glanced at the C code (on FreeBSD), and I thought I could see where it copies the skeleton files to the newly created homedir. – Stefan Lasiewski May 24 '11 at 03:30
  • Just because a user does not have a home directory does not mean they have not logged into that system before. The home directory could have been deleted for instance. However this is mostly semantic and splitting hairs. – Red Tux May 24 '11 at 04:10
  • @red : Understood. I updated my question. – Stefan Lasiewski May 24 '11 at 20:39
1

So you have two choices here:

1) modify the source for pam_mkhomedir to create the zfs file system first before making the directory.

2) let pam_mkhomedir run as it normally would, then add a script to check and see when there are folders not on their own zfs file system where the user has logged out. When you catch those cases, move the /home directory, make the file system, then move the files back into the directory.

I suspect leaving a user on the main /home for an initial day is not going to cause too many issues, so I would go for the latter option; it's simpler.

n8whnp