Package: libpam-mklocaluser
Version: 0.17
Severity: important

The libpam-mklocaluser package is a core component of Debian Edu roaming workstations. It creates a local POSIX user account for users that exist e.g. in an LDAP database. The libpam-mklocaluser makes it possible to prep a machine for a user in a way that makes it possible to take the machine off-site.
The libpam-mklocaluser package especially modifies the user's home directory when creating this local POSIX user account. Whatever HOME path people have in LDAP, on the roaming workstation, all users are shoved into /home/<user>.
Over the years, however, there has been a design flaw in the tool which I could solve last night by reading the pam_python.so code.
The design flaw has been: The current version of libpam-mklocaluser enforces a session logout when users do their initial login into a machine. Thus, in classroom situations, all students have to log in twice into a notebook/tablet before they can actually use their computers. This takes away 5 minutes of the class's lesson and could be avoided.
Attached is a patch that drops the enforcement of the re-login and manipulates the HOME env var after the local POSIX user account has been fully prepared by libpam-mklocaluser.
I'd love to see this issue solved in Debian buster, too. This implicitly fixes Debian bug #760496.

Greets,
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff --git a/debian/pam-python.py b/debian/pam-python.py index fad6362..4780de1 100755 --- a/debian/pam-python.py +++ b/debian/pam-python.py @@ -147,14 +147,8 @@ def check_and_create_localuser(pamh, user): # FIXME Should be rewritten in python, I guess runcmd(pamh, "if [ -d /etc/mklocaluser.d ]; then ORIGHOMEDIR='%s' USER='%s' /bin/run-parts /etc/mklocaluser.d ; fi" % (homedir, user)) - # Let the user know what is going on - msg = pamh.Message(pamh.PAM_TEXT_INFO, - "Local user created in /home/, please log in again to start using it.") - pamh.conversation(msg) - - # Throw out user, as the log process cached the home directory - # and need to be restarted. - return pamh.PAM_TRY_AGAIN + pamh.env['HOME'] = "/home/%s" % user + except Exception as e: syslog.syslog("Failure while creating local user: %s " % (e)) pass
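
Review bot: The added line `pamh.env['HOME'] = "/home/%s" % user` replaces a `return pamh.PAM_TRY_AGAIN` whose removed comment said the login process had cached the home directory and needed a restart, but nothing in the hunk records why overriding HOME in the PAM environment is enough for a caller that already holds the old passwd entry. Please add a comment above the assignment explaining that, and note which login paths were tested, since a login program that uses its cached home directory instead of the PAM environment would start the session in the LDAP path rather than /home/<user>. The assignment also sits inside the `try` whose `except Exception` only writes to syslog and then passes, so a failure at this point lets the login continue with a stale HOME; consider returning an error from the handler instead. The literal "/home/%s" is hard-coded here as well, so if the function already holds the new home directory in a variable, reuse it rather than rebuilding the path.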