Pam_preprofile 1.1, a Swiss Army knife for PAM

Pam_preprofile is a PAM module that ensures that some program or script is run each time a user logs into the computer. It’s suited to network administrators who can’t rely on a particular shell to execute the user’s .profile, .bash_profile, .bashrc or similar, because sometimes the user’s home directory doesn’t even exist yet.

There are already many PAM modules out there, each one suited to a particular need (mounting shares, creating tmp dirs, etc.), but the real advantage of pam_preprofile is its versatility. Pam_preprofile can be used to satisfy any need that no existing PAM module implements at this time but that the system admin can write as a script.

The configuration is simple. Just install the module in /lib/security/ and add this line at the end of /etc/pam.d/common-session:

session required pam_preprofile.so /tmp/myprogram.sh /usr/doc

That will call /tmp/myprogram.sh every time the user starts a session (logs into the desktop), passing it a “/usr/doc” parameter, plus an extra parameter with the username being authenticated.

In the previous version of the module, the script was always executed at the session stage. That was very helpful for creating the user account. But some weeks ago, a network administrator presented me with a scenario where he needed to execute the script each time the system asked the user for a password (that is, at the “auth” stage), because the user info could have been updated in the meantime and some local configuration should be updated based on that.

I then improved the module and the new 1.1 version is out. It allows scripts to be executed at the PAM stage you want (account, auth, password and session), not only at the “session” stage allowed by the previous version.
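An added example, not part of pam_preprofile or of the original post: a hook script for a configuration line like the one above that creates a per-user directory. It assumes the username arrives as the second argument, after the configured one, and that the script is installed root-owned outside world-writable directories such as /tmp; the path /usr/local/sbin/prepare-home.sh and the base directory /srv/home are hypothetical. At the auth stage the username is whatever was typed at the prompt, so the script validates it before using it in a path.

```shell
#!/bin/sh
# Hypothetical hook for pam_preprofile, e.g. installed root-owned as
# /usr/local/sbin/prepare-home.sh and configured with:
#   session required pam_preprofile.so /usr/local/sbin/prepare-home.sh /srv/home
# Assumption: $1 is the configured argument, $2 the username added by the module.

# Accept only conservative account names: no '/', no leading '.' or '-',
# so the name cannot escape the base directory or be read as an option.
valid_username() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Create base/user with mode 0700. Return codes:
# 0 ok, 2 bad name, 3 symlink in the way, 4 mkdir failed, 5 chown failed.
prepare_user_dir() {
    base=$1
    user=$2
    valid_username "$user" || return 2
    target=$base/$user
    # A pre-planted symlink would redirect later writes elsewhere.
    if [ -L "$target" ]; then return 3; fi
    if [ -d "$target" ]; then return 0; fi
    mkdir -m 0700 -- "$target" || return 4
    # Hand the directory over only when running as root and the account resolves.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -- "$user" "$target" || return 5
    fi
    return 0
}

# Run only when called the way the module is assumed to call it (two arguments).
if [ "$#" -eq 2 ]; then
    prepare_user_dir "$1" "$2"
    exit $?
fi
```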

Are you a network administrator? You can download it from:

http://community.igalia.com/twiki/bin/view/Corunix/ProjectDownloadStable