PAM Permissions Module
At my job, we use PAM to authentication and build home directories based on records in our LDAP directory. For this functionality, we use PADL Software's pam_ldap module, and the pam_mkhomedir module. On 32 of our 35 systems, this setup works without issue. What we're missing on the other three systems in custom group ownership for user home directories.
The other three servers, mentioned above, are our client-side file servers. These machines have special directory permissions for our client accounts, which put group ownership onto a company staff group for rwx permissions. These special permissions are to allow staff members full access to client files (without the need for root), and preventing access from other clients who may break out of the chroot/jail.
- Staff home directories, in /usr/home, should have standard permissions. (rwxr-xr-x, owner user/user-group)
- Client home directories, in /usr/home/users, should have a non-standard permission scheme. (rwxrwx---, owner user/company-staff)
My solution is to utilize the existing PAM stack to perform this function. To accomplish this, we're going to write our own PAM session module to check and update the home directory permissions for users we specify. In our case, we're using the home directory base for comparison. To begin, I followed a three part guide on Linux Dev Center. I've included the links here: