We have a setup where students log in (using LDAP auth) to Ubuntu 16.04 machines, where two network cards are installed: one to connect to the LAN and Ethernet, and the second one to expose a connection for user devices (e.g. Raspberry Pi). Currently, the secondary network interface (and the related iptables rules and dnsmasq daemon) is permanently up, but we'd like to have it up only while a user is locally logged in.

As far as I understand, using systemd it should be possible to have a service (which might be a script taking the network interface up or down) run when a user logs in and out. However, we'd need to make sure that only local logins trigger this (i.e., tty1-6 or the GUI login on lightdm), for compliance reasons: we can't leave around "free-to-use" network cables that work without proper user authentication. I can't figure out from the documentation how to do this properly.

For now I tried this unit file:

```ini
[Unit]
Description=LAN sharing for users

[Service]
Type=oneshot
# Keep the unit "active" after ExecStart finishes so that ExecStop runs only
# when the unit is stopped; with RemainAfterExit=false, systemd considers a
# oneshot unit finished right after ExecStart and ifdown would follow ifup.
RemainAfterExit=yes
Restart=no
ExecStart=/sbin/ifup eth1
ExecStop=/sbin/ifdown eth1

[Install]
WantedBy=default.target
```

But I can't manage to have this run as root at user login, nor figure out how to ensure that this is a local login. Is this at all possible with systemd (on Ubuntu 16.04 LTS, i.e. systemd version 229-4), and how would I properly implement it? I would expect this to be trivial (I see it as giving privileges for a peripheral, like a sound card, only to locally logged-in users).

Ale
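One way to implement the "local login only" check at system level, as an added example that is not part of the question: logind attaches local sessions (VT logins and the lightdm display) to a seat such as `seat0`, while SSH sessions have no seat, so a root-owned script can parse `loginctl list-sessions --no-legend` and bring the interface up or down accordingly without giving users any privileges. It assumes the interface name `eth1` from the question and that the script is invoked with `--apply` by a system-level systemd timer or service (both assumptions, not a mechanism the page describes).

```sh
#!/bin/sh
# Added example: keep the user-device interface up only while a local
# (seat-attached) logind session exists. Not code from the question.
# Assumption: IFACE is the second NIC from the question (eth1).
IFACE="${IFACE:-eth1}"

# Count sessions attached to a local seat. Reads the output of
# `loginctl list-sessions --no-legend` on stdin; its columns are
# SESSION UID USER SEAT (newer versions append TTY). For SSH sessions
# the SEAT column is empty, so the 4th field is either missing or a
# pty name such as pts/0, which does not match the seat pattern.
count_local_sessions() {
    awk 'NF >= 4 && $4 ~ /^seat[0-9]+$/ { n++ } END { print n + 0 }'
}

# Desired interface state for the session list on stdin: "up" when at
# least one local session exists, otherwise "down".
desired_state() {
    if [ "$(count_local_sessions)" -gt 0 ]; then
        echo up
    else
        echo down
    fi
}

# Apply the state only when it differs from the current link state, so the
# script is idempotent and can be run repeatedly from a timer.
apply_state() {
    case "$1" in
        up)   ip link show "$IFACE" | grep -q 'state UP' || ifup "$IFACE" ;;
        down) ip link show "$IFACE" | grep -q 'state UP' && ifdown "$IFACE" ;;
    esac
}

# Entry point (root): run as `local-login-net.sh --apply` from the timer.
if [ "$1" = "--apply" ]; then
    state=$(loginctl list-sessions --no-legend | desired_state)
    apply_state "$state"
fi
```

`loginctl show-session <id> -p Remote` can be used to double-check a session, since logind marks SSH sessions as `Remote=yes`.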
  • Do remote users connect via SSH? If so, you could detect remote shells by their parent process (sshd). Perhaps you could have your service monitor for this condition and turn off the 'device' interface when detected? – DarkMatter Dec 12 '18 at 16:29
  • @DarkMatter yes, remote users are via SSH. Looking for sshd seems indeed a good way to do this. So you'd suggest making a script that users can invoke via sudo, and that script checks that the user is local before taking the interface up... and then running that script from a unit file placed in `/etc/systemd/user`? Or is there a way that a system service could be started on user logon (I'd prefer that version)? – Ale Dec 12 '18 at 16:54
  • Scripts in /etc/profile.d/ run on login – DarkMatter Dec 12 '18 at 16:56
  • Do the remote users have sudo privileges? – DarkMatter Dec 12 '18 at 16:56
  • @DarkMatter right about /etc/profile.d/; however, this is run in the context of the user. I was hoping to find a solution that doesn't involve giving privileges to the users and uses existing tools, and `systemd` seemed to be a natural place to look. No, users (both local and remote) do not have sudo privileges. – Ale Dec 12 '18 at 17:01
  • You could use setuid to give permission to your script and allow your users to execute the launch script without giving the users elevated permissions? – DarkMatter Dec 12 '18 at 17:13
  • Yes, I could, but I'd like to avoid it as much as possible; setuid is always tricky to implement safely so people can't do privilege escalation... especially with scripts. – Ale Dec 12 '18 at 17:25
  • You could have your script continuously monitor the ssh logs to determine what state the interface should be in? – DarkMatter Dec 12 '18 at 17:49
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/87037/discussion-between-ale-and-darkmatter). – Ale Dec 13 '18 at 15:42

0 Answers