
pam_motd: Support multiple directory paths to motd files, with filename overrides #68

@rfairley

As part of Fedora CoreOS, we would like to show a motd snippet that has been generated at runtime upon SSH login, in order to show updated system information (coreos/fedora-coreos-tracker#36).

This is similar to what the cockpit project currently does by having a systemd service unit generate and drop a file under /run/cockpit/ (#47).

One current way to have PAM show a generated motd snippet is to symlink to the file from the user config directory /etc/motd.d/. Say hello-pkg is a package that, as part of its functionality, displays a generated motd snippet, hello.motd. The symlink may look like this:

/etc/motd.d/hello.motd -> /run/hello-pkg/motd.d/hello.motd

The problem with this approach is that the SELinux policy needs to be updated to allow PAM to read a file living in /run/hello-pkg/. To have the change reflected in Fedora upstream, the selinux-policy package must be updated with this config for every such package.

For most use cases, one should be able to drop or install a generated motd snippet in a general (non-package-specific) directory and have it display, without needing to change the SELinux config. One should also not need to install symlinks or create package-specific directories to house motd snippets associated with the package.

design

A design of the feature we are discussing is:

  • Have pam_motd by default search the following directories, highest priority first:

    /etc/motd.d/
    /run/motd.d/
    /usr/lib/motd.d/

    A default argument looks like motd_dir=/etc/motd.d/:/run/motd.d/:/usr/lib/motd.d/.

    The snippets existing in the above directories are sourced in lexicographic order by filename.

    Files in /etc/motd.d/ override files of the same name in /run/motd.d/ and /usr/lib/motd.d/. Files in /run/motd.d/ override files of the same name in /usr/lib/motd.d/. This is similar to how systemd handles tmpfiles.d https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html.

    Users may also override snippets by creating a symlink to /dev/null in a higher priority directory with the same filename.

  • Passing a motd_dir argument to pam_motd with alternative directories overrides the default behaviour; e.g. session optional pam_motd.so motd_dir=/etc/motd.d/:/var/motd.d/:/usr/lib/motd.d/ would search /etc/motd.d/ first, then /var/motd.d/, then /usr/lib/motd.d/.

  • The same ideas apply for /etc/motd, /run/motd, /usr/lib/motd.
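The directory search and override rules above, as an added Python example that is not from Linux-PAM or the author's Rust prototype; the function names and the temporary three-tier tree are my own. The resolver walks the motd_dir list highest priority first, lets the first directory carrying a filename win, treats a symlink to /dev/null as a mask for that filename, and orders the survivors lexicographically.

```python
import os
import tempfile

DEFAULT_MOTD_DIRS = ["/etc/motd.d/", "/run/motd.d/", "/usr/lib/motd.d/"]
DEVNULL = "/dev/null"

def resolve_motd_files(motd_dirs):
    """Return (filename, path) pairs to display, sorted by filename.

    motd_dirs is ordered highest priority first (motd_dir=A:B:C).
    The first directory that carries a given filename wins; a symlink
    to /dev/null in the winning directory masks the name entirely.
    """
    winners = {}
    for d in motd_dirs:
        try:
            names = os.listdir(d)
        except FileNotFoundError:
            continue          # a missing directory is simply skipped
        for name in names:
            if name in winners:
                continue      # a higher-priority directory already claimed it
            path = os.path.join(d, name)
            if os.path.islink(path) and os.readlink(path) == DEVNULL:
                winners[name] = None    # explicit mask: hide lower-priority copies
            elif os.path.isfile(path):  # follows symlinks; skips dirs and dangling links
                winners[name] = path
    return sorted((n, p) for n, p in winners.items() if p is not None)

def parse_motd_dir_arg(arg):
    """Split a 'motd_dir=A:B:C' module argument into its directory list."""
    return [p for p in arg.split("=", 1)[1].split(":") if p]

def demo():
    """Build a constructed three-tier tree (etc > run > usr-lib) and resolve it."""
    root = tempfile.mkdtemp()
    tiers = [os.path.join(root, t) for t in ("etc", "run", "usr-lib")]
    for t in tiers:
        os.makedirs(t)
    def put(tier, name, body):
        with open(os.path.join(tiers[tier], name), "w") as f:
            f.write(body)
    put(2, "10-vendor", "vendor text\n")        # usr-lib only -> shown
    put(2, "20-hello.motd", "stale\n")          # overridden by the run copy
    put(1, "20-hello.motd", "generated at boot\n")
    put(2, "30-noisy", "unwanted\n")            # masked from etc via /dev/null
    os.symlink(DEVNULL, os.path.join(tiers[0], "30-noisy"))
    put(0, "05-local", "site notice\n")         # etc only -> shown first
    return [(n, open(p).read().strip()) for n, p in resolve_motd_files(tiers)]
```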

Upstream changes involved:

  • Modify the selinux-policy to allow PAM to read motd snippets in the default directories /run/motd.d/ and /usr/lib/motd.d/. Packages can then install static motd-related files to /usr/lib/motd.d/, and drop generated files into /run/motd.d/.

additional information

We currently have a Rust prototype which implements the default behaviour, with a demo.

The change proposed in this issue would modify the pam_motd module of this repository to implement the change upstream.

I can work on this.

How does this sound? Appreciate feedback and suggestions. Thanks!
