shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-03-12 08:58:20 +03:00
Code
systemd-stable/src/login/pam_systemd.c

689 lines
25 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
util: move logind_running() to login-util.[ch]
2015-10-24 23:30:40 +02:00
#include <endian.h>
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <security/_pam_macros.h>
#include <security/pam_ext.h>
#include <security/pam_misc.h>
util: move logind_running() to login-util.[ch]
2015-10-24 23:30:40 +02:00
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
#include <sys/file.h>
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.
2015-10-26 23:32:16 +01:00
#include "audit-util.h"
util: move logind_running() to login-util.[ch]
2015-10-24 23:30:40 +02:00
#include "bus-common-errors.h"
#include "bus-error.h"
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
#include "bus-util.h"
pam_systemd: sort includes properly
2018-07-20 11:35:57 +02:00
#include "cgroup-util.h"
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
#include "def.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "fd-util.h"
honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2013-02-14 12:26:13 +01:00
#include "fileio.h"
Rename formats-util.h to format-util.h We don't have plural in the name of any other -util files and this inconsistency trips me up every time I try to type this file name from memory. "formats-util" is even hard to pronounce.
2016-11-07 10:14:59 -05:00
#include "format-util.h"
util: split all hostname related calls into hostname-util.c
2015-05-18 17:10:07 +02:00
#include "hostname-util.h"
util: move logind_running() to login-util.[ch]
2015-10-24 23:30:40 +02:00
#include "login-util.h"
#include "macro.h"
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]
2015-10-26 16:18:16 +01:00
#include "parse-util.h"
pam_systemd: sort includes properly
2018-07-20 11:35:57 +02:00
#include "path-util.h"
tree-wide: make use of getpid_cached() wherever we can This moves pretty much all uses of getpid() over to getpid_raw(). I didn't specifically check whether the optimization is worth it for each replacement, but in order to keep things simple and systematic I switched over everything at once.
2017-07-20 16:19:18 +02:00
#include "process-util.h"
util: move logind_running() to login-util.[ch]
2015-10-24 23:30:40 +02:00
#include "socket-util.h"
#include "strv.h"
#include "terminal-util.h"
#include "util.h"
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
static int parse_argv(
pam_handle_t *handle,
int argc, const char **argv,
const char **class,
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
const char **type,
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE, so that PAM stacks can configure this easily without involving env vars, in case there are PAM session managers which only support a single desktop anyway.
2018-07-20 11:01:18 +02:00
const char **desktop,
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
bool *debug) {
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
unsigned i;
assert(argc >= 0);
assert(argc == 0 || argv);
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
for (i = 0; i < (unsigned) argc; i++) {
logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-07-02 01:46:30 +02:00
if (startswith(argv[i], "class=")) {
pam_systemd: new option for the session class
2012-12-24 06:25:58 -07:00
if (class)
*class = argv[i] + 6;
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
} else if (startswith(argv[i], "type=")) {
if (type)
*type = argv[i] + 5;
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE, so that PAM stacks can configure this easily without involving env vars, in case there are PAM session managers which only support a single desktop anyway.
2018-07-20 11:01:18 +02:00
} else if (startswith(argv[i], "desktop=")) {
if (desktop)
*desktop = argv[i] + 8;
systemd_pam: treat debug as debug=1 and parse all params systemd_pam would ignore all params after the first invalid one. Instead ignore just this one, and parse the rest. There's just one now, but as a matter of principle ;) Also, allow debug as an alias for debug=1, and don't treat invalid debug= options as fatal.
2013-10-31 00:58:25 -04:00
} else if (streq(argv[i], "debug")) {
if (debug)
*debug = true;
logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-07-02 01:46:30 +02:00
systemd_pam: treat debug as debug=1 and parse all params systemd_pam would ignore all params after the first invalid one. Instead ignore just this one, and parse the rest. There's just one now, but as a matter of principle ;) Also, allow debug as an alias for debug=1, and don't treat invalid debug= options as fatal.
2013-10-31 00:58:25 -04:00
} else if (startswith(argv[i], "debug=")) {
int k;
pam-module: add debug= parameter It is customary that pam modules do not log debugging information by default. Usually they offer a 'debug' option. Add a boolean debug= option to pam_systemd.so. This will solve bug https://bugzilla.redhat.com/show_bug.cgi?id=705427 Commit 53d5582fa006b0eb528f5dc3f4ba978abd8ac5a3 was not sufficient to fix it, because in Fedora rsyslog is configured to write even LOG_DEBUG messages to /var/log/secure by default.
2011-05-27 01:29:34 +02:00
systemd_pam: treat debug as debug=1 and parse all params systemd_pam would ignore all params after the first invalid one. Instead ignore just this one, and parse the rest. There's just one now, but as a matter of principle ;) Also, allow debug as an alias for debug=1, and don't treat invalid debug= options as fatal.
2013-10-31 00:58:25 -04:00
k = parse_boolean(argv[i] + 6);
if (k < 0)
pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring.");
else if (debug)
pam-module: add debug= parameter It is customary that pam modules do not log debugging information by default. Usually they offer a 'debug' option. Add a boolean debug= option to pam_systemd.so. This will solve bug https://bugzilla.redhat.com/show_bug.cgi?id=705427 Commit 53d5582fa006b0eb528f5dc3f4ba978abd8ac5a3 was not sufficient to fix it, because in Fedora rsyslog is configured to write even LOG_DEBUG messages to /var/log/secure by default.
2011-05-27 01:29:34 +02:00
*debug = k;
systemd_pam: treat debug as debug=1 and parse all params systemd_pam would ignore all params after the first invalid one. Instead ignore just this one, and parse the rest. There's just one now, but as a matter of principle ;) Also, allow debug as an alias for debug=1, and don't treat invalid debug= options as fatal.
2013-10-31 00:58:25 -04:00
} else
logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-07-02 01:46:30 +02:00
pam_syslog(handle, LOG_WARNING, "Unknown parameter '%s', ignoring", argv[i]);
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
}
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
return 0;
}
static int get_user_data(
pam_handle_t *handle,
const char **ret_username,
struct passwd **ret_pw) {
pam: always rely on loginuid instead of uid to determine cgroup and XDG_RUNTIME_DIR
2010-11-16 00:10:57 +01:00
const char *username = NULL;
struct passwd *pw = NULL;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
int r;
assert(handle);
assert(ret_username);
assert(ret_pw);
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
r = pam_get_user(handle, &username, NULL);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to get user name.");
return r;
}
pam: always rely on loginuid instead of uid to determine cgroup and XDG_RUNTIME_DIR
2010-11-16 00:10:57 +01:00
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
if (isempty(username)) {
pam_syslog(handle, LOG_ERR, "User name not valid.");
return PAM_AUTH_ERR;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
}
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
pw = pam_modutil_getpwnam(handle, username);
pam: always rely on loginuid instead of uid to determine cgroup and XDG_RUNTIME_DIR
2010-11-16 00:10:57 +01:00
if (!pw) {
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_syslog(handle, LOG_ERR, "Failed to get user data.");
return PAM_USER_UNKNOWN;
}
*ret_pw = pw;
pam_systemd: remove unused null check username was already checked with isempty() and cannot be null at this point. CID#1237766
2014-11-15 23:43:09 +01:00
*ret_username = username;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
return PAM_SUCCESS;
}
pam_systemd: move socket_from_display() from util.[ch] to pam_systemd.c It's highly specific, kinda legacy (X11…) and only used at one place, let's move this out of the common code, and into pam_systemd.c where it is used.
2018-07-20 11:36:10 +02:00
static int socket_from_display(const char *display, char **path) {
size_t k;
char *f, *c;
assert(display);
assert(path);
if (!display_is_local(display))
return -EINVAL;
k = strspn(display+1, "0123456789");
f = new(char, STRLEN("/tmp/.X11-unix/X") + k + 1);
if (!f)
return -ENOMEM;
c = stpcpy(f, "/tmp/.X11-unix/X");
memcpy(c, display+1, k);
c[k] = 0;
*path = f;
return 0;
}
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-03-24 19:59:00 -04:00
union sockaddr_union sa = {
.un.sun_family = AF_UNIX,
};
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
_cleanup_free_ char *p = NULL, *tty = NULL;
_cleanup_close_ int fd = -1;
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
struct ucred ucred;
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
int v, r;
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
assert(display);
assert(vtnr);
/* We deduce the X11 socket from the display name, then use
* SO_PEERCRED to determine the X11 server process, ask for
* the controlling tty of that and if it's a VC then we know
* the seat and the virtual terminal. Sounds ugly, is only
* semi-ugly. */
r = socket_from_display(display, &p);
if (r < 0)
return r;
be consistent about sun_path length Most places use the whole buffer for name, without leaving extra space for the trailing NUL.
2018-10-09 15:04:58 +02:00
strncpy(sa.un.sun_path, p, sizeof(sa.un.sun_path));
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.
2013-03-24 19:59:00 -04:00
if (fd < 0)
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
return -errno;
tree-wide: introduce new SOCKADDR_UN_LEN() macro, and use it everywhere The macro determines the right length of a AF_UNIX "struct sockaddr_un" to pass to connect() or bind(). It automatically figures out if the socket refers to an abstract namespace socket, or a socket in the file system, and properly handles the full length of the path field. This macro is not only safer, but also simpler to use, than the usual offsetof() + strlen() logic.
2016-05-05 22:24:36 +02:00
if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0)
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
return -errno;
util: unify SO_PEERCRED/SO_PEERSEC invocations Introduce new call getpeercred() which internally just uses SO_PEERCRED but checks if the returned data is actually useful due to namespace quirks.
2013-12-24 15:53:04 +01:00
r = getpeercred(fd, &ucred);
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
if (r < 0)
util: unify SO_PEERCRED/SO_PEERSEC invocations Introduce new call getpeercred() which internally just uses SO_PEERCRED but checks if the returned data is actually useful due to namespace quirks.
2013-12-24 15:53:04 +01:00
return r;
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
r = get_ctty(ucred.pid, NULL, &tty);
if (r < 0)
return r;
v = vtnr_from_tty(tty);
if (v < 0)
return v;
else if (v == 0)
return -ENOENT;
pam: work correctly if a seat is specified but not vtnr
2012-01-13 20:51:58 +01:00
if (seat)
*seat = "seat0";
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
*vtnr = (uint32_t) v;
return 0;
}
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
uint64_t val;
int r;
if (isempty(limit))
return 0;
if (streq(limit, "infinity")) {
r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", (uint64_t)-1);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return r;
}
} else {
tree-wide: increase granularity of percent specifications all over the place to permille We so far had various placed we'd parse percentages with parse_percent(). Let's make them use parse_permille() instead, which is downward compatible (as it also parses percent values), and increases the granularity a bit. Given that on the wire we usually normalize relative specifications to something like UINT32_MAX anyway changing from base-100 to base-1000 calculations can be done easily without breaking compat. This commit doesn't document this change in the man pages. While allowing more precise specifcations permille is not as commonly understood as perent I guess, hence let's keep this out of the docs for now.
2018-07-02 18:52:42 +02:00
r = parse_permille(limit);
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
if (r >= 0) {
tree-wide: increase granularity of percent specifications all over the place to permille We so far had various placed we'd parse percentages with parse_percent(). Let's make them use parse_permille() instead, which is downward compatible (as it also parses percent values), and increases the granularity a bit. Given that on the wire we usually normalize relative specifications to something like UINT32_MAX anyway changing from base-100 to base-1000 calculations can be done easily without breaking compat. This commit doesn't document this change in the man pages. While allowing more precise specifcations permille is not as commonly understood as perent I guess, hence let's keep this out of the docs for now.
2018-07-02 18:52:42 +02:00
r = sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", (uint32_t) (((uint64_t) r * UINT32_MAX) / 1000U));
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return r;
}
} else {
r = parse_size(limit, 1024, &val);
if (r >= 0) {
r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return r;
}
} else
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.limit: %s, ignoring.", limit);
}
}
return 0;
}
pam_systemd: tiny coding style fix
2018-07-20 11:26:59 +02:00
static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
uint64_t val;
int r;
/* No need to parse "infinity" here, it will be set unconditionally later in manager_start_scope() */
if (isempty(limit) || streq(limit, "infinity"))
return 0;
r = safe_atou64(limit, &val);
if (r >= 0) {
r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return r;
}
} else
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.limit: %s, ignoring.", limit);
return 0;
}
static int append_session_cg_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit, const char *field) {
uint64_t val;
int r;
pam_systemd: reduce append_session_cg_weight() indentation level a bit by moving to early exit
2018-07-20 11:41:17 +02:00
if (isempty(limit))
return 0;
r = cg_weight_parse(limit, &val);
if (r >= 0) {
r = sd_bus_message_append(m, "(sv)", field, "t", val);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return r;
}
} else if (streq(field, "CPUWeight"))
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.cpu_weight: %s, ignoring.", limit);
else
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.io_weight: %s, ignoring.", limit);
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
return 0;
}
pam_systemd: simplify how we process env vars Let's introduce a single unified getenv() implementation for the various fields we need. No change in behaviour.
2018-07-20 10:58:27 +02:00
static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
const char *v;
assert(handle);
assert(key);
/* Looks for an environment variable, preferrably in the environment block associated with the specified PAM
* handle, falling back to the process' block instead. */
v = pam_getenv(handle, key);
if (!isempty(v))
return v;
v = getenv(key);
if (!isempty(v))
return v;
return fallback;
}
pam_systemd: simplify code which with we set environment variables Let's shorten things a bit by splitting out common code in a new function.
2018-07-20 11:27:55 +02:00
static int update_environment(pam_handle_t *handle, const char *key, const char *value) {
int r;
assert(handle);
assert(key);
/* Updates the environment, but only if there's actually a value set. Also, log about errors */
if (isempty(value))
return PAM_SUCCESS;
r = pam_misc_setenv(handle, key, value, 0);
if (r != PAM_SUCCESS)
pam_syslog(handle, LOG_ERR, "Failed to set environment variable %s.", key);
return r;
}
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
_public_ PAM_EXTERN int pam_sm_open_session(
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_handle_t *handle,
int flags,
int argc, const char **argv) {
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL;
pam: externally our booleans are ints, not unsigneds
2013-11-07 00:20:11 +01:00
const char
*username, *id, *object_path, *runtime_path,
*service = NULL,
*tty = NULL, *display = NULL,
*remote_user = NULL, *remote_host = NULL,
*seat = NULL,
*type = NULL, *class = NULL,
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE, so that PAM stacks can configure this easily without involving env vars, in case there are PAM session managers which only support a single desktop anyway.
2018-07-20 11:01:18 +02:00
*class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
*memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL;
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
pam: externally our booleans are ints, not unsigneds
2013-11-07 00:20:11 +01:00
int session_fd = -1, existing, r;
bool debug = false, remote;
struct passwd *pw;
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
uint32_t vtnr = 0;
uid_t original_uid;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
assert(handle);
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
PAM, uaccess: check for logind, not for systemd It is possible to build systemd without logind or run logind without systemd init. Commit 66e41181 fixed sd_booted() to only succeed for systemd init; with that, testing for systemd init is wrong in the parts that talk to logind. In particular, this affects the PAM module and the "uaccess" udev builtin. Change sd_booted() to a new logind_running() which tests for /run/systemd/seats/. For details, see: <https://mail.gnome.org/archives/desktop-devel-list/2013-March/msg00092.html> https://bugs.freedesktop.org/show_bug.cgi?id=62754
2013-03-26 11:36:31 +01:00
/* Make this a NOP on non-logind systems */
if (!logind_running())
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
return PAM_SUCCESS;
pam: introduce whitelist and blacklist user list feature This is useful to exclude root from the session logout killings or to limit killing to the selinux guest users.
2011-02-13 18:21:11 +01:00
if (parse_argv(handle,
argc, argv,
logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-07-02 01:46:30 +02:00
&class_pam,
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
&type_pam,
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE, so that PAM stacks can configure this easily without involving env vars, in case there are PAM session managers which only support a single desktop anyway.
2018-07-20 11:01:18 +02:00
&desktop_pam,
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
&debug) < 0)
return PAM_SESSION_ERR;
pam: duplicate cgroup tree in the cpu hierarchy by default, optionally more
2010-11-17 20:22:07 +01:00
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
if (debug)
pam: use correct log level
2014-02-10 16:37:09 +01:00
pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing");
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
r = get_user_data(handle, &username, &pw);
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to get user data.");
return r;
}
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam: initialize XDG_RUNTIME_DIR
2011-06-30 04:31:49 +02:00
/* Make sure we don't enter a loop by talking to
* systemd-logind when it is actually waiting for the
* background to finish start-up. If the service is
Add pam configuration to allow user sessions to work out of the box systemd-logind will start user@.service. user@.service unit uses PAM with service name 'systemd-user' to perform account and session managment tasks. Previously, the name was 'systemd-shared', it is now changed to 'systemd-user'. Most PAM installations use one common setup for different callers. Based on a quick poll, distributions fall into two camps: those that have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia, Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE). Distributions that have system-auth have just one configuration file that contains auth, password, account, and session blocks, and distributions that have common-auth also have common-session, common-password, and common-account. It is thus impossible to use one configuration file which would work for everybody. systemd-user now refers to system-auth, because it seems that the approach with one file is more popular and also easier, so let's follow that.
2013-09-11 14:31:14 -04:00
* "systemd-user" we simply set XDG_RUNTIME_DIR and
pam: initialize XDG_RUNTIME_DIR
2011-06-30 04:31:49 +02:00
* leave. */
pam_get_item(handle, PAM_SERVICE, (const void**) &service);
Add pam configuration to allow user sessions to work out of the box systemd-logind will start user@.service. user@.service unit uses PAM with service name 'systemd-user' to perform account and session managment tasks. Previously, the name was 'systemd-shared', it is now changed to 'systemd-user'. Most PAM installations use one common setup for different callers. Based on a quick poll, distributions fall into two camps: those that have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia, Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE). Distributions that have system-auth have just one configuration file that contains auth, password, account, and session blocks, and distributions that have common-auth also have common-session, common-password, and common-account. It is thus impossible to use one configuration file which would work for everybody. systemd-user now refers to system-auth, because it seems that the approach with one file is more popular and also easier, so let's follow that.
2013-09-11 14:31:14 -04:00
if (streq_ptr(service, "systemd-user")) {
login: simply XDG_RUNTIME_DIR management Lets not pretend we support changing XDG_RUNTIME_DIR via logind state files. There is no reason to ever write the string into /run, as we allocate it statically based on the UID, anyway. Lets stop that and just allocate the runtime_path in "struct User" at all times. We keep writing it into the /run state to make sure pam_systemd of previous installs can still read it. However, pam_systemd is now fixed to allocate it statically as well, so we can safely remove that some time in the future. Last but not least: If software depends on systemd, they're more than free to assume /run/user/$uid is their runtime dir. Lets not require sane applications to query the environment to get their runtime dir. As long as applications know their login-UID, they should be safe to deduce the runtime dir.
2015-09-28 12:53:42 +02:00
_cleanup_free_ char *rt = NULL;
pam: initialize XDG_RUNTIME_DIR
2011-06-30 04:31:49 +02:00
login: simply XDG_RUNTIME_DIR management Lets not pretend we support changing XDG_RUNTIME_DIR via logind state files. There is no reason to ever write the string into /run, as we allocate it statically based on the UID, anyway. Lets stop that and just allocate the runtime_path in "struct User" at all times. We keep writing it into the /run state to make sure pam_systemd of previous installs can still read it. However, pam_systemd is now fixed to allocate it statically as well, so we can safely remove that some time in the future. Last but not least: If software depends on systemd, they're more than free to assume /run/user/$uid is their runtime dir. Lets not require sane applications to query the environment to get their runtime dir. As long as applications know their login-UID, they should be safe to deduce the runtime dir.
2015-09-28 12:53:42 +02:00
if (asprintf(&rt, "/run/user/"UID_FMT, pw->pw_uid) < 0)
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
return PAM_BUF_ERR;
pam: initialize XDG_RUNTIME_DIR
2011-06-30 04:31:49 +02:00
login: simply XDG_RUNTIME_DIR management Lets not pretend we support changing XDG_RUNTIME_DIR via logind state files. There is no reason to ever write the string into /run, as we allocate it statically based on the UID, anyway. Lets stop that and just allocate the runtime_path in "struct User" at all times. We keep writing it into the /run state to make sure pam_systemd of previous installs can still read it. However, pam_systemd is now fixed to allocate it statically as well, so we can safely remove that some time in the future. Last but not least: If software depends on systemd, they're more than free to assume /run/user/$uid is their runtime dir. Lets not require sane applications to query the environment to get their runtime dir. As long as applications know their login-UID, they should be safe to deduce the runtime dir.
2015-09-28 12:53:42 +02:00
r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", rt, 0);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
return r;
pam: initialize XDG_RUNTIME_DIR
2011-06-30 04:31:49 +02:00
}
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
return PAM_SUCCESS;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
}
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
/* Otherwise, we ask logind to create a session for us */
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
pam_get_item(handle, PAM_TTY, (const void**) &tty);
pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
pam: check environ[] for XDG_SEAT as fallback This is useful for systems such as kmscon which want to invoke classic /sbin/login but use it on multiple seats.
2012-10-01 14:50:00 -04:00
pam_systemd: simplify how we process env vars Let's introduce a single unified getenv() implementation for the various fields we need. No change in behaviour.
2018-07-20 10:58:27 +02:00
seat = getenv_harder(handle, "XDG_SEAT", NULL);
cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
pam_systemd: also make $XDG_SESSION_DESKTOP configurable via PAM module command line Let's make this symmetric with XDG_SESSION_CLASS and XDG_SESSION_TYPE, so that PAM stacks can configure this easily without involving env vars, in case there are PAM session managers which only support a single desktop anyway.
2018-07-20 11:01:18 +02:00
desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
man: introduce new "Desktop" property for sessions This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-02-05 20:34:11 +01:00
logind: various clean-ups
2011-06-24 19:42:45 +02:00
tty = strempty(tty);
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
pam: fix up tty if it is actually a display
2011-06-24 23:51:49 +02:00
if (strchr(tty, ':')) {
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
/* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
* and don't pretend that an X display was a tty. */
pam: fix up tty if it is actually a display
2011-06-24 23:51:49 +02:00
if (isempty(display))
display = tty;
man: introduce new "Desktop" property for sessions This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-02-05 20:34:11 +01:00
tty = NULL;
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
pam-module: treat "cron" in PAM_TTY as empty tty cron sets PAM_TTY to "cron" and it has been doing it for a long time. It cannot be changed because user configurations may depend on it. https://bugzilla.redhat.com/show_bug.cgi?id=727315
2011-11-19 01:17:46 +01:00
} else if (streq(tty, "cron")) {
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
/* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
* probably because it wants to set it to something as pam_time/pam_access/ require PAM_TTY to be set
* (as they otherwise even try to update it!) but cron doesn't actually allocate a TTY for its forked
* off processes.) */
pam: properly handle SSH logins lacking the PAM tty field
2012-12-23 22:31:17 +01:00
type = "unspecified";
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
class = "background";
man: introduce new "Desktop" property for sessions This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-02-05 20:34:11 +01:00
tty = NULL;
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
pam: properly handle SSH logins lacking the PAM tty field
2012-12-23 22:31:17 +01:00
} else if (streq(tty, "ssh")) {
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
/* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
* details look for "PAM_TTY_KLUDGE" in the openssh sources). */
pam: properly handle SSH logins lacking the PAM tty field
2012-12-23 22:31:17 +01:00
type ="tty";
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
class = "user";
pam_systemd: explain in detail why pam_systemd does the PAM item mangling it does in comments The old comments were imprecise, and misleading. Let's extend things and explain the situation in more detail.
2018-07-23 13:02:58 +02:00
tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
* associated with a pty won't be tracked by their tty in logind. This is because ssh
* does the PAM session registration early for new connections, and registers a pty only
* much later (this is because it doesn't know yet if it needs one at all, as whether to
* register a pty or not is negotiated much later in the protocol). */
pam_logind: skip leading /dev/ from PAM_TTY field before passing it on Apparently, PAM documents that the PAM_TTY should come with a /dev prefix, but we don't expect it so far, except that Wayland ends up setting it after all, the way the docs suggest. Hence, let's simply drop the /dev prefix if it is there. Fixes: #6516
2017-08-09 19:04:36 +02:00
} else
/* Chop off leading /dev prefix that some clients specify, but others do not. */
tty = skip_dev_prefix(tty);
pam: fix up tty if it is actually a display
2011-06-24 23:51:49 +02:00
pam: document that we don't do error checking when parsing vtnr
2012-09-21 16:17:22 +02:00
/* If this fails vtnr will be 0, that's intended */
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
if (!isempty(cvtnr))
pam_system: use (void) to silence coverity CID #996284.
2015-04-12 22:41:20 -04:00
(void) safe_atou32(cvtnr, &vtnr);
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
logind: make VT numbers unsigned Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so we don't need negative numbers at all. Note that most code already assumes it's unsigned so in case there's a negative vtnr, our code may, under special circumstances, silently break. So this patch makes sure all sources of vtnrs verify the validity. Also note that the dbus api already uses unsigned ints.
2013-11-28 17:05:34 +01:00
if (!isempty(display) && !vtnr) {
pam: work correctly if a seat is specified but not vtnr
2012-01-13 20:51:58 +01:00
if (isempty(seat))
pam_systemd: cast calls whose result we knowingly ignore to (void)
2018-07-20 11:43:38 +02:00
(void) get_seat_from_display(display, &seat, &vtnr);
pam: work correctly if a seat is specified but not vtnr
2012-01-13 20:51:58 +01:00
else if (streq(seat, "seat0"))
pam_systemd: cast calls whose result we knowingly ignore to (void)
2018-07-20 11:43:38 +02:00
(void) get_seat_from_display(display, NULL, &vtnr);
pam: work correctly if a seat is specified but not vtnr
2012-01-13 20:51:58 +01:00
}
logind: automatically deduce seat from display
2011-06-27 22:44:12 +02:00
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
if (seat && !streq(seat, "seat0") && vtnr != 0) {
Assorted format fixes Types used for pids and uids in various interfaces are unpredictable. Too bad.
2015-01-20 22:22:15 -05:00
pam_syslog(handle, LOG_DEBUG, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
pam_systemd: Ignore vtnr when seat != seat0 logind considers it an error for a seat other than seat0 to have a non-zero vtnr for CreateSession
2014-01-24 11:23:01 -07:00
vtnr = 0;
}
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
if (isempty(type))
pam: properly handle SSH logins lacking the PAM tty field
2012-12-23 22:31:17 +01:00
type = !isempty(display) ? "x11" :
logind: make session type and class settable via the same ways If the session type/class is set via environment variables, use that, and otherwise fallback to something that is set via the PAM module command line.
2014-02-05 18:55:18 +01:00
!isempty(tty) ? "tty" : "unspecified";
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
login: track login class (i.e. one of "user", "greeter", "lock-screen") for each session This introduces the new PAM environment variable XDG_SESSION_CLASS. If not set, defaults to "user". This is useful for apps that want to distuingish real user logins from "fake" ones which just exist to show a gdm login screen or a lock screen.
2012-02-14 21:33:51 +01:00
if (isempty(class))
logind: introduce an explicit session class for cronjobs and similar cronjobs are neither interactive user session, nor lock screens, nor login screens, hence they should get their own class.
2013-04-09 22:18:16 +02:00
class = streq(type, "unspecified") ? "background" : "user";
login: track login class (i.e. one of "user", "greeter", "lock-screen") for each session This introduces the new PAM environment variable XDG_SESSION_CLASS. If not set, defaults to "user". This is useful for apps that want to distuingish real user logins from "fake" ones which just exist to show a gdm login screen or a lock screen.
2012-02-14 21:33:51 +01:00
util: generalize is_localhost() and use it everywhere where applicable
2014-07-02 13:41:31 +02:00
remote = !isempty(remote_host) && !is_localhost(remote_host);
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
(void) pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
(void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
(void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
(void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
socket: rework things to have only one sockaddr formatter
2013-11-07 00:03:54 +01:00
/* Talk to logind over the message bus */
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
r = sd_bus_open_system(&bus);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to connect to system bus: %s", strerror(-r));
return PAM_SESSION_ERR;
logind: port logind to libsystemd-bus
2013-11-05 01:10:21 +01:00
}
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
if (debug) {
pam-module: add a couple of debugging prints
2011-12-14 01:25:47 +01:00
pam_syslog(handle, LOG_DEBUG, "Asking logind to create session: "
Assorted format fixes Types used for pids and uids in various interfaces are unpredictable. Too bad.
2015-01-20 22:22:15 -05:00
"uid="UID_FMT" pid="PID_FMT" service=%s type=%s class=%s desktop=%s seat=%s vtnr=%"PRIu32" tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
tree-wide: make use of getpid_cached() wherever we can This moves pretty much all uses of getpid() over to getpid_raw(). I didn't specifically check whether the optimization is worth it for each replacement, but in order to keep things simple and systematic I switched over everything at once.
2017-07-20 16:19:18 +02:00
pw->pw_uid, getpid_cached(),
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
strempty(service),
pam-module: avoid (null) in debug message
2014-02-08 12:12:20 -05:00
type, class, strempty(desktop),
man: introduce new "Desktop" property for sessions This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".
2014-02-05 20:34:11 +01:00
strempty(seat), vtnr, strempty(tty), strempty(display),
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
yes_no(remote), strempty(remote_user), strempty(remote_host));
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
pam_syslog(handle, LOG_DEBUG, "Session limits: "
"memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s",
strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight));
}
r = sd_bus_message_new_method_call(
bus,
&m,
"org.freedesktop.login1",
"/org/freedesktop/login1",
"org.freedesktop.login1.Manager",
"CreateSession");
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to create CreateSession method call: %s", strerror(-r));
return PAM_SESSION_ERR;
}
r = sd_bus_message_append(m, "uusssssussbss",
(uint32_t) pw->pw_uid,
pam_systemd: support use in PID namespaces Pass 0 as leader PID to CreateSession to let logind use the PID from the D-Bus credentials. This allows use of pam_systemd in PID namespaces.
2018-08-18 09:29:43 +02:00
0,
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
service,
type,
class,
desktop,
seat,
vtnr,
tty,
display,
remote,
remote_user,
remote_host);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
return PAM_SESSION_ERR;
}
r = sd_bus_message_open_container(m, 'a', "(sv)");
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to open message container: %s", strerror(-r));
return PAM_SYSTEM_ERR;
}
r = append_session_memory_max(handle, m, memory_max);
if (r < 0)
return PAM_SESSION_ERR;
r = append_session_tasks_max(handle, m, tasks_max);
if (r < 0)
return PAM_SESSION_ERR;
r = append_session_cg_weight(handle, m, cpu_weight, "CPUWeight");
if (r < 0)
return PAM_SESSION_ERR;
r = append_session_cg_weight(handle, m, io_weight, "IOWeight");
if (r < 0)
return PAM_SESSION_ERR;
r = sd_bus_message_close_container(m);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to close message container: %s", strerror(-r));
return PAM_SYSTEM_ERR;
}
pam-module: add a couple of debugging prints
2011-12-14 01:25:47 +01:00
logind: enable limiting of user session scopes using pam context objects (#8397)
2018-04-17 16:42:44 +02:00
r = sd_bus_call(bus, m, 0, &error, &reply);
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
if (r < 0) {
logind: fail on CreateSession if already in session Right now, if you're already in a session and call CreateSession, we return information about the current session of yours. This is highy confusing and a nasty hack. Avoid that, and instead return a commonly known error, so the caller can detect that. This has the side-effect, that we no longer override XDG_VTNR and XDG_SEAT in pam_systemd, if you're already in a session. But this sounds like the right thing to do, anyway.
2015-07-07 19:38:41 +02:00
if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
pam_syslog(handle, LOG_DEBUG, "Cannot create session: %s", bus_error_message(&error, r));
return PAM_SUCCESS;
} else {
pam_syslog(handle, LOG_ERR, "Failed to create session: %s", bus_error_message(&error, r));
return PAM_SYSTEM_ERR;
}
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
}
pam: duplicate cgroup tree in the cpu hierarchy by default, optionally more
2010-11-17 20:22:07 +01:00
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
r = sd_bus_message_read(reply,
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
"soshusub",
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
&id,
&object_path,
&runtime_path,
&session_fd,
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
&original_uid,
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
&seat,
&vtnr,
&existing);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to parse message: %s", strerror(-r));
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
return PAM_SESSION_ERR;
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
}
pam: duplicate cgroup tree in the cpu hierarchy by default, optionally more
2010-11-17 20:22:07 +01:00
pam-module: add a couple of debugging prints
2011-12-14 01:25:47 +01:00
if (debug)
pam_syslog(handle, LOG_DEBUG, "Reply from logind: "
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
"id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
pam-module: add a couple of debugging prints
2011-12-14 01:25:47 +01:00
pam_systemd: simplify code which with we set environment variables Let's shorten things a bit by splitting out common code in a new function.
2018-07-20 11:27:55 +02:00
r = update_environment(handle, "XDG_SESSION_ID", id);
if (r != PAM_SUCCESS)
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
return r;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
if (original_uid == pw->pw_uid) {
/* Don't set $XDG_RUNTIME_DIR if the user we now
* authenticated for does not match the original user
* of the session. We do this in order not to result
* in privileged apps clobbering the runtime directory
* unnecessarily. */
pam_systemd: simplify code which with we set environment variables Let's shorten things a bit by splitting out common code in a new function.
2018-07-20 11:27:55 +02:00
r = update_environment(handle, "XDG_RUNTIME_DIR", runtime_path);
if (r != PAM_SUCCESS)
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
return r;
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
}
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: always set XDG_SESSION_{CLASS|TYPE|DESKTOP} We likely get the data from the env block, but we might also determine it from elsewhere (such as PAM module parameters). Let's set the env vars on the env block explicitly, so that they are available always, and apps can rely on it.
2018-07-20 11:28:37 +02:00
/* Most likely we got the session/type/class from environment variables, but might have gotten the data
* somewhere else (for example PAM module parameters). Let's now update the environment variables, so that this
* data is inherited into the session processes, and programs can rely on them to be initialized. */
r = update_environment(handle, "XDG_SESSION_TYPE", type);
if (r != PAM_SUCCESS)
return r;
r = update_environment(handle, "XDG_SESSION_CLASS", class);
if (r != PAM_SUCCESS)
return r;
r = update_environment(handle, "XDG_SESSION_DESKTOP", desktop);
if (r != PAM_SUCCESS)
return r;
pam_systemd: simplify code which with we set environment variables Let's shorten things a bit by splitting out common code in a new function.
2018-07-20 11:27:55 +02:00
r = update_environment(handle, "XDG_SEAT", seat);
if (r != PAM_SUCCESS)
return r;
pam: set XDG_SEAT and XDG_VTNR when logging in
2011-07-26 23:09:34 +02:00
if (vtnr > 0) {
pam: the DECIMAL_STR_MAX macro is awesome, let's use it
2013-11-07 16:42:36 +01:00
char buf[DECIMAL_STR_MAX(vtnr)];
pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-26 05:05:00 +01:00
sprintf(buf, "%u", vtnr);
pam: set XDG_SEAT and XDG_VTNR when logging in
2011-07-26 23:09:34 +02:00
pam_systemd: simplify code which with we set environment variables Let's shorten things a bit by splitting out common code in a new function.
2018-07-20 11:27:55 +02:00
r = update_environment(handle, "XDG_VTNR", buf);
if (r != PAM_SUCCESS)
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
return r;
pam: set XDG_SEAT and XDG_VTNR when logging in
2011-07-26 23:09:34 +02:00
}
logind: only release logind session from the PAM module if the same module instance actually created it
2012-10-16 19:21:21 +02:00
r = pam_set_data(handle, "systemd.existing", INT_TO_PTR(!!existing), NULL);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to install existing flag.");
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
return r;
logind: only release logind session from the PAM module if the same module instance actually created it
2012-10-16 19:21:21 +02:00
}
logind: properly handle if two session with identical loginuids are attempted to be created
2011-06-24 22:55:39 +02:00
if (session_fd >= 0) {
pam_systemd: use F_DUPFD_CLOEXEC when dupping session fds http://lists.freedesktop.org/archives/systemd-devel/2014-May/019034.html
2014-05-13 16:35:34 +02:00
session_fd = fcntl(session_fd, F_DUPFD_CLOEXEC, 3);
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
if (session_fd < 0) {
pam_syslog(handle, LOG_ERR, "Failed to dup session fd: %m");
return PAM_SESSION_ERR;
}
tree-wide: make macros for converting fds to pointers and back generic and use them everywhere
2015-11-17 00:51:24 +01:00
r = pam_set_data(handle, "systemd.session-fd", FD_TO_PTR(session_fd), NULL);
logind: properly handle if two session with identical loginuids are attempted to be created
2011-06-24 22:55:39 +02:00
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to install session fd.");
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
safe_close(session_fd);
pam_systemd: dup the fd received from logind Otherwise sd_bus_message cleanup would close it.
2013-11-06 17:24:16 -05:00
return r;
logind: properly handle if two session with identical loginuids are attempted to be created
2011-06-24 22:55:39 +02:00
}
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
}
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
return PAM_SUCCESS;
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
}
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
logind: hook up PAM module with logind
2011-06-24 18:50:50 +02:00
_public_ PAM_EXTERN int pam_sm_close_session(
pam_handle_t *handle,
int flags,
int argc, const char **argv) {
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27 19:13:45 +01:00
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-06 18:32:14 +01:00
const void *existing = NULL;
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
const char *id;
int r;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
assert(handle);
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
logind: only release logind session from the PAM module if the same module instance actually created it
2012-10-16 19:21:21 +02:00
/* Only release session if it wasn't pre-existing when we
* tried to create it */
pam_systemd: cast calls whose result we knowingly ignore to (void)
2018-07-20 11:43:38 +02:00
(void) pam_get_data(handle, "systemd.existing", &existing);
logind: only release logind session from the PAM module if the same module instance actually created it
2012-10-16 19:21:21 +02:00
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
id = pam_getenv(handle, "XDG_SESSION_ID");
logind: only release logind session from the PAM module if the same module instance actually created it
2012-10-16 19:21:21 +02:00
if (id && !existing) {
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
/* Before we go and close the FIFO we need to tell
* logind that this is a clean session shutdown, so
* that it doesn't just go and slaughter us
* immediately after closing the fd */
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
r = sd_bus_open_system(&bus);
if (r < 0) {
logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-06 18:32:14 +01:00
pam_syslog(handle, LOG_ERR, "Failed to connect to system bus: %s", strerror(-r));
return PAM_SESSION_ERR;
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
}
pam_systemd: port to libsystemd-bus
2013-11-05 00:01:12 -05:00
r = sd_bus_call_method(bus,
"org.freedesktop.login1",
"/org/freedesktop/login1",
"org.freedesktop.login1.Manager",
"ReleaseSession",
&error,
NULL,
"s",
id);
if (r < 0) {
logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-06 18:32:14 +01:00
pam_syslog(handle, LOG_ERR, "Failed to release session: %s", bus_error_message(&error, r));
return PAM_SESSION_ERR;
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
}
}
logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-06 18:32:14 +01:00
/* Note that we are knowingly leaking the FIFO fd here. This
* way, logind can watch us die. If we closed it here it would
* not have any clue when that is completed. Given that one
* cannot really have multiple PAM sessions open from the same
* process this means we will leak one FD at max. */
logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.
2012-03-22 02:06:40 +01:00
logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.
2014-02-06 18:32:14 +01:00
return PAM_SUCCESS;
pam: implement systemd PAM module and generelize cgroup API for that a bit
2010-06-21 23:27:18 +02:00
}
Copy Permalink