
Merge pull request #15864 from poettering/pam-sudo-fixes-part3

two more pam_systemd fixes, split out of #15742
Anita Zhang 2020-05-20 15:01:52 -07:00 committed by GitHub
commit 30ed6e2250
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 68 additions and 11 deletions


@ -73,7 +73,12 @@
the re-authentication must take place from a component running outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
accordingly.</para></listitem>
accordingly.</para>
<para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
for sessions. If both the environment variable is set and the module parameter specified the latter
takes precedence.</para></listitem>
</varlistentry>
<varlistentry>
@ -105,6 +110,15 @@
<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>
<listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
or disabled (see above). The variable's value is either <literal>0</literal> or
<literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
sessions.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -60,6 +60,35 @@ static int parse_argv(
return 0;
}
static int parse_env(
pam_handle_t *handle,
bool *please_suspend) {
const char *v;
int r;
/* Let's read the suspend setting from an env var in addition to the PAM command line. That makes it
* easy to declare the features of a display manager in code rather than configuration, and this is
* really a feature of code */
v = pam_getenv(handle, "SYSTEMD_HOME_SUSPEND");
if (!v) {
/* Also check the process env block, so that people can control this via an env var from the
* outside of our process. */
v = secure_getenv("SYSTEMD_HOME_SUSPEND");
if (!v)
return 0;
}
r = parse_boolean(v);
if (r < 0)
pam_syslog(handle, LOG_WARNING, "Failed to parse $SYSTEMD_HOME_SUSPEND argument, ignoring: %s", v);
else if (please_suspend)
*please_suspend = r;
return 0;
}
static int acquire_user_record(
pam_handle_t *handle,
const char *username,
@ -636,6 +665,9 @@ _public_ PAM_EXTERN int pam_sm_authenticate(
bool debug = false, suspend_please = false;
if (parse_env(handle, &suspend_please) < 0)
return PAM_AUTH_ERR;
if (parse_argv(handle,
argc, argv,
&suspend_please,
@ -660,6 +692,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
bool debug = false, suspend_please = false;
int r;
if (parse_env(handle, &suspend_please) < 0)
return PAM_SESSION_ERR;
if (parse_argv(handle,
argc, argv,
&suspend_please,
@ -681,6 +716,12 @@ _public_ PAM_EXTERN int pam_sm_open_session(
return r;
}
r = pam_putenv(handle, suspend_please ? "SYSTEMD_HOME_SUSPEND=1" : "SYSTEMD_HOME_SUSPEND=0");
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to set PAM environment variable $SYSTEMD_HOME_SUSPEND: %s", pam_strerror(handle, r));
return r;
}
/* Let's release the D-Bus connection, after all the session might live quite a long time, and we are
* not going to process the bus connection in that time, so let's better close before the daemon
* kicks us off because we are not processing anything. */
@ -764,6 +805,9 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
usec_t t;
int r;
if (parse_env(handle, &please_suspend) < 0)
return PAM_AUTH_ERR;
if (parse_argv(handle,
argc, argv,
&please_suspend,
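Review bot: The three new guards `if (parse_env(handle, &suspend_please) < 0) return PAM_AUTH_ERR;` (and the PAM_SESSION_ERR variant in pam_sm_open_session) are dead code, because parse_env returns 0 on every path — an unparsable value is only logged at LOG_WARNING and the previous value of `*please_suspend` is left untouched. Either state that contract on parse_env (`/* Never fails: an unparsable value is logged and ignored, leaving *please_suspend unchanged. */`) or make the function `void` so readers do not look for an error path. The warning text `Failed to parse $SYSTEMD_HOME_SUSPEND argument, ignoring: %s` describes a module argument, but the value comes from pam_getenv()/secure_getenv(); `Failed to parse $SYSTEMD_HOME_SUSPEND environment variable, ignoring: %s` would match the source. Using secure_getenv() for the process-environment fallback is the right choice here, since it yields NULL when the process runs with elevated privileges, so an environment inherited into a setuid host cannot flip the setting. The enclosing pam_sm_* functions start and end outside the hunks.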


@ -647,10 +647,6 @@ _public_ PAM_EXTERN int pam_sm_open_session(
assert(handle);
/* Make this a NOP on non-logind systems */
if (!logind_running())
return PAM_SUCCESS;
if (parse_argv(handle,
argc, argv,
&class_pam,
@ -666,6 +662,10 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (r != PAM_SUCCESS)
return r;
/* Make most of this a NOP on non-logind systems */
if (!logind_running())
goto success;
/* Make sure we don't enter a loop by talking to
* systemd-logind when it is actually waiting for the
* background to finish start-up. If the service is
@ -689,11 +689,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (r != PAM_SUCCESS)
return r;
r = apply_user_record_settings(handle, ur, debug);
if (r != PAM_SUCCESS)
return r;
return PAM_SUCCESS;
goto success;
}
/* Otherwise, we ask logind to create a session for us */
@ -847,7 +843,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
if (debug)
pam_syslog(handle, LOG_DEBUG, "Not creating session: %s", bus_error_message(&error, r));
return PAM_SUCCESS;
/* We are already in a session, don't do anything */
goto success;
} else {
pam_syslog(handle, LOG_ERR, "Failed to create session: %s", bus_error_message(&error, r));
return PAM_SESSION_ERR;
@ -944,6 +942,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
}
}
success:
r = apply_user_record_settings(handle, ur, debug);
if (r != PAM_SUCCESS)
return r;