service: make chain of main commands and control commands independent of each other...

[elogind.git] / src / pam-module.c

diff --git a/src/pam-module.c b/src/pam-module.c
index 6fbaecf51d83543e3a1ce7c945435ae71e1b055e..52507a4cbdb94b0a0516be3e277450c7b36ccf1a 100644 (file)
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
                       bool *create_session,
                       bool *kill_session,
                       bool *kill_user,
+                      bool *keep_root,
                       char ***controllers) {
 
         unsigned i;
@@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
                         if (kill_user)
                                 *kill_user = k;
 
+                } else if (startswith(argv[i], "keep-root=")) {
+                        if ((k = parse_boolean(argv[i] + 10)) < 0) {
+                                pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
+                                return k;
+                        }
+
+                        if (keep_root)
+                                *keep_root = k;
+
                 } else if (startswith(argv[i], "controllers=")) {
 
                         if (controllers) {
@@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         if (sd_booted() <= 0)
                 return PAM_SUCCESS;
 
-        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
+        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
                 return PAM_SESSION_ERR;
 
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         const char *username = NULL;
         bool kill_session = false;
         bool kill_user = false;
+        bool keep_root = true;
         int lock_fd = -1, r;
         char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
         const char *id;
@@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         if (sd_booted() <= 0)
                 return PAM_SUCCESS;
 
-        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
+        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
                 return PAM_SESSION_ERR;
 
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                         goto finish;
                 }
 
-                if (kill_session)  {
+                if (kill_session && (pw->pw_uid != 0 || !keep_root))  {
                         pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
 
                         /* Kill processes in session cgroup, and delete it */
@@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                 pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
 
         /* Kill user processes not attached to any session */
-        if (kill_user && r == 0) {
+        if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
 
                 /* Kill user cgroup */
                 if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)