path: optionally, create watched directories in .path units

[elogind.git] / src / pam-module.c

diff --git a/src/pam-module.c b/src/pam-module.c
index 7f915847052b061dd0de370aad67b615dbf36532..6486546e6dea0a5fddab5976424eb06bed8cac08 100644 (file)
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -198,8 +198,10 @@ static int open_file_and_lock(const char *fn) {
          * as the filesystems in question should be local, and only
          * locally accessible, and most likely even tmpfs. */
 
-        if (flock(fd, LOCK_EX) < 0)
+        if (flock(fd, LOCK_EX) < 0) {
+                close_nointr_nofail(fd);
                 return -errno;
+        }
 
         return fd;
 }
@@ -237,11 +239,10 @@ static uint64_t get_session_id(int *mode) {
                 ssize_t r;
 
                 /* We do a bit of endianess swapping here, just to be
-                 * sure. /var should be machine specific anyway, and
-                 * /var/run even mounted from tmpfs, so this
-                 * byteswapping should really not be necessary. But
-                 * then again, you never know, so let's avoid any
-                 * risk. */
+                 * sure. /run should be machine specific anyway, and
+                 * even mounted from tmpfs, so this byteswapping
+                 * should really not be necessary. But then again, you
+                 * never know, so let's avoid any risk. */
 
                 if (loop_read(fd, &counter, sizeof(counter), false) != sizeof(counter))
                         counter = 1;
@@ -271,6 +272,7 @@ static uint64_t get_session_id(int *mode) {
         /* Last attempt, pick a random value */
         return (uint64_t) random_ull();
 }
+
 static int get_user_data(
                 pam_handle_t *handle,
                 const char **ret_username,
@@ -394,6 +396,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         int lock_fd = -1;
         bool create_session = true;
         char **controllers = NULL, **reset_controllers = NULL, **c;
+        char *cgroup_user_tree = NULL;
 
         assert(handle);
 
@@ -413,6 +416,12 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                 goto finish;
 
+        if ((r = cg_get_user_path(&cgroup_user_tree)) < 0) {
+                pam_syslog(handle, LOG_ERR, "Failed to determine user cgroup tree: %s", strerror(-r));
+                r = PAM_SYSTEM_ERR;
+                goto finish;
+        }
+
         if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
                 pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
                 r = PAM_SYSTEM_ERR;
@@ -425,7 +434,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                 goto finish;
         }
 
-        /* Create /var/run/$USER */
+        /* Create /run/user/$USER */
         free(buf);
         if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
                 r = PAM_BUF_ERR;
@@ -476,9 +485,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                         }
                 }
 
-                r = asprintf(&buf, "/user/%s/%s", username, id);
+                r = asprintf(&buf, "%s/%s/%s", cgroup_user_tree, username, id);
         } else
-                r = asprintf(&buf, "/user/%s/master", username);
+                r = asprintf(&buf, "%s/%s/master", cgroup_user_tree, username);
 
         if (r < 0) {
                 r = PAM_BUF_ERR;
@@ -509,6 +518,8 @@ finish:
         strv_free(controllers);
         strv_free(reset_controllers);
 
+        free(cgroup_user_tree);
+
         return r;
 }
 
@@ -600,6 +611,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         struct passwd *pw;
         const void *created = NULL;
         char **controllers = NULL, **c, **kill_only_users = NULL, **kill_exclude_users = NULL;
+        char *cgroup_user_tree = NULL;
 
         assert(handle);
 
@@ -617,6 +629,12 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                 goto finish;
 
+        if ((r = cg_get_user_path(&cgroup_user_tree)) < 0) {
+                pam_syslog(handle, LOG_ERR, "Failed to determine user cgroup tree: %s", strerror(-r));
+                r = PAM_SYSTEM_ERR;
+                goto finish;
+        }
+
         if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
                 pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
                 r = PAM_SYSTEM_ERR;
@@ -624,14 +642,14 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         }
 
         /* We are probably still in some session/user dir. Move ourselves out of the way as first step */
-        if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
+        if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, cgroup_user_tree, 0)) < 0)
                 pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));
 
         STRV_FOREACH(c, controllers)
-                if ((r = cg_attach(*c, "/user", 0)) < 0)
+                if ((r = cg_attach(*c, cgroup_user_tree, 0)) < 0)
                         pam_syslog(handle, LOG_ERR, "Failed to move us away in %s hierarchy: %s", *c, strerror(-r));
 
-        if (asprintf(&user_path, "/user/%s", username) < 0) {
+        if (asprintf(&user_path, "%s/%s", cgroup_user_tree, username) < 0) {
                 r = PAM_BUF_ERR;
                 goto finish;
         }
@@ -640,8 +658,8 @@ _public_ PAM_EXTERN int pam_sm_close_session(
 
         if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {
 
-                if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 ||
-                    asprintf(&nosession_path, "/user/%s/master", username) < 0) {
+                if (asprintf(&session_path, "%s/%s/%s", cgroup_user_tree, username, id) < 0 ||
+                    asprintf(&nosession_path, "%s/%s/master", cgroup_user_tree, username) < 0) {
                         r = PAM_BUF_ERR;
                         goto finish;
                 }
@@ -727,5 +745,7 @@ finish:
         strv_free(kill_exclude_users);
         strv_free(kill_only_users);
 
+        free(cgroup_user_tree);
+
         return r;
 }