X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fpam-module.c;h=387b77ed56fc0dbae8f6b7752d0f0054027841ef;hp=1441987fdc39e7c944f167d383b2027448612d0b;hb=97e3d13fb4d28e25803f1a6543ae2051b5fcff1d;hpb=c6c18be35bb1d300d0b62a568783cc1c477f7151

diff --git a/src/pam-module.c b/src/pam-module.c
index 1441987fd..387b77ed5 100644
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -1,4 +1,4 @@
-/*-*- Mode: C; c-basic-offset: 8 -*-*/
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
 
 /***
   This file is part of systemd.
@@ -31,8 +31,6 @@
 #include <security/pam_ext.h>
 #include <security/pam_misc.h>
 
-#include <libcgroup.h>
-
 #include "util.h"
 #include "cgroup-util.h"
 #include "macro.h"
@@ -210,7 +208,7 @@ static int get_user_data(
         return PAM_SUCCESS;
 }
 
-static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach) {
+static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach, bool remember) {
         int r;
 
         assert(handle);
@@ -226,6 +224,17 @@ static int create_user_group(pam_handle_t *handle, const char *group, struct pas
                 return PAM_SESSION_ERR;
         }
 
+        if (r > 0 && remember) {
+                /* Remember that it was us who created this group, and
+                 * that hence we need to remove it too. This is a
+                 * protection against removing the cgroup when run
+                 * recursively. */
+                if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
+                        pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
+                        return r;
+                }
+        }
+
         if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 ||
             (r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
                 pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
@@ -249,7 +258,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
 
         assert(handle);
 
-        pam_syslog(handle, LOG_INFO, "pam-systemd initializing");
+        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */
 
         if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
                 return PAM_SESSION_ERR;
@@ -258,12 +267,6 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         if (sd_booted() <= 0)
                 return PAM_SUCCESS;
 
-        if ((r = cg_init()) < 0) {
-                pam_syslog(handle, LOG_ERR, "libcgroup initialization failed: %s", strerror(-r));
-                r = PAM_SESSION_ERR;
-                goto finish;
-        }
-
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                 goto finish;
 
@@ -339,7 +342,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                 goto finish;
         }
 
-        if ((r = create_user_group(handle, buf, pw, true)) != PAM_SUCCESS)
+        pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);
+
+        if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
                 goto finish;
 
         r = PAM_SUCCESS;
@@ -354,44 +359,29 @@ finish:
 }
 
 static int session_remains(pam_handle_t *handle, const char *user_path) {
-        struct cgroup_file_info info;
-        int level = 0, r;
-        void *iterator = NULL;
+        int r;
         bool remains = false;
+        DIR *d;
+        char *subgroup;
 
-        zero(info);
-
-        r = cgroup_walk_tree_begin(SYSTEMD_CGROUP_CONTROLLER, user_path, 0, &iterator, &info, &level);
-        while (r == 0) {
-
-                if (info.type != CGROUP_FILE_TYPE_DIR)
-                        goto next;
-
-                if (streq(info.path, ""))
-                        goto next;
-
-                if (streq(info.path, "no-session"))
-                        goto next;
+        if ((r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, user_path, &d)) < 0)
+                return r;
 
-                remains = true;
-                break;
+        while ((r = cg_read_subgroup(d, &subgroup)) > 0) {
 
-        next:
+                remains = !streq(subgroup, "no-session");
+                free(subgroup);
 
-                r = cgroup_walk_tree_next(0, &iterator, &info, level);
+                if (remains)
+                        break;
         }
 
+        closedir(d);
 
-        if (remains)
-                r = 1;
-        else if (r == 0 || r == ECGEOF)
-                r = 0;
-        else
-                r = cg_translate_error(r, errno);
-
-        assert_se(cgroup_walk_tree_end(&iterator) == 0);
+        if (r < 0)
+                return r;
 
-        return r;
+        return !!remains;
 }
 
 _public_ PAM_EXTERN int pam_sm_close_session(
@@ -406,6 +396,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
         const char *id;
         struct passwd *pw;
+        const void *created = NULL;
 
         assert(handle);
 
@@ -425,12 +416,18 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                 goto finish;
         }
 
+        /* We are probably still in some session/no-session dir. Move ourselves out of the way as first step */
+        if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
+                pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));
+
         if (asprintf(&user_path, "/user/%s", username) < 0) {
                 r = PAM_BUF_ERR;
                 goto finish;
         }
 
-        if ((id = pam_getenv(handle, "XDG_SESSION_ID"))) {
+        pam_get_data(handle, "systemd.created", &created);
+
+        if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {
 
                 if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 ||
                     asprintf(&nosession_path, "/user/%s/no-session", username) < 0) {
@@ -439,28 +436,23 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                 }
 
                 if (kill_session)  {
-                        /* Kill processes in session cgroup */
-                        if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path)) < 0)
+                        pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
+
+                        /* Kill processes in session cgroup, and delete it */
+                        if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
                                 pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
+                } else {
+                        pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);
 
-                } else  {
                         /* Migrate processes from session to
                          * no-session cgroup. First, try to create the
                          * no-session group in case it doesn't exist
-                         * yet. */
-                        create_user_group(handle, nosession_path, pw, 0);
+                         * yet. Also, delete the session group. */
+                        create_user_group(handle, nosession_path, pw, false, false);
 
-                        if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false)) < 0)
+                        if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
                                 pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
                 }
-
-                /* Delete session cgroup */
-                if (r < 0)
-                        pam_syslog(handle, LOG_INFO, "Couldn't empty session cgroup, not deleting.");
-                else {
-                        if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, session_path)) < 0)
-                                pam_syslog(handle, LOG_ERR, "Failed to delete session cgroup: %s", strerror(-r));
-                }
         }
 
         /* GC user tree */
@@ -473,32 +465,33 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         if (kill_user && r == 0) {
 
                 /* Kill no-session cgroup */
-                if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
+                if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                         pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
         } else {
 
                 if ((r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                         pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));
 
-                /* If we managed to kill somebody, don't cleanup the cgroup. */
-                if (r == 0)
+                /* Remove user cgroup */
+                if (r > 0) {
+                        if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
+                                pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));
+
+                /* If we managed to find somebody, don't cleanup the cgroup. */
+                } else if (r == 0)
                         r = -EBUSY;
         }
 
         if (r >= 0) {
                 const char *runtime_dir;
 
-                /* Remove user cgroup */
-                if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
-                        pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));
-
-                /* This will migrate us to the /user cgroup. */
-
                 if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
                         if ((r = rm_rf(runtime_dir, false, true)) < 0)
                                 pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
         }
 
+        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */
+
         r = PAM_SUCCESS;
 
 finish: