From 3add4d215b30c746ee617d7412ee007ed3c87249 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 18 Jan 2011 23:07:06 +0100 Subject: [PATCH] pam: optionally keep processes of root user around --- TODO | 2 -- man/pam_systemd.xml | 17 ++++++++++++++++- src/pam-module.c | 19 +++++++++++++++---- 3 files changed, 31 insertions(+), 7 deletions(-) diff --git a/TODO b/TODO index 61a8cfcdd..48f4628ab 100644 --- a/TODO +++ b/TODO @@ -4,8 +4,6 @@ * figure out what happened to bluez patch -* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0 - * introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot * Patch systemd-fsck to use -C and pass console fd to it diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index cd806da93..eddd8e003 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -201,6 +201,20 @@ logout. + + + + Takes a boolean + argument. If true, all processes + created by the root user (UID 0) during his + session and from his session will be + kept around after he logged out. This + option allows cancelling the effect of + and + for the + root user. + + @@ -230,7 +244,8 @@ If the options are omitted they default to , , - . + , + . diff --git a/src/pam-module.c b/src/pam-module.c index 6fbaecf51..52507a4cb 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle, bool *create_session, bool *kill_session, bool *kill_user, + bool *keep_root, char ***controllers) { unsigned i; @@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle, if (kill_user) *kill_user = k; + } else if (startswith(argv[i], "keep-root=")) { + if ((k = parse_boolean(argv[i] + 10)) < 0) { + pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument."); + return k; + } + + if (keep_root) + *keep_root = k; + } else if (startswith(argv[i], "controllers=")) { if (controllers) { @@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( if (sd_booted() <= 0) return PAM_SUCCESS; - if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0) + if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0) return PAM_SESSION_ERR; if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) @@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( const char *username = NULL; bool kill_session = false; bool kill_user = false; + bool keep_root = true; int lock_fd = -1, r; char *session_path = NULL, *nosession_path = NULL, *user_path = NULL; const char *id; @@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( if (sd_booted() <= 0) return PAM_SUCCESS; - if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0) + if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0) return PAM_SESSION_ERR; if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) @@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( goto finish; } - if (kill_session) { + if (kill_session && (pw->pw_uid != 0 || !keep_root)) { pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username); /* Kill processes in session cgroup, and delete it */ @@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r)); /* Kill user processes not attached to any session */ - if (kill_user && r == 0) { + if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) { /* Kill user cgroup */ if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0) -- 2.30.2