execute: invoke sigwait() in a loop when waiting for PAM parent, to avoid spurious...

[elogind.git] / src / execute.c
diff --git a/src/execute.c b/src/execute.c

index b00ccde4d55a47bfb73a80d5681df8e4dd1add31..c69442d0ffeeda1365db6ad07c71e300140c4dd1 100644 (file)
--- a/src/execute.c
+++ b/src/execute.c
@@ -817,9 +817,6 @@ static int setup_pam(
  
          close_session = true;
  
-        if ((pam_code = pam_setcred(handle, PAM_ESTABLISH_CRED | PAM_SILENT)) != PAM_SUCCESS)
-                goto fail;
-
          if ((!(e = pam_getenvlist(handle)))) {
                  pam_code = PAM_BUF_ERR;
                  goto fail;
@@ -846,7 +843,7 @@ static int setup_pam(
  
                  /* This string must fit in 10 chars (i.e. the length
                   * of "/sbin/init") */
-                rename_process("sd:pam");
+                rename_process("sd(PAM)");
  
                  /* Make sure we don't keep open the passed fds in this
                  child. We assume that otherwise only those fds are
@@ -864,13 +861,20 @@ static int setup_pam(
                  /* Check if our parent process might already have
                   * died? */
                  if (getppid() == parent_pid) {
-                        if (sigwait(&ss, &sig) < 0)
-                                goto child_finish;
+                        for (;;) {
+                                if (sigwait(&ss, &sig) < 0) {
+                                        if (errno == EINTR)
+                                                continue;
  
-                        assert(sig == SIGTERM);
+                                        goto child_finish;
+                                }
+
+                                assert(sig == SIGTERM);
+                                break;
+                        }
                  }
  
-                /* Only if our parent died we'll end the session */
+                /* If our parent died we'll end the session */
                  if (getppid() != parent_pid)
                          if ((pam_code = pam_close_session(handle, PAM_DATA_SILENT)) != PAM_SUCCESS)
                                  goto child_finish;
@@ -886,7 +890,7 @@ static int setup_pam(
           * cleanups, so forget about the handle here. */
          handle = NULL;
  
-        /* Unblock SIGSUR1 again in the parent */
+        /* Unblock SIGTERM again in the parent */
          if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0)
                  goto fail;
  
@@ -1246,16 +1250,14 @@ int exec_spawn(ExecCommand *command,
                                          r = EXIT_STDIN;
                                          goto fail_child;
                                  }
-                }
  
-#ifdef HAVE_PAM
-                if (context->pam_name && username) {
-                        if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
-                                r = EXIT_PAM;
-                                goto fail_child;
-                        }
+                        if (cgroup_bondings && context->control_group_modify)
+                                if (cgroup_bonding_set_group_access_list(cgroup_bondings, 0755, uid, gid) < 0 ||
+                                    cgroup_bonding_set_task_access_list(cgroup_bondings, 0644, uid, gid) < 0) {
+                                        r = EXIT_CGROUP;
+                                        goto fail_child;
+                                }
                  }
-#endif
  
                  if (apply_permissions)
                          if (enforce_groups(context, username, uid) < 0) {
@@ -1265,6 +1267,15 @@ int exec_spawn(ExecCommand *command,
  
                  umask(context->umask);
  
+#ifdef HAVE_PAM
+                if (context->pam_name && username) {
+                        if (setup_pam(context->pam_name, username, context->tty_path, &pam_env, fds, n_fds) < 0) {
+                                r = EXIT_PAM;
+                                goto fail_child;
+                        }
+                }
+#endif
+
                  if (strv_length(context->read_write_dirs) > 0 ||
                      strv_length(context->read_only_dirs) > 0 ||
                      strv_length(context->inaccessible_dirs) > 0 ||
@@ -1649,12 +1660,14 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                  "%sWorkingDirectory: %s\n"
                  "%sRootDirectory: %s\n"
                  "%sNonBlocking: %s\n"
-                "%sPrivateTmp: %s\n",
+                "%sPrivateTmp: %s\n"
+                "%sControlGroupModify: %s\n",
                  prefix, c->umask,
                  prefix, c->working_directory ? c->working_directory : "/",
                  prefix, c->root_directory ? c->root_directory : "/",
                  prefix, yes_no(c->non_blocking),
-                prefix, yes_no(c->private_tmp));
+                prefix, yes_no(c->private_tmp),
+                prefix, yes_no(c->control_group_modify));
  
          STRV_FOREACH(e, c->environment)
                  fprintf(f, "%sEnvironment: %s\n", prefix, *e);