const char *username = NULL;
struct passwd *pw = NULL;
+ uid_t uid;
int r;
- bool have_loginuid = false;
- char *s;
assert(handle);
assert(ret_username);
assert(ret_pw);
- if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) {
- /* Only use audit login uid if we are executed with
- * sufficient capabilities so that pam_loginuid could
- * do its job. If we are lacking the CAP_AUDIT_CONTROL
- * capabality we most likely are being run in a
- * container and /proc/self/loginuid is useless since
- * it probably contains a uid of the host system. */
-
- if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
- uint32_t u;
-
- r = safe_atou32(s, &u);
- free(s);
-
- if (r >= 0 && u != (uint32_t) -1 && u > 0) {
- have_loginuid = true;
- pw = pam_modutil_getpwuid(handle, u);
- }
- }
- }
-
- if (!have_loginuid) {
- if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
+ r = audit_loginuid_from_pid(0, &uid);
+ if (r >= 0)
+ pw = pam_modutil_getpwuid(handle, uid);
+ else {
+ r = pam_get_user(handle, &username, NULL);
+ if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to get user name.");
return r;
}
- if (!username || !*username) {
+ if (isempty(username)) {
pam_syslog(handle, LOG_ERR, "User name not valid.");
return PAM_AUTH_ERR;
}
}
STRV_FOREACH(l, kill_exclude_users) {
- uint32_t id;
+ uid_t u;
- if (safe_atou32(*l, &id) >= 0)
- if ((uid_t) id == uid)
+ if (parse_uid(*l, &u) >= 0)
+ if (u == uid)
return false;
if (name && streq(name, *l))
return true;
STRV_FOREACH(l, kill_only_users) {
- uint32_t id;
+ uid_t u;
- if (safe_atou32(*l, &id) >= 0)
- if ((uid_t) id == uid)
+ if (parse_uid(*l, &u) >= 0)
+ if (u == uid)
return true;
if (name && streq(name, *l))
if (sd_booted() <= 0)
return PAM_SUCCESS;
- /* Make sure we don't enter a loop by talking to
- * systemd-logind when it is actually waiting for the
- * background to finish start-up, */
- pam_get_item(handle, PAM_SERVICE, (const void**) &service);
- if (streq_ptr(service, "systemd-shared"))
- return PAM_SUCCESS;
-
if (parse_argv(handle,
argc, argv,
&controllers, &reset_controllers,
if (r != PAM_SUCCESS)
goto finish;
+ /* Make sure we don't enter a loop by talking to
+ * systemd-logind when it is actually waiting for the
+ * background to finish start-up. If the service is
+ * "systemd-shared" we simply set XDG_RUNTIME_DIR and
+ * leave. */
+
+ pam_get_item(handle, PAM_SERVICE, (const void**) &service);
+ if (streq_ptr(service, "systemd-shared")) {
+ char *p, *rt = NULL;
+
+ if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) {
+ r = PAM_BUF_ERR;
+ goto finish;
+ }
+
+ r = parse_env_file(p, NEWLINE,
+ "RUNTIME", &rt,
+ NULL);
+ free(p);
+
+ if (r < 0 && r != -ENOENT) {
+ r = PAM_SESSION_ERR;
+ free(rt);
+ goto finish;
+ }
+
+ if (rt) {
+ r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", rt, 0);
+ free(rt);
+
+ if (r != PAM_SUCCESS) {
+ pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
+ goto finish;
+ }
+ }
+
+ r = PAM_SUCCESS;
+ goto finish;
+ }
+
if (kill_processes)
kill_processes = check_user_lists(handle, pw->pw_uid, kill_only_users, kill_exclude_users);
pam_get_item(handle, PAM_TTY, (const void**) &tty);
pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
- seat = pam_getenv(handle, "LOGIN_SEAT");
- cvtnr = pam_getenv(handle, "LOGIN_VTNR");
+ seat = pam_getenv(handle, "XDG_SEAT");
+ cvtnr = pam_getenv(handle, "XDG_VTNR");
service = strempty(service);
tty = strempty(tty);
if (isempty(display))
display = tty;
tty = "";
+ } else if (streq(tty, "cron")) {
+ /* cron has been setting PAM_TTY to "cron" for a very long time
+ * and it cannot stop doing that for compatibility reasons. */
+ tty = "";
}
if (!isempty(cvtnr))
get_seat_from_display(display, &seat, &vtnr);
type = !isempty(display) ? "x11" :
- !isempty(tty) ? "tty" : "other";
+ !isempty(tty) ? "tty" : "unspecified";
remote = !isempty(remote_host) && !streq(remote_host, "localhost") && !streq(remote_host, "localhost.localdomain");
goto finish;
}
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Asking logind to create session: "
+ "uid=%u pid=%u service=%s type=%s seat=%s vtnr=%u tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
+ uid, pid, service, type, seat, vtnr, tty, display, yes_no(remote), remote_user, remote_host);
+
reply = dbus_connection_send_with_reply_and_block(bus, m, -1, &error);
if (!reply) {
pam_syslog(handle, LOG_ERR, "Failed to create session: %s", bus_error_message(&error));
DBUS_TYPE_OBJECT_PATH, &object_path,
DBUS_TYPE_STRING, &runtime_path,
DBUS_TYPE_UNIX_FD, &session_fd,
+ DBUS_TYPE_STRING, &seat,
+ DBUS_TYPE_UINT32, &vtnr,
DBUS_TYPE_INVALID)) {
pam_syslog(handle, LOG_ERR, "Failed to parse message: %s", bus_error_message(&error));
r = PAM_SESSION_ERR;
goto finish;
}
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Reply from logind: "
+ "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u",
+ id, object_path, runtime_path, session_fd, seat, vtnr);
+
r = pam_misc_setenv(handle, "XDG_SESSION_ID", id, 0);
if (r != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to set session id.");
goto finish;
}
+ if (!isempty(seat)) {
+ r = pam_misc_setenv(handle, "XDG_SEAT", seat, 0);
+ if (r != PAM_SUCCESS) {
+ pam_syslog(handle, LOG_ERR, "Failed to set seat.");
+ goto finish;
+ }
+ }
+
+ if (vtnr > 0) {
+ char buf[11];
+ snprintf(buf, sizeof(buf), "%u", vtnr);
+ char_array_0(buf);
+
+ r = pam_misc_setenv(handle, "XDG_VTNR", buf, 0);
+ if (r != PAM_SUCCESS) {
+ pam_syslog(handle, LOG_ERR, "Failed to set virtual terminal number.");
+ goto finish;
+ }
+ }
+
if (session_fd >= 0) {
r = pam_set_data(handle, "systemd.session-fd", INT_TO_PTR(session_fd+1), NULL);
if (r != PAM_SUCCESS) {