src/pam-module.c

   1 /*-*- Mode: C; c-basic-offset: 8 -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2010 Lennart Poettering
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU General Public License as published by
  10   the Free Software Foundation; either version 2 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   General Public License for more details.
  17
  18   You should have received a copy of the GNU General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include <errno.h>
  23 #include <fcntl.h>
  24 #include <sys/file.h>
  25 #include <pwd.h>
  26
  27 #include <security/pam_modules.h>
  28 #include <security/_pam_macros.h>
  29 #include <security/pam_modutil.h>
  30 #include <security/pam_ext.h>
  31 #include <security/pam_misc.h>
  32
  33 #include <libcgroup.h>
  34
  35 #include "util.h"
  36 #include "cgroup-util.h"
  37 #include "macro.h"
  38 #include "sd-daemon.h"
  39
  40 static int parse_argv(pam_handle_t *handle,
  41                       int argc, const char **argv,
  42                       bool *create_session,
  43                       bool *kill_session,
  44                       bool *kill_user) {
  45
  46         unsigned i;
  47
  48         assert(argc >= 0);
  49         assert(argc == 0 || argv);
  50
  51         for (i = 0; i < (unsigned) argc; i++) {
  52                 int k;
  53
  54                 if (startswith(argv[i], "create-session=")) {
  55                         if ((k = parse_boolean(argv[i] + 15)) < 0) {
  56                                 pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument.");
  57                                 return k;
  58                         }
  59
  60                         if (create_session)
  61                                 *create_session = k;
  62                 } else if (startswith(argv[i], "kill-session=")) {
  63                         if ((k = parse_boolean(argv[i] + 13)) < 0) {
  64                                 pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument.");
  65                                 return k;
  66                         }
  67
  68                         if (kill_session)
  69                                 *kill_session = k;
  70
  71                 } else if (startswith(argv[i], "kill-user=")) {
  72                         if ((k = parse_boolean(argv[i] + 10)) < 0) {
  73                                 pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument.");
  74                                 return k;
  75                         }
  76
  77                         if (kill_user)
  78                                 *kill_user = k;
  79                 } else {
  80                         pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]);
  81                         return -EINVAL;
  82                 }
  83         }
  84
  85         if (kill_session && *kill_session && kill_user)
  86                 *kill_user = true;
  87
  88         return 0;
  89 }
  90
  91 static int open_file_and_lock(const char *fn) {
  92         int fd;
  93
  94         assert(fn);
  95
  96         if ((fd = open(fn, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_CREAT, 0600)) < 0)
  97                 return -errno;
  98
  99         if (flock(fd, LOCK_EX) < 0)
 100                 return -errno;
 101
 102         return fd;
 103 }
 104
 105 static uint32_t combine32(unsigned long long u) {
 106         uint32_t r = 0;
 107         unsigned i;
 108
 109         for (i = 0; i < sizeof(u)/4; i ++)
 110                 r ^= (uint32_t) ((u >> (i*32)) & 0xFFFFFFFFULL);
 111
 112         return r;
 113 }
 114
 115 static char *generate_session_cookie(void) {
 116         char *machine;
 117         char *cookie;
 118         unsigned long long r;
 119         usec_t u;
 120         int k;
 121
 122         if (getmachineid_malloc(&machine) < 0)
 123                 if (!(machine = gethostname_malloc()))
 124                         return NULL;
 125
 126         r = random_ull();
 127         u = now(CLOCK_REALTIME);
 128
 129         k = asprintf(&cookie, "%s-%lu-%lu",
 130                      machine,
 131                      (unsigned long) combine32(r),
 132                      (unsigned long) combine32((unsigned long long) u));
 133         free(machine);
 134
 135         return k < 0 ? NULL : cookie;
 136 }
 137
 138 static int get_user_data(
 139                 pam_handle_t *handle,
 140                 const char **ret_username,
 141                 struct passwd **ret_pw) {
 142
 143         const char *username;
 144         struct passwd *pw;
 145         int r;
 146
 147         assert(handle);
 148         assert(ret_username);
 149         assert(ret_pw);
 150
 151         if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
 152                 pam_syslog(handle, LOG_ERR, "Failed to get user name.");
 153                 return r;
 154         }
 155
 156         if (!username || !*username) {
 157                 pam_syslog(handle, LOG_ERR, "User name not valid.");
 158                 return PAM_AUTH_ERR;
 159         }
 160
 161         if (!(pw = pam_modutil_getpwnam(handle, username))) {
 162                 pam_syslog(handle, LOG_ERR, "Failed to get user data.");
 163                 return PAM_USER_UNKNOWN;
 164         }
 165
 166         *ret_pw = pw;
 167         *ret_username = username;
 168
 169         return PAM_SUCCESS;
 170 }
 171
 172 static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach) {
 173         int r;
 174
 175         assert(handle);
 176         assert(group);
 177
 178         if (attach)
 179                 r = cg_create_and_attach("name=systemd", group, 0);
 180         else
 181                 r = cg_create("name=systemd", group);
 182
 183         if (r < 0) {
 184                 pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r));
 185                 return PAM_SESSION_ERR;
 186         }
 187
 188         if ((r = cg_set_task_access("name=systemd", group, 0755, pw->pw_uid, pw->pw_gid)) < 0 ||
 189             (r = cg_set_group_access("name=systemd", group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
 190                 pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
 191                 return PAM_SESSION_ERR;
 192         }
 193
 194         return PAM_SUCCESS;
 195 }
 196
 197 _public_ PAM_EXTERN int pam_sm_open_session(
 198                 pam_handle_t *handle,
 199                 int flags,
 200                 int argc, const char **argv) {
 201
 202         const char *username = NULL;
 203         struct passwd *pw;
 204         int r;
 205         char *buf = NULL;
 206         int lock_fd = -1;
 207         bool create_session = true;
 208
 209         assert(handle);
 210
 211         pam_syslog(handle, LOG_INFO, "pam-systemd initializing");
 212
 213         if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
 214                 return PAM_SESSION_ERR;
 215
 216         /* Make this a NOP on non-systemd systems */
 217         if (sd_booted() <= 0)
 218                 return PAM_SUCCESS;
 219
 220         if ((r = cgroup_init()) != 0) {
 221                 pam_syslog(handle, LOG_ERR, "libcgroup initialization failed: %s", cgroup_strerror(r));
 222                 r = PAM_SESSION_ERR;
 223                 goto finish;
 224         }
 225
 226         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
 227                 goto finish;
 228
 229         if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
 230                 pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
 231                 r = PAM_SYSTEM_ERR;
 232                 goto finish;
 233         }
 234
 235         if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
 236                 pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
 237                 r = PAM_SYSTEM_ERR;
 238                 goto finish;
 239         }
 240
 241         /* Create /var/run/$USER */
 242         free(buf);
 243         if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
 244                 r = PAM_BUF_ERR;
 245                 goto finish;
 246         }
 247
 248         if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) {
 249                 pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m");
 250                 r = PAM_SYSTEM_ERR;
 251                 goto finish;
 252         } else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) {
 253                 pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
 254                 goto finish;
 255         }
 256
 257         free(buf);
 258         buf = NULL;
 259
 260         if (create_session) {
 261                 const char *cookie;
 262
 263                 /* Reuse or create XDG session ID */
 264                 if (!(cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) {
 265                         if (!(buf = generate_session_cookie())) {
 266                                 r = PAM_BUF_ERR;
 267                                 goto finish;
 268                         }
 269
 270                         if ((r = pam_misc_setenv(handle, "XDG_SESSION_COOKIE", buf, 0)) != PAM_SUCCESS) {
 271                                 pam_syslog(handle, LOG_ERR, "Failed to set cookie.");
 272                                 goto finish;
 273                         }
 274
 275                         if (!(cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) {
 276                                 pam_syslog(handle, LOG_ERR, "Failed to get cookie.");
 277                                 r = PAM_SESSION_ERR;
 278                                 goto finish;
 279                         }
 280                 }
 281
 282                 r = asprintf(&buf, "/user/%s/%s", username, cookie);
 283         } else
 284                 r = asprintf(&buf, "/user/%s/no-session", username);
 285
 286         if (r < 0) {
 287                 r = PAM_BUF_ERR;
 288                 goto finish;
 289         }
 290
 291         if ((r = create_user_group(handle, buf, pw, true)) != PAM_SUCCESS)
 292                 goto finish;
 293
 294         r = PAM_SUCCESS;
 295
 296 finish:
 297         free(buf);
 298
 299         if (lock_fd >= 0)
 300                 close_nointr_nofail(lock_fd);
 301
 302         return r;
 303 }
 304
 305 static int session_remains(pam_handle_t *handle, const char *user_path) {
 306         struct cgroup_file_info info;
 307         int level = 0, r;
 308         void *iterator = NULL;
 309         bool remains = false;
 310
 311         zero(info);
 312
 313         r = cgroup_walk_tree_begin("name=systemd", user_path, 0, &iterator, &info, &level);
 314         while (r == 0) {
 315
 316                 if (info.type != CGROUP_FILE_TYPE_DIR)
 317                         goto next;
 318
 319                 if (streq(info.path, ""))
 320                         goto next;
 321
 322                 if (streq(info.path, "no-session"))
 323                         goto next;
 324
 325                 remains = true;
 326                 break;
 327
 328         next:
 329
 330                 r = cgroup_walk_tree_next(0, &iterator, &info, level);
 331         }
 332
 333
 334         if (remains)
 335                 r = 1;
 336         else if (r == 0 || r == ECGEOF)
 337                 r = 0;
 338         else
 339                 r = cg_translate_error(r, errno);
 340
 341         assert_se(cgroup_walk_tree_end(&iterator) == 0);
 342
 343         return r;
 344 }
 345
 346 _public_ PAM_EXTERN int pam_sm_close_session(
 347                 pam_handle_t *handle,
 348                 int flags,
 349                 int argc, const char **argv) {
 350
 351         const char *username = NULL;
 352         bool kill_session = false;
 353         bool kill_user = false;
 354         int lock_fd = -1, r;
 355         char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
 356         const char *cookie;
 357         struct passwd *pw;
 358
 359         assert(handle);
 360
 361         if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0)
 362                 return PAM_SESSION_ERR;
 363
 364         /* Make this a NOP on non-systemd systems */
 365         if (sd_booted() <= 0)
 366                 return PAM_SUCCESS;
 367
 368         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
 369                 goto finish;
 370
 371         if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
 372                 pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
 373                 r = PAM_SYSTEM_ERR;
 374                 goto finish;
 375         }
 376
 377         if (asprintf(&user_path, "/user/%s", username) < 0) {
 378                 r = PAM_BUF_ERR;
 379                 goto finish;
 380         }
 381
 382         if ((cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) {
 383
 384                 if (asprintf(&session_path, "/user/%s/%s", username, cookie) < 0 ||
 385                     asprintf(&nosession_path, "/user/%s/no-session", username) < 0) {
 386                         r = PAM_BUF_ERR;
 387                         goto finish;
 388                 }
 389
 390                 if (kill_session)  {
 391                         pam_syslog(handle, LOG_INFO, "KILLING ENTER");
 392
 393                         /* Kill processes in session cgroup */
 394                         if ((r = cg_kill_recursive_and_wait("name=systemd", session_path)) < 0)
 395                                 pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
 396
 397                         pam_syslog(handle, LOG_INFO, "KILLING EXIT");
 398
 399                 } else  {
 400                         /* Migrate processes from session to
 401                          * no-session cgroup. First, try to create the
 402                          * no-session group in case it doesn't exist
 403                          * yet. */
 404                         create_user_group(handle, nosession_path, pw, 0);
 405
 406                         if ((r = cg_migrate_recursive("name=systemd", session_path, nosession_path, false)) < 0)
 407                                 pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
 408                 }
 409
 410                 /* Delete session cgroup */
 411                 if (r < 0)
 412                         pam_syslog(handle, LOG_INFO, "Couldn't empty session cgroup, not deleting.");
 413                 else {
 414                         if ((r = cg_delete("name=systemd", session_path)) < 0)
 415                                 pam_syslog(handle, LOG_ERR, "Failed to delete session cgroup: %s", strerror(-r));
 416                 }
 417         }
 418
 419         /* GC user tree */
 420         cg_trim("name=systemd", user_path, false);
 421
 422         if ((r = session_remains(handle, user_path)) < 0)
 423                 pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
 424
 425         /* Kill user processes not attached to any session */
 426         if (kill_user && r == 0) {
 427
 428                 /* Kill no-session cgroup */
 429                 if ((r = cg_kill_recursive_and_wait("name=systemd", user_path)) < 0)
 430                         pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
 431         } else {
 432
 433                 if ((r = cg_is_empty_recursive("name=systemd", user_path, true)) < 0)
 434                         pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));
 435
 436                 /* If we managed to kill somebody, don't cleanup the cgroup. */
 437                 if (r == 0)
 438                         r = -EBUSY;
 439         }
 440
 441         if (r >= 0) {
 442                 const char *runtime_dir;
 443
 444                 /* Remove user cgroup */
 445                 if ((r = cg_delete("name=systemd", user_path)) < 0)
 446                         pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));
 447
 448                 /* This will migrate us to the /user cgroup. */
 449
 450                 if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
 451                         if ((r = rm_rf(runtime_dir, false, true)) < 0)
 452                                 pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
 453         }
 454
 455         r = PAM_SUCCESS;
 456
 457 finish:
 458         if (lock_fd >= 0)
 459                 close_nointr_nofail(lock_fd);
 460
 461         free(session_path);
 462         free(nosession_path);
 463         free(user_path);
 464
 465         return r;
 466 }