X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fpam-module.c;h=78f9b30d5bffa8db425508cf5360570571d72374;hp=90da898ff84d50bff3dfc031cdba534492489ea1;hb=1e2579fdeb7608719cb28da0b5061f48ba0efc34;hpb=25d934917d3dd2ab10e8acc9a6bacd8c7f2f1067 diff --git a/src/pam-module.c b/src/pam-module.c index 90da898ff..78f9b30d5 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -57,9 +57,9 @@ static int parse_argv(pam_handle_t *handle, for (i = 0; i < (unsigned) argc; i++) { int k; - if (startswith(argv[i], "kill-processes=")) { - if ((k = parse_boolean(argv[i] + 15)) < 0) { - pam_syslog(handle, LOG_ERR, "Failed to parse kill-processes= argument."); + if (startswith(argv[i], "kill-session-processes=")) { + if ((k = parse_boolean(argv[i] + 23)) < 0) { + pam_syslog(handle, LOG_ERR, "Failed to parse kill-session-processes= argument."); return k; } @@ -163,42 +163,24 @@ static int get_user_data( const char *username = NULL; struct passwd *pw = NULL; + uid_t uid; int r; - bool have_loginuid = false; - char *s; assert(handle); assert(ret_username); assert(ret_pw); - if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) { - /* Only use audit login uid if we are executed with - * sufficient capabilities so that pam_loginuid could - * do its job. If we are lacking the CAP_AUDIT_CONTROL - * capabality we most likely are being run in a - * container and /proc/self/loginuid is useless since - * it probably contains a uid of the host system. */ - - if (read_one_line_file("/proc/self/loginuid", &s) >= 0) { - uint32_t u; - - r = safe_atou32(s, &u); - free(s); - - if (r >= 0 && u != (uint32_t) -1 && u > 0) { - have_loginuid = true; - pw = pam_modutil_getpwuid(handle, u); - } - } - } - - if (!have_loginuid) { - if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) { + r = audit_loginuid_from_pid(0, &uid); + if (r >= 0) + pw = pam_modutil_getpwuid(handle, uid); + else { + r = pam_get_user(handle, &username, NULL); + if (r != PAM_SUCCESS) { pam_syslog(handle, LOG_ERR, "Failed to get user name."); return r; } - if (!username || !*username) { + if (isempty(username)) { pam_syslog(handle, LOG_ERR, "User name not valid."); return PAM_AUTH_ERR; } @@ -239,10 +221,10 @@ static bool check_user_lists( } STRV_FOREACH(l, kill_exclude_users) { - uint32_t id; + uid_t u; - if (safe_atou32(*l, &id) >= 0) - if ((uid_t) id == uid) + if (parse_uid(*l, &u) >= 0) + if (u == uid) return false; if (name && streq(name, *l)) @@ -253,10 +235,10 @@ static bool check_user_lists( return true; STRV_FOREACH(l, kill_only_users) { - uint32_t id; + uid_t u; - if (safe_atou32(*l, &id) >= 0) - if ((uid_t) id == uid) + if (parse_uid(*l, &u) >= 0) + if (u == uid) return true; if (name && streq(name, *l)) @@ -374,6 +356,46 @@ _public_ PAM_EXTERN int pam_sm_open_session( if (r != PAM_SUCCESS) goto finish; + /* Make sure we don't enter a loop by talking to + * systemd-logind when it is actually waiting for the + * background to finish start-up. If the service is + * "systemd-shared" we simply set XDG_RUNTIME_DIR and + * leave. */ + + pam_get_item(handle, PAM_SERVICE, (const void**) &service); + if (streq_ptr(service, "systemd-shared")) { + char *p, *rt = NULL; + + if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) { + r = PAM_BUF_ERR; + goto finish; + } + + r = parse_env_file(p, NEWLINE, + "RUNTIME", &rt, + NULL); + free(p); + + if (r < 0 && r != -ENOENT) { + r = PAM_SESSION_ERR; + free(rt); + goto finish; + } + + if (rt) { + r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", rt, 0); + free(rt); + + if (r != PAM_SUCCESS) { + pam_syslog(handle, LOG_ERR, "Failed to set runtime dir."); + goto finish; + } + } + + r = PAM_SUCCESS; + goto finish; + } + if (kill_processes) kill_processes = check_user_lists(handle, pw->pw_uid, kill_only_users, kill_exclude_users); @@ -401,13 +423,12 @@ _public_ PAM_EXTERN int pam_sm_open_session( uid = pw->pw_uid; pid = getpid(); - pam_get_item(handle, PAM_SERVICE, (const void**) &service); pam_get_item(handle, PAM_XDISPLAY, (const void**) &display); pam_get_item(handle, PAM_TTY, (const void**) &tty); pam_get_item(handle, PAM_RUSER, (const void**) &remote_user); pam_get_item(handle, PAM_RHOST, (const void**) &remote_host); - seat = pam_getenv(handle, "LOGIN_SEAT"); - cvtnr = pam_getenv(handle, "LOGIN_VTNR"); + seat = pam_getenv(handle, "XDG_SEAT"); + cvtnr = pam_getenv(handle, "XDG_VTNR"); service = strempty(service); tty = strempty(tty); @@ -490,6 +511,8 @@ _public_ PAM_EXTERN int pam_sm_open_session( DBUS_TYPE_OBJECT_PATH, &object_path, DBUS_TYPE_STRING, &runtime_path, DBUS_TYPE_UNIX_FD, &session_fd, + DBUS_TYPE_STRING, &seat, + DBUS_TYPE_UINT32, &vtnr, DBUS_TYPE_INVALID)) { pam_syslog(handle, LOG_ERR, "Failed to parse message: %s", bus_error_message(&error)); r = PAM_SESSION_ERR; @@ -508,6 +531,26 @@ _public_ PAM_EXTERN int pam_sm_open_session( goto finish; } + if (!isempty(seat)) { + r = pam_misc_setenv(handle, "XDG_SEAT", seat, 0); + if (r != PAM_SUCCESS) { + pam_syslog(handle, LOG_ERR, "Failed to set seat."); + goto finish; + } + } + + if (vtnr > 0) { + char buf[11]; + snprintf(buf, sizeof(buf), "%u", vtnr); + char_array_0(buf); + + r = pam_misc_setenv(handle, "XDG_VTNR", buf, 0); + if (r != PAM_SUCCESS) { + pam_syslog(handle, LOG_ERR, "Failed to set virtual terminal number."); + goto finish; + } + } + if (session_fd >= 0) { r = pam_set_data(handle, "systemd.session-fd", INT_TO_PTR(session_fd+1), NULL); if (r != PAM_SUCCESS) {