pam: optionally keep processes of root user around

diff --git a/TODO b/TODO
index 61a8cfcdd13cb3023bdfd73a19111d98259a4416..48f4628abf38fbcba213810334227856450d1dea 100644 (file)
--- a/TODO
+++ b/TODO
@@ -4,8 +4,6 @@
 
 * figure out what happened to bluez patch
 
-* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0
-
 * introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot
 
 * Patch systemd-fsck to use -C and pass console fd to it

diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index cd806da93131987bcc6ddbd1408df1df124a9a03..eddd8e003f175d94c471a78993861bf5a9247744 100644 (file)
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -201,6 +201,20 @@
                                 logout.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>keep-root=</option></term>
+
+                                <listitem><para>Takes a boolean
+                                argument. If true, all processes
+                                created by the root user (UID 0) during his
+                                session and from his session will be
+                                kept around after he logged out. This
+                                option allows cancelling the effect of
+                                <option>kill-session=1</option> and
+                                <option>kill-user=1</option> for the
+                                root user.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>controllers=</option></term>
 
@@ -230,7 +244,8 @@
                 <para>If the options are omitted they default to
                 <option>create-session=1</option>,
                 <option>kill-session=0</option>,
-                <option>kill-user=0</option>.</para>
+                <option>kill-user=0</option>,
+                <option>keep-root=1</option>.</para>
         </refsect1>
 
         <refsect1>

diff --git a/src/pam-module.c b/src/pam-module.c
index 6fbaecf51d83543e3a1ce7c945435ae71e1b055e..52507a4cbdb94b0a0516be3e277450c7b36ccf1a 100644 (file)
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
                       bool *create_session,
                       bool *kill_session,
                       bool *kill_user,
+                      bool *keep_root,
                       char ***controllers) {
 
         unsigned i;
@@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
                         if (kill_user)
                                 *kill_user = k;
 
+                } else if (startswith(argv[i], "keep-root=")) {
+                        if ((k = parse_boolean(argv[i] + 10)) < 0) {
+                                pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
+                                return k;
+                        }
+
+                        if (keep_root)
+                                *keep_root = k;
+
                 } else if (startswith(argv[i], "controllers=")) {
 
                         if (controllers) {
@@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         if (sd_booted() <= 0)
                 return PAM_SUCCESS;
 
-        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
+        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
                 return PAM_SESSION_ERR;
 
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         const char *username = NULL;
         bool kill_session = false;
         bool kill_user = false;
+        bool keep_root = true;
         int lock_fd = -1, r;
         char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
         const char *id;
@@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
         if (sd_booted() <= 0)
                 return PAM_SUCCESS;
 
-        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
+        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
                 return PAM_SESSION_ERR;
 
         if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                         goto finish;
                 }
 
-                if (kill_session)  {
+                if (kill_session && (pw->pw_uid != 0 || !keep_root))  {
                         pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
 
                         /* Kill processes in session cgroup, and delete it */
@@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
                 pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
 
         /* Kill user processes not attached to any session */
-        if (kill_user && r == 0) {
+        if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
 
                 /* Kill user cgroup */
                 if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)