2017-11-18 17:09:20 +01:00
|
|
|
/* SPDX-License-Identifier: LGPL-2.1+ */
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2015-10-24 23:30:40 +02:00
|
|
|
#include <endian.h>
|
2010-06-21 23:27:18 +02:00
|
|
|
#include <errno.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <pwd.h>
|
|
|
|
|
#include <security/_pam_macros.h>
|
|
|
|
|
#include <security/pam_ext.h>
|
|
|
|
|
#include <security/pam_misc.h>
|
2015-10-24 23:30:40 +02:00
|
|
|
#include <security/pam_modules.h>
|
|
|
|
|
#include <security/pam_modutil.h>
|
|
|
|
|
#include <sys/file.h>
|
2019-03-27 11:32:41 +01:00
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <unistd.h>
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2015-10-27 03:01:06 +01:00
|
|
|
#include "alloc-util.h"
|
2015-10-26 23:32:16 +01:00
|
|
|
#include "audit-util.h"
|
2015-10-24 23:30:40 +02:00
|
|
|
#include "bus-common-errors.h"
|
|
|
|
|
#include "bus-error.h"
|
2019-03-14 12:43:53 +01:00
|
|
|
#include "bus-internal.h"
|
2013-11-05 06:01:12 +01:00
|
|
|
#include "bus-util.h"
|
2018-07-20 11:35:57 +02:00
|
|
|
#include "cgroup-util.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "fd-util.h"
|
2013-02-14 12:26:13 +01:00
|
|
|
#include "fileio.h"
|
2016-11-07 16:14:59 +01:00
|
|
|
#include "format-util.h"
|
2015-05-18 17:10:07 +02:00
|
|
|
#include "hostname-util.h"
|
2015-10-24 23:30:40 +02:00
|
|
|
#include "login-util.h"
|
|
|
|
|
#include "macro.h"
|
2015-10-26 16:18:16 +01:00
|
|
|
#include "parse-util.h"
|
2018-07-20 11:35:57 +02:00
|
|
|
#include "path-util.h"
|
2017-07-20 16:19:18 +02:00
|
|
|
#include "process-util.h"
|
2015-10-24 23:30:40 +02:00
|
|
|
#include "socket-util.h"
|
2019-01-10 09:53:34 +01:00
|
|
|
#include "stdio-util.h"
|
2015-10-24 23:30:40 +02:00
|
|
|
#include "strv.h"
|
|
|
|
|
#include "terminal-util.h"
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
static int parse_argv(
|
|
|
|
|
pam_handle_t *handle,
|
|
|
|
|
int argc, const char **argv,
|
|
|
|
|
const char **class,
|
2014-02-05 18:55:18 +01:00
|
|
|
const char **type,
|
2018-07-20 11:01:18 +02:00
|
|
|
const char **desktop,
|
2013-11-26 05:05:00 +01:00
|
|
|
bool *debug) {
|
2010-06-21 23:27:18 +02:00
|
|
|
|
|
|
|
|
unsigned i;
|
|
|
|
|
|
|
|
|
|
assert(argc >= 0);
|
|
|
|
|
assert(argc == 0 || argv);
|
|
|
|
|
|
2014-02-05 18:55:18 +01:00
|
|
|
for (i = 0; i < (unsigned) argc; i++) {
|
2013-07-02 01:46:30 +02:00
|
|
|
if (startswith(argv[i], "class=")) {
|
2012-12-24 14:25:58 +01:00
|
|
|
if (class)
|
|
|
|
|
*class = argv[i] + 6;
|
|
|
|
|
|
2014-02-05 18:55:18 +01:00
|
|
|
} else if (startswith(argv[i], "type=")) {
|
|
|
|
|
if (type)
|
|
|
|
|
*type = argv[i] + 5;
|
|
|
|
|
|
2018-07-20 11:01:18 +02:00
|
|
|
} else if (startswith(argv[i], "desktop=")) {
|
|
|
|
|
if (desktop)
|
|
|
|
|
*desktop = argv[i] + 8;
|
|
|
|
|
|
2013-10-31 05:58:25 +01:00
|
|
|
} else if (streq(argv[i], "debug")) {
|
|
|
|
|
if (debug)
|
|
|
|
|
*debug = true;
|
2013-07-02 01:46:30 +02:00
|
|
|
|
2013-10-31 05:58:25 +01:00
|
|
|
} else if (startswith(argv[i], "debug=")) {
|
|
|
|
|
int k;
|
2011-05-27 01:29:34 +02:00
|
|
|
|
2013-10-31 05:58:25 +01:00
|
|
|
k = parse_boolean(argv[i] + 6);
|
|
|
|
|
if (k < 0)
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring.");
|
|
|
|
|
else if (debug)
|
2011-05-27 01:29:34 +02:00
|
|
|
*debug = k;
|
|
|
|
|
|
2013-10-31 05:58:25 +01:00
|
|
|
} else
|
2013-07-02 01:46:30 +02:00
|
|
|
pam_syslog(handle, LOG_WARNING, "Unknown parameter '%s', ignoring", argv[i]);
|
2014-02-05 18:55:18 +01:00
|
|
|
}
|
2010-06-21 23:27:18 +02:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int get_user_data(
|
|
|
|
|
pam_handle_t *handle,
|
|
|
|
|
const char **ret_username,
|
|
|
|
|
struct passwd **ret_pw) {
|
|
|
|
|
|
2010-11-16 00:10:57 +01:00
|
|
|
const char *username = NULL;
|
|
|
|
|
struct passwd *pw = NULL;
|
2010-06-21 23:27:18 +02:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(handle);
|
|
|
|
|
assert(ret_username);
|
|
|
|
|
assert(ret_pw);
|
|
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
r = pam_get_user(handle, &username, NULL);
|
|
|
|
|
if (r != PAM_SUCCESS) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to get user name.");
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2010-11-16 00:10:57 +01:00
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
if (isempty(username)) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "User name not valid.");
|
|
|
|
|
return PAM_AUTH_ERR;
|
2010-06-21 23:27:18 +02:00
|
|
|
}
|
|
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
pw = pam_modutil_getpwnam(handle, username);
|
2010-11-16 00:10:57 +01:00
|
|
|
if (!pw) {
|
2010-06-21 23:27:18 +02:00
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to get user data.");
|
|
|
|
|
return PAM_USER_UNKNOWN;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*ret_pw = pw;
|
2014-11-15 23:43:09 +01:00
|
|
|
*ret_username = username;
|
2010-06-21 23:27:18 +02:00
|
|
|
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-14 12:27:52 +01:00
|
|
|
static bool display_is_local(const char *display) {
|
|
|
|
|
assert(display);
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
display[0] == ':' &&
|
|
|
|
|
display[1] >= '0' &&
|
|
|
|
|
display[1] <= '9';
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-20 11:36:10 +02:00
|
|
|
static int socket_from_display(const char *display, char **path) {
|
|
|
|
|
size_t k;
|
|
|
|
|
char *f, *c;
|
|
|
|
|
|
|
|
|
|
assert(display);
|
|
|
|
|
assert(path);
|
|
|
|
|
|
|
|
|
|
if (!display_is_local(display))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
k = strspn(display+1, "0123456789");
|
|
|
|
|
|
|
|
|
|
f = new(char, STRLEN("/tmp/.X11-unix/X") + k + 1);
|
|
|
|
|
if (!f)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
c = stpcpy(f, "/tmp/.X11-unix/X");
|
|
|
|
|
memcpy(c, display+1, k);
|
|
|
|
|
c[k] = 0;
|
|
|
|
|
|
|
|
|
|
*path = f;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-27 22:44:12 +02:00
|
|
|
static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
|
2018-10-15 13:58:31 +02:00
|
|
|
union sockaddr_union sa = {};
|
2013-11-26 05:05:00 +01:00
|
|
|
_cleanup_free_ char *p = NULL, *tty = NULL;
|
|
|
|
|
_cleanup_close_ int fd = -1;
|
2011-06-27 22:44:12 +02:00
|
|
|
struct ucred ucred;
|
2018-10-15 13:58:31 +02:00
|
|
|
int v, r, salen;
|
2011-06-27 22:44:12 +02:00
|
|
|
|
|
|
|
|
assert(display);
|
|
|
|
|
assert(vtnr);
|
|
|
|
|
|
|
|
|
|
/* We deduce the X11 socket from the display name, then use
|
|
|
|
|
* SO_PEERCRED to determine the X11 server process, ask for
|
|
|
|
|
* the controlling tty of that and if it's a VC then we know
|
|
|
|
|
* the seat and the virtual terminal. Sounds ugly, is only
|
|
|
|
|
* semi-ugly. */
|
|
|
|
|
|
|
|
|
|
r = socket_from_display(display, &p);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
2018-10-15 13:58:31 +02:00
|
|
|
salen = sockaddr_un_set_path(&sa.un, p);
|
|
|
|
|
if (salen < 0)
|
|
|
|
|
return salen;
|
2011-06-27 22:44:12 +02:00
|
|
|
|
|
|
|
|
fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
|
2013-03-25 00:59:00 +01:00
|
|
|
if (fd < 0)
|
2011-06-27 22:44:12 +02:00
|
|
|
return -errno;
|
|
|
|
|
|
2018-10-15 13:58:31 +02:00
|
|
|
if (connect(fd, &sa.sa, salen) < 0)
|
2011-06-27 22:44:12 +02:00
|
|
|
return -errno;
|
|
|
|
|
|
2013-12-24 15:53:04 +01:00
|
|
|
r = getpeercred(fd, &ucred);
|
2011-06-27 22:44:12 +02:00
|
|
|
if (r < 0)
|
2013-12-24 15:53:04 +01:00
|
|
|
return r;
|
2011-06-27 22:44:12 +02:00
|
|
|
|
|
|
|
|
r = get_ctty(ucred.pid, NULL, &tty);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
v = vtnr_from_tty(tty);
|
|
|
|
|
if (v < 0)
|
|
|
|
|
return v;
|
|
|
|
|
else if (v == 0)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
2012-01-13 20:51:58 +01:00
|
|
|
if (seat)
|
|
|
|
|
*seat = "seat0";
|
2011-06-27 22:44:12 +02:00
|
|
|
*vtnr = (uint32_t) v;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-04 11:19:10 +01:00
|
|
|
static int export_legacy_dbus_address(
|
|
|
|
|
pam_handle_t *handle,
|
|
|
|
|
uid_t uid,
|
|
|
|
|
const char *runtime) {
|
|
|
|
|
|
Revert "pam_systemd: set $DBUS_SESSION_BUS_ADDRESS unconditionally"
This reverts commit 69bd76f2b90cd00c1596b2e2c05845a4d9596fd2.
$DBUS_SESSION_BUS_ADDRESS is again set only if the socket exists.
Quoting https://github.com/systemd/systemd/pull/11327#issuecomment-452019027:
> [setting $DBUS_SESSION_BUS_ADDRESS unconditionally] makes pam_systemd
> incompatible with installations and distributions where dbus was not
> configured with --enable-user-session, and the session dbus-daemon is started
> by autolaunching or dbus-launch (as opposed to dbus.socket). I don't think
> that's wise: using autolaunching or dbus-launch, and disabling or not
> installing dbus.socket and dbus.service on the systemd user instance, is our
> compatibility story for people who still need a D-Bus session bus per X11
> session for whatever reason.
>
> For example, Debian can currently do either way, with a dbus-user-session
> package strongly recommended but not actually mandatory. dbus-user-session
> requires libpam-systemd; if pam_systemd now requires dbus.socket (which is in
> the dbus-user-session package), that's a circular dependency, which we
> normally try hard to avoid.
For systems that use dbus.socket this doesn't matter much, because the
user session is ordered after the user managaer, which pulls in dbus.socket
very early. For example, when logging over ssh:
sshd[20796]: pam_systemd(sshd:session): pam-systemd initializing
sshd[20796]: pam_systemd(sshd:session): Asking logind to create session: uid=1001 pid=20796 service=sshd type=tty class=user desktop= seat= vtnr=0 tty= display= remote=yes remote_user= remote_host=::1
sshd[20796]: pam_systemd(sshd:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a
systemd[1]: Created slice User Slice of UID 1001.
systemd[1]: Starting User Runtime Directory /run/user/1001...
systemd-logind[1210]: New session 3796 of user guest.
systemd[1]: Started User Runtime Directory /run/user/1001.
systemd[1]: Starting User Manager for UID 1001...
systemd[20805]: pam_systemd(systemd-user:session): pam-systemd initializing
systemd[20805]: Starting D-Bus User Message Bus Socket.
...
systemd[20805]: Reached target Sockets.
systemd[20805]: Reached target Basic System.
systemd[1]: Started User Manager for UID 1001.
systemd[1]: Started Session 3796 of user guest.
sshd[20796]: pam_systemd(sshd:session): Reply from logind: id=3796 object_path=/org/freedesktop/login1/session/_33796 runtime_path=/run/user/1001 session_fd=13 seat= vtnr=0 original_uid=1001
sshd[20796]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Hence, everything in the ssh session is ordered after the user instance.
And in the user instance, services should be orderd after dbus.socket using
inter-unit dependencies. dbus.socket in turns does
systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus.
So there should be no race between starting of the dbus socket and our check
if it exists.
The alternative would be to set the "DBUS_SESSION_BUS_ADDRESS=unix:path=%s/bus;autolaunch:".
AFAICT, this would work as well. But I don't see any case where it actually works
better. Since this is an area with many compatiblity concerns, let's stick to
the previous setup which seems to work well.
2019-01-10 10:06:18 +01:00
|
|
|
const char *s;
|
|
|
|
|
_cleanup_free_ char *t = NULL;
|
2019-01-04 11:19:10 +01:00
|
|
|
int r = PAM_BUF_ERR;
|
|
|
|
|
|
Revert "pam_systemd: set $DBUS_SESSION_BUS_ADDRESS unconditionally"
This reverts commit 69bd76f2b90cd00c1596b2e2c05845a4d9596fd2.
$DBUS_SESSION_BUS_ADDRESS is again set only if the socket exists.
Quoting https://github.com/systemd/systemd/pull/11327#issuecomment-452019027:
> [setting $DBUS_SESSION_BUS_ADDRESS unconditionally] makes pam_systemd
> incompatible with installations and distributions where dbus was not
> configured with --enable-user-session, and the session dbus-daemon is started
> by autolaunching or dbus-launch (as opposed to dbus.socket). I don't think
> that's wise: using autolaunching or dbus-launch, and disabling or not
> installing dbus.socket and dbus.service on the systemd user instance, is our
> compatibility story for people who still need a D-Bus session bus per X11
> session for whatever reason.
>
> For example, Debian can currently do either way, with a dbus-user-session
> package strongly recommended but not actually mandatory. dbus-user-session
> requires libpam-systemd; if pam_systemd now requires dbus.socket (which is in
> the dbus-user-session package), that's a circular dependency, which we
> normally try hard to avoid.
For systems that use dbus.socket this doesn't matter much, because the
user session is ordered after the user managaer, which pulls in dbus.socket
very early. For example, when logging over ssh:
sshd[20796]: pam_systemd(sshd:session): pam-systemd initializing
sshd[20796]: pam_systemd(sshd:session): Asking logind to create session: uid=1001 pid=20796 service=sshd type=tty class=user desktop= seat= vtnr=0 tty= display= remote=yes remote_user= remote_host=::1
sshd[20796]: pam_systemd(sshd:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a
systemd[1]: Created slice User Slice of UID 1001.
systemd[1]: Starting User Runtime Directory /run/user/1001...
systemd-logind[1210]: New session 3796 of user guest.
systemd[1]: Started User Runtime Directory /run/user/1001.
systemd[1]: Starting User Manager for UID 1001...
systemd[20805]: pam_systemd(systemd-user:session): pam-systemd initializing
systemd[20805]: Starting D-Bus User Message Bus Socket.
...
systemd[20805]: Reached target Sockets.
systemd[20805]: Reached target Basic System.
systemd[1]: Started User Manager for UID 1001.
systemd[1]: Started Session 3796 of user guest.
sshd[20796]: pam_systemd(sshd:session): Reply from logind: id=3796 object_path=/org/freedesktop/login1/session/_33796 runtime_path=/run/user/1001 session_fd=13 seat= vtnr=0 original_uid=1001
sshd[20796]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Hence, everything in the ssh session is ordered after the user instance.
And in the user instance, services should be orderd after dbus.socket using
inter-unit dependencies. dbus.socket in turns does
systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus.
So there should be no race between starting of the dbus socket and our check
if it exists.
The alternative would be to set the "DBUS_SESSION_BUS_ADDRESS=unix:path=%s/bus;autolaunch:".
AFAICT, this would work as well. But I don't see any case where it actually works
better. Since this is an area with many compatiblity concerns, let's stick to
the previous setup which seems to work well.
2019-01-10 10:06:18 +01:00
|
|
|
/* We need to export $DBUS_SESSION_BUS_ADDRESS because various applications will not connect
|
|
|
|
|
* correctly to the bus without it. This setting matches what dbus.socket does for the user
|
|
|
|
|
* session using 'systemctl --user set-environment'. We want to have the same configuration
|
|
|
|
|
* in processes started from the PAM session.
|
|
|
|
|
*
|
|
|
|
|
* The setting of the address is guarded by the access() check because it is also possible to compile
|
|
|
|
|
* dbus without --enable-user-session, in which case this socket is not used, and
|
|
|
|
|
* $DBUS_SESSION_BUS_ADDRESS should not be set. An alternative approach would to not do the access()
|
|
|
|
|
* check here, and let applications try on their own, by using "unix:path=%s/bus;autolaunch:". But we
|
|
|
|
|
* expect the socket to be present by the time we do this check, so we can just as well check once
|
|
|
|
|
* here. */
|
|
|
|
|
|
|
|
|
|
s = strjoina(runtime, "/bus");
|
|
|
|
|
if (access(s, F_OK) < 0)
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
|
|
|
|
if (asprintf(&t, DEFAULT_USER_BUS_ADDRESS_FMT, runtime) < 0)
|
2019-01-04 11:19:10 +01:00
|
|
|
goto error;
|
|
|
|
|
|
Revert "pam_systemd: set $DBUS_SESSION_BUS_ADDRESS unconditionally"
This reverts commit 69bd76f2b90cd00c1596b2e2c05845a4d9596fd2.
$DBUS_SESSION_BUS_ADDRESS is again set only if the socket exists.
Quoting https://github.com/systemd/systemd/pull/11327#issuecomment-452019027:
> [setting $DBUS_SESSION_BUS_ADDRESS unconditionally] makes pam_systemd
> incompatible with installations and distributions where dbus was not
> configured with --enable-user-session, and the session dbus-daemon is started
> by autolaunching or dbus-launch (as opposed to dbus.socket). I don't think
> that's wise: using autolaunching or dbus-launch, and disabling or not
> installing dbus.socket and dbus.service on the systemd user instance, is our
> compatibility story for people who still need a D-Bus session bus per X11
> session for whatever reason.
>
> For example, Debian can currently do either way, with a dbus-user-session
> package strongly recommended but not actually mandatory. dbus-user-session
> requires libpam-systemd; if pam_systemd now requires dbus.socket (which is in
> the dbus-user-session package), that's a circular dependency, which we
> normally try hard to avoid.
For systems that use dbus.socket this doesn't matter much, because the
user session is ordered after the user managaer, which pulls in dbus.socket
very early. For example, when logging over ssh:
sshd[20796]: pam_systemd(sshd:session): pam-systemd initializing
sshd[20796]: pam_systemd(sshd:session): Asking logind to create session: uid=1001 pid=20796 service=sshd type=tty class=user desktop= seat= vtnr=0 tty= display= remote=yes remote_user= remote_host=::1
sshd[20796]: pam_systemd(sshd:session): Session limits: memory_max=n/a tasks_max=n/a cpu_weight=n/a io_weight=n/a
systemd[1]: Created slice User Slice of UID 1001.
systemd[1]: Starting User Runtime Directory /run/user/1001...
systemd-logind[1210]: New session 3796 of user guest.
systemd[1]: Started User Runtime Directory /run/user/1001.
systemd[1]: Starting User Manager for UID 1001...
systemd[20805]: pam_systemd(systemd-user:session): pam-systemd initializing
systemd[20805]: Starting D-Bus User Message Bus Socket.
...
systemd[20805]: Reached target Sockets.
systemd[20805]: Reached target Basic System.
systemd[1]: Started User Manager for UID 1001.
systemd[1]: Started Session 3796 of user guest.
sshd[20796]: pam_systemd(sshd:session): Reply from logind: id=3796 object_path=/org/freedesktop/login1/session/_33796 runtime_path=/run/user/1001 session_fd=13 seat= vtnr=0 original_uid=1001
sshd[20796]: pam_unix(sshd:session): session opened for user guest by (uid=0)
Hence, everything in the ssh session is ordered after the user instance.
And in the user instance, services should be orderd after dbus.socket using
inter-unit dependencies. dbus.socket in turns does
systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=%t/bus.
So there should be no race between starting of the dbus socket and our check
if it exists.
The alternative would be to set the "DBUS_SESSION_BUS_ADDRESS=unix:path=%s/bus;autolaunch:".
AFAICT, this would work as well. But I don't see any case where it actually works
better. Since this is an area with many compatiblity concerns, let's stick to
the previous setup which seems to work well.
2019-01-10 10:06:18 +01:00
|
|
|
r = pam_misc_setenv(handle, "DBUS_SESSION_BUS_ADDRESS", t, 0);
|
2019-01-04 11:19:10 +01:00
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
|
|
|
|
error:
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to set bus variable.");
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-17 16:42:44 +02:00
|
|
|
static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
|
|
|
|
|
uint64_t val;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
if (isempty(limit))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (streq(limit, "infinity")) {
|
|
|
|
|
r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", (uint64_t)-1);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2018-07-02 18:52:42 +02:00
|
|
|
r = parse_permille(limit);
|
2018-04-17 16:42:44 +02:00
|
|
|
if (r >= 0) {
|
2018-07-02 18:52:42 +02:00
|
|
|
r = sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", (uint32_t) (((uint64_t) r * UINT32_MAX) / 1000U));
|
2018-04-17 16:42:44 +02:00
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
r = parse_size(limit, 1024, &val);
|
|
|
|
|
if (r >= 0) {
|
|
|
|
|
r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.limit: %s, ignoring.", limit);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-20 11:26:59 +02:00
|
|
|
static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
|
2018-04-17 16:42:44 +02:00
|
|
|
uint64_t val;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
/* No need to parse "infinity" here, it will be set unconditionally later in manager_start_scope() */
|
|
|
|
|
if (isempty(limit) || streq(limit, "infinity"))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
r = safe_atou64(limit, &val);
|
|
|
|
|
if (r >= 0) {
|
|
|
|
|
r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.limit: %s, ignoring.", limit);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int append_session_cg_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit, const char *field) {
|
|
|
|
|
uint64_t val;
|
|
|
|
|
int r;
|
|
|
|
|
|
2018-07-20 11:41:17 +02:00
|
|
|
if (isempty(limit))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
r = cg_weight_parse(limit, &val);
|
|
|
|
|
if (r >= 0) {
|
|
|
|
|
r = sd_bus_message_append(m, "(sv)", field, "t", val);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
} else if (streq(field, "CPUWeight"))
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.cpu_weight: %s, ignoring.", limit);
|
|
|
|
|
else
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.io_weight: %s, ignoring.", limit);
|
2018-04-17 16:42:44 +02:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-20 10:58:27 +02:00
|
|
|
static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
|
|
|
|
|
const char *v;
|
|
|
|
|
|
|
|
|
|
assert(handle);
|
|
|
|
|
assert(key);
|
|
|
|
|
|
2019-04-27 02:22:40 +02:00
|
|
|
/* Looks for an environment variable, preferably in the environment block associated with the
|
2019-02-04 10:23:43 +01:00
|
|
|
* specified PAM handle, falling back to the process' block instead. Why check both? Because we want
|
|
|
|
|
* to permit configuration of session properties from unit files that invoke PAM services, so that
|
|
|
|
|
* PAM services don't have to be reworked to set systemd-specific properties, but these properties
|
|
|
|
|
* can still be set from the unit file Environment= block. */
|
2018-07-20 10:58:27 +02:00
|
|
|
|
|
|
|
|
v = pam_getenv(handle, key);
|
|
|
|
|
if (!isempty(v))
|
|
|
|
|
return v;
|
|
|
|
|
|
2019-02-04 10:23:43 +01:00
|
|
|
/* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
|
|
|
|
|
* they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
|
|
|
|
|
* currently don't (to be precise, they clean up the environment they pass to their children, but
|
|
|
|
|
* not their own environ[]). */
|
|
|
|
|
v = secure_getenv(key);
|
2018-07-20 10:58:27 +02:00
|
|
|
if (!isempty(v))
|
|
|
|
|
return v;
|
|
|
|
|
|
|
|
|
|
return fallback;
|
|
|
|
|
}
|
|
|
|
|
|
2018-07-20 11:27:55 +02:00
|
|
|
static int update_environment(pam_handle_t *handle, const char *key, const char *value) {
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(handle);
|
|
|
|
|
assert(key);
|
|
|
|
|
|
|
|
|
|
/* Updates the environment, but only if there's actually a value set. Also, log about errors */
|
|
|
|
|
|
|
|
|
|
if (isempty(value))
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
|
|
|
|
r = pam_misc_setenv(handle, key, value, 0);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to set environment variable %s.", key);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-09 22:23:41 +02:00
|
|
|
static bool validate_runtime_directory(pam_handle_t *handle, const char *path, uid_t uid) {
|
|
|
|
|
struct stat st;
|
|
|
|
|
|
|
|
|
|
assert(path);
|
|
|
|
|
|
|
|
|
|
/* Just some extra paranoia: let's not set $XDG_RUNTIME_DIR if the directory we'd set it to isn't actually set
|
|
|
|
|
* up properly for us. */
|
|
|
|
|
|
|
|
|
|
if (lstat(path, &st) < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to stat() runtime directory '%s': %s", path, strerror(errno));
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!S_ISDIR(st.st_mode)) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not actually a directory.", path);
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (st.st_uid != uid) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not owned by UID " UID_FMT ", as it should.", path, uid);
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
pam_syslog(handle, LOG_WARNING, "Not setting $XDG_RUNTIME_DIR, as the directory is not in order.");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-24 18:50:50 +02:00
|
|
|
_public_ PAM_EXTERN int pam_sm_open_session(
|
2010-06-21 23:27:18 +02:00
|
|
|
pam_handle_t *handle,
|
|
|
|
|
int flags,
|
|
|
|
|
int argc, const char **argv) {
|
|
|
|
|
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
2018-04-17 16:42:44 +02:00
|
|
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL;
|
2013-11-07 00:20:11 +01:00
|
|
|
const char
|
|
|
|
|
*username, *id, *object_path, *runtime_path,
|
|
|
|
|
*service = NULL,
|
|
|
|
|
*tty = NULL, *display = NULL,
|
|
|
|
|
*remote_user = NULL, *remote_host = NULL,
|
|
|
|
|
*seat = NULL,
|
|
|
|
|
*type = NULL, *class = NULL,
|
2018-07-20 11:01:18 +02:00
|
|
|
*class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
|
2018-04-17 16:42:44 +02:00
|
|
|
*memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL;
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
|
2013-11-07 00:20:11 +01:00
|
|
|
int session_fd = -1, existing, r;
|
|
|
|
|
bool debug = false, remote;
|
|
|
|
|
struct passwd *pw;
|
2013-11-26 05:05:00 +01:00
|
|
|
uint32_t vtnr = 0;
|
|
|
|
|
uid_t original_uid;
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
assert(handle);
|
2011-06-24 18:50:50 +02:00
|
|
|
|
2013-03-26 11:36:31 +01:00
|
|
|
/* Make this a NOP on non-logind systems */
|
|
|
|
|
if (!logind_running())
|
2010-06-21 23:27:18 +02:00
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
2011-02-13 18:21:11 +01:00
|
|
|
if (parse_argv(handle,
|
|
|
|
|
argc, argv,
|
2013-07-02 01:46:30 +02:00
|
|
|
&class_pam,
|
2014-02-05 18:55:18 +01:00
|
|
|
&type_pam,
|
2018-07-20 11:01:18 +02:00
|
|
|
&desktop_pam,
|
2013-11-06 23:24:16 +01:00
|
|
|
&debug) < 0)
|
|
|
|
|
return PAM_SESSION_ERR;
|
2010-11-17 20:22:07 +01:00
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
if (debug)
|
2014-02-10 16:37:09 +01:00
|
|
|
pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing");
|
2013-11-26 05:05:00 +01:00
|
|
|
|
2011-06-24 18:50:50 +02:00
|
|
|
r = get_user_data(handle, &username, &pw);
|
2013-11-06 23:24:16 +01:00
|
|
|
if (r != PAM_SUCCESS) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to get user data.");
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2011-06-30 04:31:49 +02:00
|
|
|
/* Make sure we don't enter a loop by talking to
|
|
|
|
|
* systemd-logind when it is actually waiting for the
|
|
|
|
|
* background to finish start-up. If the service is
|
Add pam configuration to allow user sessions to work out of the box
systemd-logind will start user@.service. user@.service unit uses
PAM with service name 'systemd-user' to perform account and session
managment tasks. Previously, the name was 'systemd-shared', it is
now changed to 'systemd-user'.
Most PAM installations use one common setup for different callers.
Based on a quick poll, distributions fall into two camps: those that
have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia,
Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE).
Distributions that have system-auth have just one configuration file
that contains auth, password, account, and session blocks, and
distributions that have common-auth also have common-session,
common-password, and common-account. It is thus impossible to use one
configuration file which would work for everybody. systemd-user now
refers to system-auth, because it seems that the approach with one
file is more popular and also easier, so let's follow that.
2013-09-11 20:31:14 +02:00
|
|
|
* "systemd-user" we simply set XDG_RUNTIME_DIR and
|
2011-06-30 04:31:49 +02:00
|
|
|
* leave. */
|
|
|
|
|
|
|
|
|
|
pam_get_item(handle, PAM_SERVICE, (const void**) &service);
|
Add pam configuration to allow user sessions to work out of the box
systemd-logind will start user@.service. user@.service unit uses
PAM with service name 'systemd-user' to perform account and session
managment tasks. Previously, the name was 'systemd-shared', it is
now changed to 'systemd-user'.
Most PAM installations use one common setup for different callers.
Based on a quick poll, distributions fall into two camps: those that
have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia,
Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE).
Distributions that have system-auth have just one configuration file
that contains auth, password, account, and session blocks, and
distributions that have common-auth also have common-session,
common-password, and common-account. It is thus impossible to use one
configuration file which would work for everybody. systemd-user now
refers to system-auth, because it seems that the approach with one
file is more popular and also easier, so let's follow that.
2013-09-11 20:31:14 +02:00
|
|
|
if (streq_ptr(service, "systemd-user")) {
|
2019-01-10 09:53:34 +01:00
|
|
|
char rt[STRLEN("/run/user/") + DECIMAL_STR_MAX(uid_t)];
|
2011-06-30 04:31:49 +02:00
|
|
|
|
2019-01-10 09:53:34 +01:00
|
|
|
xsprintf(rt, "/run/user/"UID_FMT, pw->pw_uid);
|
2018-10-09 22:23:41 +02:00
|
|
|
if (validate_runtime_directory(handle, rt, pw->pw_uid)) {
|
|
|
|
|
r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", rt, 0);
|
|
|
|
|
if (r != PAM_SUCCESS) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2011-06-30 04:31:49 +02:00
|
|
|
}
|
|
|
|
|
|
2019-01-04 11:19:10 +01:00
|
|
|
r = export_legacy_dbus_address(handle, pw->pw_uid, rt);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
|
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
return PAM_SUCCESS;
|
2010-06-21 23:27:18 +02:00
|
|
|
}
|
|
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
/* Otherwise, we ask logind to create a session for us */
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2011-06-24 18:50:50 +02:00
|
|
|
pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
|
|
|
|
|
pam_get_item(handle, PAM_TTY, (const void**) &tty);
|
|
|
|
|
pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
|
|
|
|
|
pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
|
2012-10-01 20:50:00 +02:00
|
|
|
|
2018-07-20 10:58:27 +02:00
|
|
|
seat = getenv_harder(handle, "XDG_SEAT", NULL);
|
|
|
|
|
cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
|
|
|
|
|
type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
|
|
|
|
|
class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
|
2018-07-20 11:01:18 +02:00
|
|
|
desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
|
2014-02-05 20:34:11 +01:00
|
|
|
|
2011-06-24 19:42:45 +02:00
|
|
|
tty = strempty(tty);
|
2011-06-24 18:50:50 +02:00
|
|
|
|
2011-06-24 23:51:49 +02:00
|
|
|
if (strchr(tty, ':')) {
|
2018-07-23 13:02:58 +02:00
|
|
|
/* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
|
|
|
|
|
* and don't pretend that an X display was a tty. */
|
2011-06-24 23:51:49 +02:00
|
|
|
if (isempty(display))
|
|
|
|
|
display = tty;
|
2014-02-05 20:34:11 +01:00
|
|
|
tty = NULL;
|
2018-07-23 13:02:58 +02:00
|
|
|
|
2011-11-19 01:17:46 +01:00
|
|
|
} else if (streq(tty, "cron")) {
|
2018-07-23 13:02:58 +02:00
|
|
|
/* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
|
|
|
|
|
* probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
|
|
|
|
|
* (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
|
|
|
|
|
* off processes.) */
|
2012-12-23 22:31:17 +01:00
|
|
|
type = "unspecified";
|
2014-02-05 18:55:18 +01:00
|
|
|
class = "background";
|
2014-02-05 20:34:11 +01:00
|
|
|
tty = NULL;
|
2018-07-23 13:02:58 +02:00
|
|
|
|
2012-12-23 22:31:17 +01:00
|
|
|
} else if (streq(tty, "ssh")) {
|
2018-07-23 13:02:58 +02:00
|
|
|
/* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
|
|
|
|
|
* details look for "PAM_TTY_KLUDGE" in the openssh sources). */
|
2012-12-23 22:31:17 +01:00
|
|
|
type ="tty";
|
2014-02-05 18:55:18 +01:00
|
|
|
class = "user";
|
2018-07-23 13:02:58 +02:00
|
|
|
tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
|
|
|
|
|
* associated with a pty — won't be tracked by their tty in logind. This is because ssh
|
|
|
|
|
* does the PAM session registration early for new connections, and registers a pty only
|
|
|
|
|
* much later (this is because it doesn't know yet if it needs one at all, as whether to
|
|
|
|
|
* register a pty or not is negotiated much later in the protocol). */
|
|
|
|
|
|
2017-08-09 19:04:36 +02:00
|
|
|
} else
|
|
|
|
|
/* Chop off leading /dev prefix that some clients specify, but others do not. */
|
|
|
|
|
tty = skip_dev_prefix(tty);
|
2011-06-24 23:51:49 +02:00
|
|
|
|
2012-09-21 16:17:22 +02:00
|
|
|
/* If this fails vtnr will be 0, that's intended */
|
2011-06-27 22:44:12 +02:00
|
|
|
if (!isempty(cvtnr))
|
2015-04-13 04:41:20 +02:00
|
|
|
(void) safe_atou32(cvtnr, &vtnr);
|
2011-06-27 22:44:12 +02:00
|
|
|
|
2013-11-28 17:05:34 +01:00
|
|
|
if (!isempty(display) && !vtnr) {
|
2012-01-13 20:51:58 +01:00
|
|
|
if (isempty(seat))
|
2018-07-20 11:43:38 +02:00
|
|
|
(void) get_seat_from_display(display, &seat, &vtnr);
|
2012-01-13 20:51:58 +01:00
|
|
|
else if (streq(seat, "seat0"))
|
2018-07-20 11:43:38 +02:00
|
|
|
(void) get_seat_from_display(display, NULL, &vtnr);
|
2012-01-13 20:51:58 +01:00
|
|
|
}
|
2011-06-27 22:44:12 +02:00
|
|
|
|
2014-02-05 18:55:18 +01:00
|
|
|
if (seat && !streq(seat, "seat0") && vtnr != 0) {
|
2018-11-19 11:39:45 +01:00
|
|
|
if (debug)
|
|
|
|
|
pam_syslog(handle, LOG_DEBUG, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
|
2014-01-24 19:23:01 +01:00
|
|
|
vtnr = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-05 18:55:18 +01:00
|
|
|
if (isempty(type))
|
2012-12-23 22:31:17 +01:00
|
|
|
type = !isempty(display) ? "x11" :
|
2014-02-05 18:55:18 +01:00
|
|
|
!isempty(tty) ? "tty" : "unspecified";
|
2011-06-24 18:50:50 +02:00
|
|
|
|
2012-02-14 21:33:51 +01:00
|
|
|
if (isempty(class))
|
2013-04-09 22:18:16 +02:00
|
|
|
class = streq(type, "unspecified") ? "background" : "user";
|
2012-02-14 21:33:51 +01:00
|
|
|
|
2014-07-02 13:41:31 +02:00
|
|
|
remote = !isempty(remote_host) && !is_localhost(remote_host);
|
2011-06-24 18:50:50 +02:00
|
|
|
|
2018-04-17 16:42:44 +02:00
|
|
|
(void) pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
|
|
|
|
|
(void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
|
|
|
|
|
(void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
|
|
|
|
|
(void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
|
|
|
|
|
|
2013-11-07 00:03:54 +01:00
|
|
|
/* Talk to logind over the message bus */
|
2013-11-06 23:24:16 +01:00
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
r = sd_bus_open_system(&bus);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to connect to system bus: %s", strerror(-r));
|
|
|
|
|
return PAM_SESSION_ERR;
|
2013-11-05 01:10:21 +01:00
|
|
|
}
|
|
|
|
|
|
2018-04-17 16:42:44 +02:00
|
|
|
if (debug) {
|
2011-12-14 01:25:47 +01:00
|
|
|
pam_syslog(handle, LOG_DEBUG, "Asking logind to create session: "
|
2015-01-21 04:22:15 +01:00
|
|
|
"uid="UID_FMT" pid="PID_FMT" service=%s type=%s class=%s desktop=%s seat=%s vtnr=%"PRIu32" tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
|
2017-07-20 16:19:18 +02:00
|
|
|
pw->pw_uid, getpid_cached(),
|
2013-11-26 05:05:00 +01:00
|
|
|
strempty(service),
|
2014-02-08 18:12:20 +01:00
|
|
|
type, class, strempty(desktop),
|
2014-02-05 20:34:11 +01:00
|
|
|
strempty(seat), vtnr, strempty(tty), strempty(display),
|
2013-11-26 05:05:00 +01:00
|
|
|
yes_no(remote), strempty(remote_user), strempty(remote_host));
|
2018-04-17 16:42:44 +02:00
|
|
|
pam_syslog(handle, LOG_DEBUG, "Session limits: "
|
|
|
|
|
"memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s",
|
|
|
|
|
strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = sd_bus_message_new_method_call(
|
|
|
|
|
bus,
|
|
|
|
|
&m,
|
|
|
|
|
"org.freedesktop.login1",
|
|
|
|
|
"/org/freedesktop/login1",
|
|
|
|
|
"org.freedesktop.login1.Manager",
|
|
|
|
|
"CreateSession");
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to create CreateSession method call: %s", strerror(-r));
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = sd_bus_message_append(m, "uusssssussbss",
|
|
|
|
|
(uint32_t) pw->pw_uid,
|
2018-08-18 09:29:43 +02:00
|
|
|
0,
|
2018-04-17 16:42:44 +02:00
|
|
|
service,
|
|
|
|
|
type,
|
|
|
|
|
class,
|
|
|
|
|
desktop,
|
|
|
|
|
seat,
|
|
|
|
|
vtnr,
|
|
|
|
|
tty,
|
|
|
|
|
display,
|
|
|
|
|
remote,
|
|
|
|
|
remote_user,
|
|
|
|
|
remote_host);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror(-r));
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = sd_bus_message_open_container(m, 'a', "(sv)");
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to open message container: %s", strerror(-r));
|
|
|
|
|
return PAM_SYSTEM_ERR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = append_session_memory_max(handle, m, memory_max);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
|
|
|
|
|
r = append_session_tasks_max(handle, m, tasks_max);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
|
|
|
|
|
r = append_session_cg_weight(handle, m, cpu_weight, "CPUWeight");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
|
|
|
|
|
r = append_session_cg_weight(handle, m, io_weight, "IOWeight");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_message_close_container(m);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to close message container: %s", strerror(-r));
|
|
|
|
|
return PAM_SYSTEM_ERR;
|
|
|
|
|
}
|
2011-12-14 01:25:47 +01:00
|
|
|
|
2018-04-17 16:42:44 +02:00
|
|
|
r = sd_bus_call(bus, m, 0, &error, &reply);
|
2013-11-05 06:01:12 +01:00
|
|
|
if (r < 0) {
|
2015-07-07 19:38:41 +02:00
|
|
|
if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
|
2018-11-19 11:39:45 +01:00
|
|
|
if (debug)
|
2019-01-09 12:58:00 +01:00
|
|
|
pam_syslog(handle, LOG_DEBUG, "Not creating session: %s", bus_error_message(&error, r));
|
2015-07-07 19:38:41 +02:00
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
} else {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to create session: %s", bus_error_message(&error, r));
|
|
|
|
|
return PAM_SYSTEM_ERR;
|
|
|
|
|
}
|
2011-06-24 18:50:50 +02:00
|
|
|
}
|
2010-11-17 20:22:07 +01:00
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
r = sd_bus_message_read(reply,
|
2013-11-26 05:05:00 +01:00
|
|
|
"soshusub",
|
2013-11-05 06:01:12 +01:00
|
|
|
&id,
|
|
|
|
|
&object_path,
|
|
|
|
|
&runtime_path,
|
|
|
|
|
&session_fd,
|
2013-11-26 05:05:00 +01:00
|
|
|
&original_uid,
|
2013-11-05 06:01:12 +01:00
|
|
|
&seat,
|
|
|
|
|
&vtnr,
|
|
|
|
|
&existing);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to parse message: %s", strerror(-r));
|
2013-11-06 23:24:16 +01:00
|
|
|
return PAM_SESSION_ERR;
|
2011-06-24 18:50:50 +02:00
|
|
|
}
|
2010-11-17 20:22:07 +01:00
|
|
|
|
2011-12-14 01:25:47 +01:00
|
|
|
if (debug)
|
|
|
|
|
pam_syslog(handle, LOG_DEBUG, "Reply from logind: "
|
2013-11-26 05:05:00 +01:00
|
|
|
"id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
|
|
|
|
|
id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
|
2011-12-14 01:25:47 +01:00
|
|
|
|
2018-07-20 11:27:55 +02:00
|
|
|
r = update_environment(handle, "XDG_SESSION_ID", id);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
2013-11-06 23:24:16 +01:00
|
|
|
return r;
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2013-11-26 05:05:00 +01:00
|
|
|
if (original_uid == pw->pw_uid) {
|
|
|
|
|
/* Don't set $XDG_RUNTIME_DIR if the user we now
|
|
|
|
|
* authenticated for does not match the original user
|
|
|
|
|
* of the session. We do this in order not to result
|
|
|
|
|
* in privileged apps clobbering the runtime directory
|
|
|
|
|
* unnecessarily. */
|
|
|
|
|
|
2018-10-09 22:23:41 +02:00
|
|
|
if (validate_runtime_directory(handle, runtime_path, pw->pw_uid)) {
|
|
|
|
|
r = update_environment(handle, "XDG_RUNTIME_DIR", runtime_path);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2019-01-04 11:19:10 +01:00
|
|
|
|
|
|
|
|
r = export_legacy_dbus_address(handle, pw->pw_uid, runtime_path);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
2011-06-24 18:50:50 +02:00
|
|
|
}
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2018-07-20 11:28:37 +02:00
|
|
|
/* Most likely we got the session/type/class from environment variables, but might have gotten the data
|
|
|
|
|
* somewhere else (for example PAM module parameters). Let's now update the environment variables, so that this
|
|
|
|
|
* data is inherited into the session processes, and programs can rely on them to be initialized. */
|
|
|
|
|
|
|
|
|
|
r = update_environment(handle, "XDG_SESSION_TYPE", type);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = update_environment(handle, "XDG_SESSION_CLASS", class);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = update_environment(handle, "XDG_SESSION_DESKTOP", desktop);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
|
|
|
|
|
2018-07-20 11:27:55 +02:00
|
|
|
r = update_environment(handle, "XDG_SEAT", seat);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
|
|
|
|
return r;
|
2011-07-26 23:09:34 +02:00
|
|
|
|
|
|
|
|
if (vtnr > 0) {
|
2013-11-07 16:42:36 +01:00
|
|
|
char buf[DECIMAL_STR_MAX(vtnr)];
|
2013-11-26 05:05:00 +01:00
|
|
|
sprintf(buf, "%u", vtnr);
|
2011-07-26 23:09:34 +02:00
|
|
|
|
2018-07-20 11:27:55 +02:00
|
|
|
r = update_environment(handle, "XDG_VTNR", buf);
|
|
|
|
|
if (r != PAM_SUCCESS)
|
2013-11-06 23:24:16 +01:00
|
|
|
return r;
|
2011-07-26 23:09:34 +02:00
|
|
|
}
|
|
|
|
|
|
2012-10-16 19:21:21 +02:00
|
|
|
r = pam_set_data(handle, "systemd.existing", INT_TO_PTR(!!existing), NULL);
|
|
|
|
|
if (r != PAM_SUCCESS) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to install existing flag.");
|
2013-11-06 23:24:16 +01:00
|
|
|
return r;
|
2012-10-16 19:21:21 +02:00
|
|
|
}
|
|
|
|
|
|
2011-06-24 22:55:39 +02:00
|
|
|
if (session_fd >= 0) {
|
2014-05-13 16:35:34 +02:00
|
|
|
session_fd = fcntl(session_fd, F_DUPFD_CLOEXEC, 3);
|
2013-11-06 23:24:16 +01:00
|
|
|
if (session_fd < 0) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to dup session fd: %m");
|
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-17 00:51:24 +01:00
|
|
|
r = pam_set_data(handle, "systemd.session-fd", FD_TO_PTR(session_fd), NULL);
|
2011-06-24 22:55:39 +02:00
|
|
|
if (r != PAM_SUCCESS) {
|
|
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to install session fd.");
|
2014-03-18 19:22:43 +01:00
|
|
|
safe_close(session_fd);
|
2013-11-06 23:24:16 +01:00
|
|
|
return r;
|
2011-06-24 22:55:39 +02:00
|
|
|
}
|
2011-06-24 18:50:50 +02:00
|
|
|
}
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
return PAM_SUCCESS;
|
2011-06-24 18:50:50 +02:00
|
|
|
}
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2011-06-24 18:50:50 +02:00
|
|
|
_public_ PAM_EXTERN int pam_sm_close_session(
|
|
|
|
|
pam_handle_t *handle,
|
|
|
|
|
int flags,
|
|
|
|
|
int argc, const char **argv) {
|
2010-06-21 23:27:18 +02:00
|
|
|
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
|
|
|
|
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
|
2014-02-06 18:32:14 +01:00
|
|
|
const void *existing = NULL;
|
2012-03-22 02:06:40 +01:00
|
|
|
const char *id;
|
|
|
|
|
int r;
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
assert(handle);
|
2012-03-22 02:06:40 +01:00
|
|
|
|
2012-10-16 19:21:21 +02:00
|
|
|
/* Only release session if it wasn't pre-existing when we
|
|
|
|
|
* tried to create it */
|
2018-07-20 11:43:38 +02:00
|
|
|
(void) pam_get_data(handle, "systemd.existing", &existing);
|
2012-10-16 19:21:21 +02:00
|
|
|
|
2012-03-22 02:06:40 +01:00
|
|
|
id = pam_getenv(handle, "XDG_SESSION_ID");
|
2012-10-16 19:21:21 +02:00
|
|
|
if (id && !existing) {
|
2012-03-22 02:06:40 +01:00
|
|
|
|
|
|
|
|
/* Before we go and close the FIFO we need to tell
|
|
|
|
|
* logind that this is a clean session shutdown, so
|
|
|
|
|
* that it doesn't just go and slaughter us
|
|
|
|
|
* immediately after closing the fd */
|
|
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
r = sd_bus_open_system(&bus);
|
|
|
|
|
if (r < 0) {
|
2014-02-06 18:32:14 +01:00
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to connect to system bus: %s", strerror(-r));
|
|
|
|
|
return PAM_SESSION_ERR;
|
2012-03-22 02:06:40 +01:00
|
|
|
}
|
|
|
|
|
|
2013-11-05 06:01:12 +01:00
|
|
|
r = sd_bus_call_method(bus,
|
|
|
|
|
"org.freedesktop.login1",
|
|
|
|
|
"/org/freedesktop/login1",
|
|
|
|
|
"org.freedesktop.login1.Manager",
|
|
|
|
|
"ReleaseSession",
|
|
|
|
|
&error,
|
|
|
|
|
NULL,
|
|
|
|
|
"s",
|
|
|
|
|
id);
|
|
|
|
|
if (r < 0) {
|
2014-02-06 18:32:14 +01:00
|
|
|
pam_syslog(handle, LOG_ERR, "Failed to release session: %s", bus_error_message(&error, r));
|
|
|
|
|
return PAM_SESSION_ERR;
|
2012-03-22 02:06:40 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-02-06 18:32:14 +01:00
|
|
|
/* Note that we are knowingly leaking the FIFO fd here. This
|
|
|
|
|
* way, logind can watch us die. If we closed it here it would
|
|
|
|
|
* not have any clue when that is completed. Given that one
|
|
|
|
|
* cannot really have multiple PAM sessions open from the same
|
|
|
|
|
* process this means we will leak one FD at max. */
|
2012-03-22 02:06:40 +01:00
|
|
|
|
2014-02-06 18:32:14 +01:00
|
|
|
return PAM_SUCCESS;
|
2010-06-21 23:27:18 +02:00
|
|
|
}
|