picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pam: optionally keep processes of root user around

This commit is contained in:
Lennart Poettering 2011-01-18 23:07:06 +01:00
parent d8cfa08589
commit 3add4d215b
3 changed files with 31 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
TODO
View File

@ -4,8 +4,6 @@
* figure out what happened to bluez patch
* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0
* introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot
* Patch systemd-fsck to use -C and pass console fd to it

17
man/pam_systemd.xml
View File

@ -201,6 +201,20 @@
logout.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>keep-root=</option></term>
<listitem><para>Takes a boolean
argument. If true, all processes
created by the root user (UID 0) during his
session and from his session will be
kept around after he logged out. This
option allows cancelling the effect of
<option>kill-session=1</option> and
<option>kill-user=1</option> for the
root user.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>controllers=</option></term>
@ -230,7 +244,8 @@
<para>If the options are omitted they default to
<option>create-session=1</option>,
<option>kill-session=0</option>,
<option>kill-user=0</option>.</para>
<option>kill-user=0</option>,
<option>keep-root=1</option>.</para>
</refsect1>
<refsect1>

19
src/pam-module.c
View File

@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
bool *create_session,
bool *kill_session,
bool *kill_user,
bool *keep_root,
char ***controllers) {
unsigned i;
@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
if (kill_user)
*kill_user = k;
} else if (startswith(argv[i], "keep-root=")) {
if ((k = parse_boolean(argv[i] + 10)) < 0) {
pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
return k;
}
if (keep_root)
*keep_root = k;
} else if (startswith(argv[i], "controllers=")) {
if (controllers) {
@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
const char *username = NULL;
bool kill_session = false;
bool kill_user = false;
bool keep_root = true;
int lock_fd = -1, r;
char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
const char *id;
@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
goto finish;
}
if (kill_session) {
if (kill_session && (pw->pw_uid != 0 || !keep_root)) {
pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
/* Kill processes in session cgroup, and delete it */
@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
/* Kill user processes not attached to any session */
if (kill_user && r == 0) {
if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
/* Kill user cgroup */
if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)