pam: optionally keep processes of root user around
This commit is contained in:
parent
d8cfa08589
commit
3add4d215b
2
TODO
2
TODO
|
@ -4,8 +4,6 @@
|
|||
|
||||
* figure out what happened to bluez patch
|
||||
|
||||
* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0
|
||||
|
||||
* introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot
|
||||
|
||||
* Patch systemd-fsck to use -C and pass console fd to it
|
||||
|
|
|
@ -201,6 +201,20 @@
|
|||
logout.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>keep-root=</option></term>
|
||||
|
||||
<listitem><para>Takes a boolean
|
||||
argument. If true, all processes
|
||||
created by the root user (UID 0) during his
|
||||
session and from his session will be
|
||||
kept around after he logged out. This
|
||||
option allows cancelling the effect of
|
||||
<option>kill-session=1</option> and
|
||||
<option>kill-user=1</option> for the
|
||||
root user.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>controllers=</option></term>
|
||||
|
||||
|
@ -230,7 +244,8 @@
|
|||
<para>If the options are omitted they default to
|
||||
<option>create-session=1</option>,
|
||||
<option>kill-session=0</option>,
|
||||
<option>kill-user=0</option>.</para>
|
||||
<option>kill-user=0</option>,
|
||||
<option>keep-root=1</option>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
|
|
@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
|
|||
bool *create_session,
|
||||
bool *kill_session,
|
||||
bool *kill_user,
|
||||
bool *keep_root,
|
||||
char ***controllers) {
|
||||
|
||||
unsigned i;
|
||||
|
@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
|
|||
if (kill_user)
|
||||
*kill_user = k;
|
||||
|
||||
} else if (startswith(argv[i], "keep-root=")) {
|
||||
if ((k = parse_boolean(argv[i] + 10)) < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
|
||||
return k;
|
||||
}
|
||||
|
||||
if (keep_root)
|
||||
*keep_root = k;
|
||||
|
||||
} else if (startswith(argv[i], "controllers=")) {
|
||||
|
||||
if (controllers) {
|
||||
|
@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
|
|||
if (sd_booted() <= 0)
|
||||
return PAM_SUCCESS;
|
||||
|
||||
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
|
||||
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
|
||||
return PAM_SESSION_ERR;
|
||||
|
||||
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
|
||||
|
@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
|
|||
const char *username = NULL;
|
||||
bool kill_session = false;
|
||||
bool kill_user = false;
|
||||
bool keep_root = true;
|
||||
int lock_fd = -1, r;
|
||||
char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
|
||||
const char *id;
|
||||
|
@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
|
|||
if (sd_booted() <= 0)
|
||||
return PAM_SUCCESS;
|
||||
|
||||
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
|
||||
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
|
||||
return PAM_SESSION_ERR;
|
||||
|
||||
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
|
||||
|
@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
|
|||
goto finish;
|
||||
}
|
||||
|
||||
if (kill_session) {
|
||||
if (kill_session && (pw->pw_uid != 0 || !keep_root)) {
|
||||
pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
|
||||
|
||||
/* Kill processes in session cgroup, and delete it */
|
||||
|
@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
|
|||
pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
|
||||
|
||||
/* Kill user processes not attached to any session */
|
||||
if (kill_user && r == 0) {
|
||||
if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
|
||||
|
||||
/* Kill user cgroup */
|
||||
if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
|
||||
|
|
Loading…
Reference in New Issue