picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

pam: remove only sessions we ourselves created in the first place

This commit is contained in:
Lennart Poettering 2010-07-21 04:32:44 +02:00
parent 294d81f124
commit 672c48cc06
3 changed files with 44 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/cgroup-util.c
View File

@ -25,6 +25,8 @@
#include <string.h> #include <string.h>
#include <stdlib.h> #include <stdlib.h>
#include <dirent.h> #include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#include "cgroup-util.h" #include "cgroup-util.h"
#include "log.h" #include "log.h"
@ -546,7 +548,17 @@ int cg_create(const char *controller, const char *path) {
if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) if ((r = cg_get_path(controller, path, NULL, &fs)) < 0)
return r; return r;
r = mkdir_p(fs, 0755); r = mkdir_parents(fs, 0755);
if (r >= 0) {
if (mkdir(fs, 0755) >= 0)
r = 1;
else if (errno == EEXIST)
r = 0;
else
r = -errno;
}
free(fs); free(fs);
return r; return r;
@ -577,7 +589,7 @@ int cg_attach(const char *controller, const char *path, pid_t pid) {
} }
int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { int cg_create_and_attach(const char *controller, const char *path, pid_t pid) {
int r; int r, q;
assert(controller); assert(controller);
assert(path); assert(path);
@ -586,8 +598,8 @@ int cg_create_and_attach(const char *controller, const char *path, pid_t pid) {
if ((r = cg_create(controller, path)) < 0) if ((r = cg_create(controller, path)) < 0)
return r; return r;
if ((r = cg_attach(controller, path, pid)) < 0) if ((q = cg_attach(controller, path, pid)) < 0)
return r; return q;
/* This does not remove the cgroup on failure */ /* This does not remove the cgroup on failure */

2
src/log.c
View File

@ -279,7 +279,7 @@ static int write_to_syslog(
msghdr.msg_iov = iovec; msghdr.msg_iov = iovec;
msghdr.msg_iovlen = ELEMENTSOF(iovec); msghdr.msg_iovlen = ELEMENTSOF(iovec);
if (sendmsg(syslog_fd, &msghdr, 0) < 0) if (sendmsg(syslog_fd, &msghdr, MSG_NOSIGNAL) < 0)
return -errno; return -errno;
return 1; return 1;

34
src/pam-module.c
View File

@ -208,7 +208,7 @@ static int get_user_data(
return PAM_SUCCESS; return PAM_SUCCESS;
} }
static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach) { static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach, bool remember) {
int r; int r;
assert(handle); assert(handle);
@ -224,6 +224,17 @@ static int create_user_group(pam_handle_t *handle, const char *group, struct pas
return PAM_SESSION_ERR; return PAM_SESSION_ERR;
} }
if (r > 0 && remember) {
/* Remember that it was us who created this group, and
* that hence we need to remove it too. This is a
* protection against removing the cgroup when run
* recursively. */
if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
return r;
}
}
if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 || if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 ||
(r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) { (r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r)); pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
@ -247,7 +258,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
assert(handle); assert(handle);
pam_syslog(handle, LOG_INFO, "pam-systemd initializing"); /* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0) if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
return PAM_SESSION_ERR; return PAM_SESSION_ERR;
@ -331,7 +342,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
goto finish; goto finish;
} }
if ((r = create_user_group(handle, buf, pw, true)) != PAM_SUCCESS) pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);
if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
goto finish; goto finish;
r = PAM_SUCCESS; r = PAM_SUCCESS;
@ -383,6 +396,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
char *session_path = NULL, *nosession_path = NULL, *user_path = NULL; char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
const char *id; const char *id;
struct passwd *pw; struct passwd *pw;
const void *created = NULL;
assert(handle); assert(handle);
@ -411,7 +425,9 @@ _public_ PAM_EXTERN int pam_sm_close_session(
goto finish; goto finish;
} }
if ((id = pam_getenv(handle, "XDG_SESSION_ID"))) { pam_get_data(handle, "systemd.created", &created);
if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {
if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 || if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 ||
asprintf(&nosession_path, "/user/%s/no-session", username) < 0) { asprintf(&nosession_path, "/user/%s/no-session", username) < 0) {
@ -420,15 +436,19 @@ _public_ PAM_EXTERN int pam_sm_close_session(
} }
if (kill_session) { if (kill_session) {
pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
/* Kill processes in session cgroup, and delete it */ /* Kill processes in session cgroup, and delete it */
if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0) if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r)); pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
} else { } else {
pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);
/* Migrate processes from session to /* Migrate processes from session to
* no-session cgroup. First, try to create the * no-session cgroup. First, try to create the
* no-session group in case it doesn't exist * no-session group in case it doesn't exist
* yet. Also, delete the session group. */ * yet. Also, delete the session group. */
create_user_group(handle, nosession_path, pw, 0); create_user_group(handle, nosession_path, pw, false, false);
if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0) if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r)); pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
@ -465,13 +485,13 @@ _public_ PAM_EXTERN int pam_sm_close_session(
if (r >= 0) { if (r >= 0) {
const char *runtime_dir; const char *runtime_dir;
/* This will migrate us to the /user cgroup. */
if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR"))) if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
if ((r = rm_rf(runtime_dir, false, true)) < 0) if ((r = rm_rf(runtime_dir, false, true)) < 0)
pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r)); pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
} }
/* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */
r = PAM_SUCCESS; r = PAM_SUCCESS;
finish: finish: