summaryrefslogtreecommitdiffstats
path: root/0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-01 14:48:48 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-03-05 01:23:25 -0500
commita52f6741bd20d8383d75ad852a37699fbfb4b896 (patch)
tree84bf5a47f74f9747f36ce28756eb50568176948e /0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch
parentd16d0a5ab39fefe53d7d4a59af304971e4f1aba1 (diff)
downloadsystemd-a52f6741bd20d8383d75ad852a37699fbfb4b896.zip
systemd-a52f6741bd20d8383d75ad852a37699fbfb4b896.tar.gz
systemd-a52f6741bd20d8383d75ad852a37699fbfb4b896.tar.xz
Backport a bunch of fixes and small features
Diffstat (limited to '0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch')
-rw-r--r--0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch198
1 files changed, 198 insertions, 0 deletions
diff --git a/0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch b/0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch
new file mode 100644
index 0000000..74a376c
--- /dev/null
+++ b/0268-pam_systemd-do-not-set-XDG_RUNTIME_DIR-if-the-sessio.patch
@@ -0,0 +1,198 @@
+From 4ae930d9ddb8d2f806f89068142f4e7cd4df85e6 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 26 Nov 2013 05:05:00 +0100
+Subject: [PATCH] pam_systemd: do not set XDG_RUNTIME_DIR if the session's
+ original user is not the same as the newly logged in one
+
+It's better not to set any XDG_RUNTIME_DIR at all rather than one of a
+different user. So let's do this.
+
+This changes the bus call parameters of CreateSession(), but that is
+explicitly an internal API hence should be fine. Note however, that a
+logind restart (the way the RPM postinst scriptlets do it) is necessary
+to make things work again.
+
+(cherry picked from commit baae0358f349870544884e405e82e4be7d8add9f)
+
+Conflicts:
+ src/login/logind-dbus.c
+ src/login/logind-session-dbus.c
+ src/login/pam-module.c
+
+Note: Backported by Dr. Werner Fink <werner@suse.de>
+---
+ src/login/logind-dbus.c | 1 +
+ src/login/logind-session-dbus.c | 1 +
+ src/login/pam-module.c | 67 ++++++++++++++++++++++-------------------
+ 3 files changed, 38 insertions(+), 31 deletions(-)
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 583d62e..6f3e442 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -523,6 +523,7 @@ static int bus_manager_create_session(Manager *m, DBusMessage *message) {
+ DBUS_TYPE_OBJECT_PATH, &path,
+ DBUS_TYPE_STRING, &session->user->runtime_path,
+ DBUS_TYPE_UNIX_FD, &fifo_fd,
++ DBUS_TYPE_UINT32, &session->user->uid,
+ DBUS_TYPE_STRING, &cseat,
+ DBUS_TYPE_UINT32, &vtnr,
+ DBUS_TYPE_BOOLEAN, &exists,
+diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c
+index be4e01c..86b0746 100644
+--- a/src/login/logind-session-dbus.c
++++ b/src/login/logind-session-dbus.c
+@@ -755,6 +755,7 @@ int session_send_create_reply(Session *s, DBusError *error) {
+ DBUS_TYPE_OBJECT_PATH, &path,
+ DBUS_TYPE_STRING, &s->user->runtime_path,
+ DBUS_TYPE_UNIX_FD, &fifo_fd,
++ DBUS_TYPE_UINT32, &s->user->uid,
+ DBUS_TYPE_STRING, &cseat,
+ DBUS_TYPE_UINT32, &vtnr,
+ DBUS_TYPE_BOOLEAN, &exists,
+diff --git a/src/login/pam-module.c b/src/login/pam-module.c
+index aa09ec1..4d6b052 100644
+--- a/src/login/pam-module.c
++++ b/src/login/pam-module.c
+@@ -86,31 +86,24 @@ static int get_user_data(
+
+ const char *username = NULL;
+ struct passwd *pw = NULL;
+- uid_t uid;
+ int r;
+
+ assert(handle);
+ assert(ret_username);
+ assert(ret_pw);
+
+- r = audit_loginuid_from_pid(0, &uid);
+- if (r >= 0)
+- pw = pam_modutil_getpwuid(handle, uid);
+- else {
+- r = pam_get_user(handle, &username, NULL);
+- if (r != PAM_SUCCESS) {
+- pam_syslog(handle, LOG_ERR, "Failed to get user name.");
+- return r;
+- }
+-
+- if (isempty(username)) {
+- pam_syslog(handle, LOG_ERR, "User name not valid.");
+- return PAM_AUTH_ERR;
+- }
++ r = pam_get_user(handle, &username, NULL);
++ if (r != PAM_SUCCESS) {
++ pam_syslog(handle, LOG_ERR, "Failed to get user name.");
++ return r;
++ }
+
+- pw = pam_modutil_getpwnam(handle, username);
++ if (isempty(username)) {
++ pam_syslog(handle, LOG_ERR, "User name not valid.");
++ return PAM_AUTH_ERR;
+ }
+
++ pw = pam_modutil_getpwnam(handle, username);
+ if (!pw) {
+ pam_syslog(handle, LOG_ERR, "Failed to get user data.");
+ return PAM_USER_UNKNOWN;
+@@ -123,16 +116,14 @@ static int get_user_data(
+ }
+
+ static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
+- _cleanup_free_ char *p = NULL;
+- int r;
+- _cleanup_close_ int fd = -1;
+ union sockaddr_union sa = {
+ .un.sun_family = AF_UNIX,
+ };
++ _cleanup_free_ char *p = NULL, *tty = NULL;
++ _cleanup_close_ int fd = -1;
+ struct ucred ucred;
+ socklen_t l;
+- _cleanup_free_ char *tty = NULL;
+- int v;
++ int v, r;
+
+ assert(display);
+ assert(vtnr);
+@@ -194,14 +185,12 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ dbus_bool_t remote, existing;
+ int r;
+ uint32_t vtnr = 0;
++ uid_t original_uid;
+
+ assert(handle);
+
+ dbus_error_init(&error);
+
+- if (debug)
+- pam_syslog(handle, LOG_INFO, "pam-systemd initializing");
+-
+ /* Make this a NOP on non-logind systems */
+ if (!logind_running())
+ return PAM_SUCCESS;
+@@ -214,6 +203,9 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ goto finish;
+ }
+
++ if (debug)
++ pam_syslog(handle, LOG_INFO, "pam-systemd initializing");
++
+ r = get_user_data(handle, &username, &pw);
+ if (r != PAM_SUCCESS)
+ goto finish;
+@@ -381,7 +373,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Asking logind to create session: "
+ "uid=%u pid=%u service=%s type=%s class=%s seat=%s vtnr=%u tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
+- uid, pid, service, type, class, seat, vtnr, tty, display, yes_no(remote), remote_user, remote_host);
++ pw->pw_uid, pid,
++ strempty(service),
++ type, class,
++ seat, vtnr, tty, display,
++ yes_no(remote), remote_user, remote_host);
+
+ reply = dbus_connection_send_with_reply_and_block(bus, m, -1, &error);
+ if (!reply) {
+@@ -395,6 +391,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ DBUS_TYPE_OBJECT_PATH, &object_path,
+ DBUS_TYPE_STRING, &runtime_path,
+ DBUS_TYPE_UNIX_FD, &session_fd,
++ DBUS_TYPE_UINT32, &original_uid,
+ DBUS_TYPE_STRING, &seat,
+ DBUS_TYPE_UINT32, &vtnr,
+ DBUS_TYPE_BOOLEAN, &existing,
+@@ -406,8 +403,8 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Reply from logind: "
+- "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u",
+- id, object_path, runtime_path, session_fd, seat, vtnr);
++ "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
++ id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
+
+ r = pam_misc_setenv(handle, "XDG_SESSION_ID", id, 0);
+ if (r != PAM_SUCCESS) {
+@@ -415,10 +412,18 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ goto finish;
+ }
+
+- r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", runtime_path, 0);
+- if (r != PAM_SUCCESS) {
+- pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
+- goto finish;
++ if (original_uid == pw->pw_uid) {
++ /* Don't set $XDG_RUNTIME_DIR if the user we now
++ * authenticated for does not match the original user
++ * of the session. We do this in order not to result
++ * in privileged apps clobbering the runtime directory
++ * unnecessarily. */
++
++ r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", runtime_path, 0);
++ if (r != PAM_SUCCESS) {
++ pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
++ goto finish;
++ }
+ }
+
+ if (!isempty(seat)) {