From 672c48cc065251ddbdc3926221e8a7718241cccd Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 21 Jul 2010 04:32:44 +0200 Subject: [PATCH] pam: remove only sessions we ourselves created in the first place --- src/cgroup-util.c | 20 ++++++++++++++++---- src/log.c | 2 +- src/pam-module.c | 34 +++++++++++++++++++++++++++------- 3 files changed, 44 insertions(+), 12 deletions(-) diff --git a/src/cgroup-util.c b/src/cgroup-util.c index 828b3041..2f3fcb59 100644 --- a/src/cgroup-util.c +++ b/src/cgroup-util.c @@ -25,6 +25,8 @@ #include #include #include +#include +#include #include "cgroup-util.h" #include "log.h" @@ -546,7 +548,17 @@ int cg_create(const char *controller, const char *path) { if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) return r; - r = mkdir_p(fs, 0755); + r = mkdir_parents(fs, 0755); + + if (r >= 0) { + if (mkdir(fs, 0755) >= 0) + r = 1; + else if (errno == EEXIST) + r = 0; + else + r = -errno; + } + free(fs); return r; @@ -577,7 +589,7 @@ int cg_attach(const char *controller, const char *path, pid_t pid) { } int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { - int r; + int r, q; assert(controller); assert(path); @@ -586,8 +598,8 @@ int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { if ((r = cg_create(controller, path)) < 0) return r; - if ((r = cg_attach(controller, path, pid)) < 0) - return r; + if ((q = cg_attach(controller, path, pid)) < 0) + return q; /* This does not remove the cgroup on failure */ diff --git a/src/log.c b/src/log.c index e67a5b3b..28bfb9a1 100644 --- a/src/log.c +++ b/src/log.c @@ -279,7 +279,7 @@ static int write_to_syslog( msghdr.msg_iov = iovec; msghdr.msg_iovlen = ELEMENTSOF(iovec); - if (sendmsg(syslog_fd, &msghdr, 0) < 0) + if (sendmsg(syslog_fd, &msghdr, MSG_NOSIGNAL) < 0) return -errno; return 1; diff --git a/src/pam-module.c b/src/pam-module.c index e5652acb..f668c3b3 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -208,7 +208,7 @@ static int get_user_data( return PAM_SUCCESS; } -static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach) { +static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach, bool remember) { int r; assert(handle); @@ -224,6 +224,17 @@ static int create_user_group(pam_handle_t *handle, const char *group, struct pas return PAM_SESSION_ERR; } + if (r > 0 && remember) { + /* Remember that it was us who created this group, and + * that hence we need to remove it too. This is a + * protection against removing the cgroup when run + * recursively. */ + if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) { + pam_syslog(handle, LOG_ERR, "Failed to install created variable."); + return r; + } + } + if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 || (r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) { pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r)); @@ -247,7 +258,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( assert(handle); - pam_syslog(handle, LOG_INFO, "pam-systemd initializing"); + /* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */ if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0) return PAM_SESSION_ERR; @@ -331,7 +342,9 @@ _public_ PAM_EXTERN int pam_sm_open_session( goto finish; } - if ((r = create_user_group(handle, buf, pw, true)) != PAM_SUCCESS) + pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf); + + if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS) goto finish; r = PAM_SUCCESS; @@ -383,6 +396,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( char *session_path = NULL, *nosession_path = NULL, *user_path = NULL; const char *id; struct passwd *pw; + const void *created = NULL; assert(handle); @@ -411,7 +425,9 @@ _public_ PAM_EXTERN int pam_sm_close_session( goto finish; } - if ((id = pam_getenv(handle, "XDG_SESSION_ID"))) { + pam_get_data(handle, "systemd.created", &created); + + if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) { if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 || asprintf(&nosession_path, "/user/%s/no-session", username) < 0) { @@ -420,15 +436,19 @@ _public_ PAM_EXTERN int pam_sm_close_session( } if (kill_session) { + pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username); + /* Kill processes in session cgroup, and delete it */ if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0) pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r)); } else { + pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path); + /* Migrate processes from session to * no-session cgroup. First, try to create the * no-session group in case it doesn't exist * yet. Also, delete the session group. */ - create_user_group(handle, nosession_path, pw, 0); + create_user_group(handle, nosession_path, pw, false, false); if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0) pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r)); @@ -465,13 +485,13 @@ _public_ PAM_EXTERN int pam_sm_close_session( if (r >= 0) { const char *runtime_dir; - /* This will migrate us to the /user cgroup. */ - if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR"))) if ((r = rm_rf(runtime_dir, false, true)) < 0) pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r)); } + /* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */ + r = PAM_SUCCESS; finish: -- 2.39.5