| author | David Herrmann <dh.herrmann@gmail.com> | 2015-09-23 00:51:20 +0200 |
|---|---|---|
| committer | David Herrmann <dh.herrmann@gmail.com> | 2015-09-23 00:51:20 +0200 |
| commit | 2d7c6aa20cef0128e7a90c4da3d3519ed5c6b0f3 (patch) | |
| tree | 180deba3d9fa1352fb7b6a56ff8c677c7b23c88e /TODO | |
| parent | 3c0fffb74ef7ea572182d9637847e950e9a3a922 (diff) | |
core: make setup_pam() synchronous

If we spawn a unit with a non-empty 'PAMName=', we fork off a
child-process _inside_ the unit, known as '(sd-pam)', which watches the
session. It waits for the main-process to exit and then finishes it via
pam_close_session(3).

However, the '(sd-pam)' setup is highly asynchronous. There is no
guarantee that the process gets spawned before we finish the unit setup.
Therefore, there might be a root-owned process inside of the cgroup of
the unit, thus causing cg_migrate() to error out with EPERM.

This patch makes setup_pam() synchronous and waits for the '(sd-pam)'
setup to finish before continuing. This guarantees that setresuid(2) was
at least tried before we continue with the child setup of the real unit.

Note that if setresuid(2) fails, we already warn loudly about it. You
really must make sure that you own the passed user if using 'PAMName='.
It seems very plausible to rely on that assumption.
Diffstat (limited to 'TODO')
0 files changed, 0 insertions, 0 deletions
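The commit message describes a parent that must not proceed until its forked watcher child has at least attempted to drop privileges, otherwise a still-root-owned process sits in the unit's cgroup and the later migration fails with EPERM. The following is an added example of that synchronous hand-off, not systemd's own code: it uses a plain pipe as the barrier (systemd's barrier helper is not reproduced here), and the names `spawn_watcher_sync`, `SPAWN_*` and the `uid` parameter are hypothetical. The child attempts `setresuid(2)`, reports the outcome through the pipe, and only then does the parent's `read()` return, so the parent knows the privilege drop was tried before it continues with its own setup.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent learns before it continues its own setup
 * (hypothetical names; the real code warns and carries on). */
enum spawn_result {
    SPAWN_SETUP_DONE = 0,   /* child reached the barrier, setresuid() succeeded */
    SPAWN_SETUP_FAILED,     /* child reached the barrier, setresuid() failed   */
    SPAWN_ERROR             /* pipe/fork failure or child died before barrier  */
};

/* Fork a watcher child standing in for '(sd-pam)', have it try to switch
 * to `uid`, and block in the parent until the child reports the outcome.
 * Returns only after the child has at least *attempted* setresuid(2). */
enum spawn_result spawn_watcher_sync(uid_t uid, pid_t *out_pid)
{
    int fds[2];
    if (pipe(fds) < 0)
        return SPAWN_ERROR;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return SPAWN_ERROR;
    }

    if (pid == 0) {
        /* child: only the write end is needed */
        close(fds[0]);

        char status = 0;
        if (setresuid(uid, uid, uid) < 0) {
            status = 1;
            fprintf(stderr, "watcher: setresuid(%u) failed: %s\n",
                    (unsigned)uid, strerror(errno));
        }

        /* This write releases the barrier; the parent is blocked in read(). */
        if (write(fds[1], &status, 1) != 1)
            _exit(1);
        close(fds[1]);

        /* A real '(sd-pam)' would now wait for the main process and call
         * pam_close_session(3); this example simply exits so it terminates. */
        _exit(0);
    }

    /* parent: drop the write end so read() sees EOF if the child dies early */
    close(fds[1]);

    char status;
    ssize_t n;
    do {
        n = read(fds[0], &status, 1);
    } while (n < 0 && errno == EINTR);
    close(fds[0]);

    if (n != 1) {
        /* child exited before reaching the barrier; reap it and report */
        waitpid(pid, NULL, 0);
        return SPAWN_ERROR;
    }

    if (out_pid)
        *out_pid = pid;
    return status == 0 ? SPAWN_SETUP_DONE : SPAWN_SETUP_FAILED;
}

int main(void)
{
    pid_t pid;
    /* switching to our own uid always succeeds, so this demonstrates the
     * happy path without needing privileges */
    enum spawn_result r = spawn_watcher_sync(getuid(), &pid);
    printf("watcher setup result: %d (0 = done)\n", (int)r);
    if (r != SPAWN_ERROR)
        waitpid(pid, NULL, 0);
    return r == SPAWN_SETUP_DONE ? 0 : 1;
}
```

The important property is the ordering, not the pipe itself: the parent cannot return from `spawn_watcher_sync()` until the child has executed its `setresuid()` call, which is exactly the guarantee the commit message says the synchronous `setup_pam()` provides. A caller that passed a uid it does not own would get `SPAWN_SETUP_FAILED` here, mirroring the loud warning the message mentions; the example does not otherwise change that policy.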