diff options
-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | man/pam_systemd.xml | 17 | ||||
-rw-r--r-- | src/pam-module.c | 19 |
3 files changed, 31 insertions, 7 deletions
@@ -4,8 +4,6 @@ * figure out what happened to bluez patch -* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0 - * introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot * Patch systemd-fsck to use -C and pass console fd to it diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index cd806da931..eddd8e003f 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -202,6 +202,20 @@ </varlistentry> <varlistentry> + <term><option>keep-root=</option></term> + + <listitem><para>Takes a boolean + argument. If true, all processes + created by the root user (UID 0) during his + session and from his session will be + kept around after he logged out. This + option allows cancelling the effect of + <option>kill-session=1</option> and + <option>kill-user=1</option> for the + root user.</para></listitem> + </varlistentry> + + <varlistentry> <term><option>controllers=</option></term> <listitem><para>Takes a comma @@ -230,7 +244,8 @@ <para>If the options are omitted they default to <option>create-session=1</option>, <option>kill-session=0</option>, - <option>kill-user=0</option>.</para> + <option>kill-user=0</option>, + <option>keep-root=1</option>.</para> </refsect1> <refsect1> diff --git a/src/pam-module.c b/src/pam-module.c index 6fbaecf51d..52507a4cbd 100644 --- a/src/pam-module.c +++ b/src/pam-module.c @@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle, bool *create_session, bool *kill_session, bool *kill_user, + bool *keep_root, char ***controllers) { unsigned i; @@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle, if (kill_user) *kill_user = k; + } else if (startswith(argv[i], "keep-root=")) { + if ((k = parse_boolean(argv[i] + 10)) < 0) { + pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument."); + return k; + } + + if (keep_root) + *keep_root = k; + } else if (startswith(argv[i], "controllers=")) { if (controllers) { @@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( if (sd_booted() <= 0) return PAM_SUCCESS; - if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0) + if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0) return PAM_SESSION_ERR; if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) @@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( const char *username = NULL; bool kill_session = false; bool kill_user = false; + bool keep_root = true; int lock_fd = -1, r; char *session_path = NULL, *nosession_path = NULL, *user_path = NULL; const char *id; @@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( if (sd_booted() <= 0) return PAM_SUCCESS; - if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0) + if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0) return PAM_SESSION_ERR; if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) @@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( goto finish; } - if (kill_session) { + if (kill_session && (pw->pw_uid != 0 || !keep_root)) { pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username); /* Kill processes in session cgroup, and delete it */ @@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session( pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r)); /* Kill user processes not attached to any session */ - if (kill_user && r == 0) { + if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) { /* Kill user cgroup */ if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0) |