summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--TODO2
-rw-r--r--man/pam_systemd.xml17
-rw-r--r--src/pam-module.c19
3 files changed, 31 insertions, 7 deletions
diff --git a/TODO b/TODO
index 61a8cfcdd1..48f4628abf 100644
--- a/TODO
+++ b/TODO
@@ -4,8 +4,6 @@
* figure out what happened to bluez patch
-* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0
-
* introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot
* Patch systemd-fsck to use -C and pass console fd to it
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index cd806da931..eddd8e003f 100644
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -202,6 +202,20 @@
</varlistentry>
<varlistentry>
+ <term><option>keep-root=</option></term>
+
+ <listitem><para>Takes a boolean
+ argument. If true, all processes
+ created by the root user (UID 0) during his
+ session and from his session will be
+ kept around after he logged out. This
+ option allows cancelling the effect of
+ <option>kill-session=1</option> and
+ <option>kill-user=1</option> for the
+ root user.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>controllers=</option></term>
<listitem><para>Takes a comma
@@ -230,7 +244,8 @@
<para>If the options are omitted they default to
<option>create-session=1</option>,
<option>kill-session=0</option>,
- <option>kill-user=0</option>.</para>
+ <option>kill-user=0</option>,
+ <option>keep-root=1</option>.</para>
</refsect1>
<refsect1>
diff --git a/src/pam-module.c b/src/pam-module.c
index 6fbaecf51d..52507a4cbd 100644
--- a/src/pam-module.c
+++ b/src/pam-module.c
@@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
bool *create_session,
bool *kill_session,
bool *kill_user,
+ bool *keep_root,
char ***controllers) {
unsigned i;
@@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
if (kill_user)
*kill_user = k;
+ } else if (startswith(argv[i], "keep-root=")) {
+ if ((k = parse_boolean(argv[i] + 10)) < 0) {
+ pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
+ return k;
+ }
+
+ if (keep_root)
+ *keep_root = k;
+
} else if (startswith(argv[i], "controllers=")) {
if (controllers) {
@@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
- if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
+ if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
const char *username = NULL;
bool kill_session = false;
bool kill_user = false;
+ bool keep_root = true;
int lock_fd = -1, r;
char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
const char *id;
@@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
- if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
+ if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
@@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
goto finish;
}
- if (kill_session) {
+ if (kill_session && (pw->pw_uid != 0 || !keep_root)) {
pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
/* Kill processes in session cgroup, and delete it */
@@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
/* Kill user processes not attached to any session */
- if (kill_user && r == 0) {
+ if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
/* Kill user cgroup */
if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)