path: root/src/login
Age | Commit message | Author
2013-12-10 | bus: introduce "trusted" bus concept and encode access control in object vtables | Lennart Poettering
Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method.

Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast.

By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary.

On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer.

This also decorates the vtables of the various daemons we ship with these flags.
2013-12-08 | Help output spring cleaning | Zbigniew Jędrzejewski-Szmek
Use [brackets] only for optional elements. Use <optional> in XML sources.
2013-12-06 | Get rid of our reimplementation of basename | Zbigniew Jędrzejewski-Szmek
The only problem is that libgen.h #defines basename to point to its own broken implementation instead of the GNU one. This can be fixed by #undefining basename.
2013-12-03 | bus: make sd_bus_request_name() and sd_bus_release_name() behave more like other calls | Lennart Poettering
Instead of returning an enum of return codes, make them return error codes like kdbus does internally. Also, document this behaviour so that clients can stick to it. (Also rework bus-control.c to always have two functions for dbus1 vs. kernel implementation of the various calls.)
2013-12-02 | Use assert_return in more of the public API | Thomas Hindoe Paaboel Andersen
2013-12-01 | logind: fix "CanGraphical" attribute to return correct value | David Herrmann
We should return seat_can_graphical() instead of seat_can_tty() for the public dbus CanGraphical attribute. This used to work, but the dbus -> sd-bus conversion introduced this regression.
2013-11-30 | sysfs-show.c: return negative error | Thomas Hindoe Paaboel Andersen
introduced in 1ca208fb4f93e5869704af1812cbff7130a2fc03
2013-11-28 | bus: add new sd_bus_creds object to encapsulate process credentials | Lennart Poettering
This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc. Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the attached information if possible, the sending name information if available and otherwise the peer's credentials.
2013-11-28 | logind: remove unused session->closing field | David Herrmann
This field is always false, drop it. If you want a reliable way to get session state, call session_get_state(). Testing for any flags directly doesn't work currently so don't pretend it would.
2013-11-28 | logind: require VTs on seat0 and forbid elsewhere | David Herrmann
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try attaching it to seat0. For seats without VTs, we do the exact opposite: we forbid VTs. There can be odd situations if the session-files contain invalid combinations. However, we try to keep sessions alive and restore state as good as possible.
2013-11-28 | logind: make VT numbers unsigned | David Herrmann
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so we don't need negative numbers at all. Note that most code already assumes it's unsigned so in case there's a negative vtnr, our code may, under special circumstances, silently break. So this patch makes sure all sources of vtnrs verify the validity. Also note that the dbus api already uses unsigned ints.
2013-11-28 | logind: mute/restore VT on behalf of session controllers | David Herrmann
If a session process calls TakeControl(), we now put the VT into KD_GRAPHICS+K_OFF mode. This way, the new session controller can solely rely on the logind-dbus API to manage the session. Once the controller exits or calls ReleaseControl(), we restore the VT. We also restore it, if we lost a controller during crash/restart (but only if there really *was* a controller previously). Note that we also must put the VT into VT_PROCESS mode. We want VT_AUTO semantics, but VT_AUTO+KD_GRAPHICS actually disables *all* VT switches (who came up with that great idea?). Hence, we set VT_PROCESS for logind but acknowledge *all* requests immediately. If a compositor wants custom VT setups, they can still get this by *first* calling TakeControl() and afterwards setting up the VT. logind doesn't touch the VT during controller runtime, only during setup/teardown. This is actually what weston already does.
2013-11-28 | logind: restore session-controller after crash | David Herrmann
We now save the unique bus-name of a session-controller as CONTROLLER=%s in the session files. This allows us to restore the controller after a crash or restart.

Note that we test whether the name is still valid (dbus guarantees that the name is unique as long as the machine is up and running). If it is, we know that the controller still exists and can safely restore it. Our dbus-name-tracking guarantees that we're notified once it exits.

Also note that session-devices are *not* restored. We have no way to know which devices were used before the crash. We could store all these on disk, too, or mark them via udev. However, this seems to be rather cumbersome. Instead, we expect controllers to listen for NewSession signals for their own session. This is sent on session_load() and they can then re-request all devices.

The only race I could find is if logind crashes, then the session controller tries calling ReleaseControl() (which will fail as logind is down) but keeps the bus-connection valid for other independent requests. If logind is restarted, it will restore the old controller and thus block the session. However, this seems unlikely for several reasons:
 - The ReleaseControl() call must occur exactly in the timespan where logind is dead.
 - A process which calls ReleaseControl() usually closes the bus-connection afterwards. Especially if ReleaseControl() fails, the process should notice that something is wrong and close the bus.
 - A process calling ReleaseControl() usually exits afterwards. There may be any cleanup pending, but other than that, usual compositors exit.
 - If a session-controller calls ReleaseControl(), a session is usually considered closing. There is no known use-case where we hand-over session-control in a single session. So we don't care whether the controller is locked afterwards.

So this seems negligible.
2013-11-28 | logind: ignore failing close() on session-devices | David Herrmann
Unfortunately, close() on a revoked/removed character-device fails with ENODEV. I tried tracking this down in the kernel, but couldn't figure out where exactly it comes from. However, can be easily reproduced with:

    fd = open("/dev/input/event0", O_RDWR);
    ioctl(fd, EVIOCREVOKE, 0);
    r = close(fd);

A second close on @fd would return EBADF so the close is actually valid.

We simply ignore close() errors for all session-devices as their access may be revoked asynchronously, or the device might get unplugged. We use close_nointr() in case anyone ever looks at the return value (or anyone runs "grep 'close(' -r src/" to find broken close() calls).

Fixes:
    systemd-logind[31992]: Assertion 'close_nointr(fd) == 0' failed at src/shared/util.c:185, function close_nointr_nofail(). Aborting.
2013-11-28 | login: revert lazy session-activation on non-VT seats | David Herrmann
Existing applications like gdm already depend on new sessions to get immediately activated on seats without VTs. Fixes a bug reported as: [systemd-devel] systemd 208:trouble with inactive user sessions at non-seat0 seats This patch restores the original behavior. We either need to add a new flag for session-creation or some other heuristic to avoid activating new sessions in the future.
2013-11-27 | logind: log which process is delaying suspend and not closing locks | Lennart Poettering
2013-11-26 | pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one | Lennart Poettering
It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-25 | conf-parser: distinguish between multiple sections with the same name | Tom Gundersen
Pass on the line on which a section was declared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish

    [Address]
    Address=192.168.0.1/24
    Label=one

    [Address]
    Address=192.168.0.2/24
    Label=two

from

    [Address]
    Address=192.168.0.1/24
    Label=one
    Address=192.168.0.2/24
    Label=two
2013-11-22 | bus: also add error parameter to object find and enumerator callbacks | Lennart Poettering
Just in order to bring things inline with the method and property callbacks.
2013-11-21 | logind,machined,run: properly invoke StartTransientUnit() bus call | Lennart Poettering
2013-11-21 | bus: rework message handlers to always take an error argument | Lennart Poettering
Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
2013-11-21 | bus: let's simplify things by getting rid of unnecessary bus parameters | Lennart Poettering
2013-11-21 | bus: add API calls to escape string components of objects paths | Lennart Poettering
2013-11-20 | core: convert PID 1 to libsystemd-bus | Lennart Poettering
This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off.

This patch also adds a couple of things to libsystemd-bus, that are necessary to make the port work:
 - Synthesizing of "Disconnected" messages when bus connections are severed.
 - Support for attaching multiple vtables for the same interface on the same path.

This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature.

As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-18 | Remove duplicate includes | Karel Zak
2013-11-18 | use #pragma once instead of foo*foo define guards | Shawn Landden
2013-11-18 | remove unused variables | Thomas Hindoe Paaboel Andersen
2013-11-13 | logind: create the session fifo before saving the session file | Thomas Hindoe Paaboel Andersen
If the session fifo is not created the session state written to the session file is "closing". This caused the lock screen in gnome-shell to go into a loop trying to find the active session. The problem was introduced in the sd-bus port in cc3773810855956bad92337cee8fa193584ab62e Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=71525
2013-11-12 | uaccess: Add new DRM render nodes | Kristian Høgsberg
2013-11-12 | bus: introduce concept of a default bus for each thread and make use of it everywhere | Lennart Poettering
We want to emphasize bus connections as per-thread communication primitives, hence introduce a concept of a per-thread default bus, and make use of it everywhere.
2013-11-12 | bus: introduce concept of a "default" event loop per-thread and make use of it everywhere | Lennart Poettering
Try to emphasize a bit that there should be a mapping between event loops and threads, hence introduce a logic that there's one "default" event loop for each thread, that can be queried via "sd_event_default()".
2013-11-12 | bus: rename sd_bus_send_with_reply_and_block() to sd_bus_call() | Lennart Poettering
The call is one of the most important ones we expose, where we place major emphasis on. We should make sure to give it a short, memorable name.
2013-11-10 | button: don't exit if we cannot handle a button press | Lennart Poettering
2013-11-08 | bus: port remaining code over to use bus_error_message() | Lennart Poettering
2013-11-08 | Remove dead code and unexport some calls | Lennart Poettering
"make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-11-07 | inhibit: more conversions to use bus_log_parse_error() | Lennart Poettering
2013-11-07 | bus: log message parsing errors everywhere with a generalized bus_log_parse_error() | Lennart Poettering
2013-11-07 | polkit: don't spawn local client if we access a remote system | Lennart Poettering
2013-11-07 | loginctl: convert to sd-bus | Simon Peeters
NOTE: the show-* subcommands do not print some properties: these are those with types like (so), a(so), (uo),... we need to fix this, but I'm not sure how
2013-11-07 | pam: the DECIMAL_STR_MAX macro is awesome, let's use it | Lennart Poettering
2013-11-06 | pam_systemd: dup the fd received from logind | Zbigniew Jędrzejewski-Szmek
Otherwise sd_bus_message cleanup would close it.
2013-11-07 | pam: externally our booleans are ints, not unsigneds | Lennart Poettering
2013-11-07 | socket: rework things to have only one sockaddr formatter | Lennart Poettering
2013-11-07 | pam_systemd: pass 'unsigned' instead of 'bool' to sd_bus_message_read() | Kay Sievers
2013-11-06 | pam_systemd: port to libsystemd-bus | Zbigniew Jędrzejewski-Szmek
2013-11-06 | systemd_pam: treat debug as debug=1 and parse all params | Zbigniew Jędrzejewski-Szmek
systemd_pam would ignore all params after the first invalid one. Instead ignore just this one, and parse the rest. There's just one now, but as a matter of principle ;) Also, allow debug as an alias for debug=1, and don't treat invalid debug= options as fatal.
2013-11-06 | clients: unify how we invoke getopt_long() | Lennart Poettering
Among other things this makes sure we always expose a --version command and show it in the help texts.
2013-11-06 | inhibit: don't return error code on --help | Lennart Poettering
2013-11-06 | machined: keep track of the initial leader PID of a machine | Lennart Poettering
This way we can without races always determine the machine for a leader PID. This allows machine managers to query the machine for a forked off container/VM without a race where the child might already have died before we could read the cgroup information from /proc/$PID/cgroup.
2013-11-05 | login: port test-inhibit to libsystemd-bus | Kay Sievers