[thirdparty/systemd.git] / src / pam-module.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <pwd.h>
#include <endian.h>

#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
#include <security/pam_misc.h>

#include "util.h"
#include "cgroup-util.h"
#include "macro.h"
#include "sd-daemon.h"

static int parse_argv(pam_handle_t *handle,
                      int argc, const char **argv,
                      bool *create_session,
                      bool *kill_session,
                      bool *kill_user) {

        unsigned i;

        assert(argc >= 0);
        assert(argc == 0 || argv);

        for (i = 0; i < (unsigned) argc; i++) {
                int k;

                if (startswith(argv[i], "create-session=")) {
                        if ((k = parse_boolean(argv[i] + 15)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument.");
                                return k;
                        }

                        if (create_session)
                                *create_session = k;
                } else if (startswith(argv[i], "kill-session=")) {
                        if ((k = parse_boolean(argv[i] + 13)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument.");
                                return k;
                        }

                        if (kill_session)
                                *kill_session = k;

                } else if (startswith(argv[i], "kill-user=")) {
                        if ((k = parse_boolean(argv[i] + 10)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument.");
                                return k;
                        }

                        if (kill_user)
                                *kill_user = k;
                } else {
                        pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]);
                        return -EINVAL;
                }
        }

        if (kill_session && *kill_session && kill_user)
                *kill_user = true;

        return 0;
}

static int open_file_and_lock(const char *fn) {
        int fd;

        assert(fn);

        if ((fd = open(fn, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_CREAT, 0600)) < 0)
                return -errno;

        /* The BSD socket semantics are a lot nicer than those of
         * POSIX locks. Which is why we use flock() here. BSD locking
         * does not work across NFS which however is not needed here
         * as the filesystems in question should be local, and only
         * locally accessible, and most likely even tmpfs. */

        if (flock(fd, LOCK_EX) < 0)
                return -errno;

        return fd;
}

enum {
        SESSION_ID_AUDIT = 'a',
        SESSION_ID_COUNTER = 'c',
        SESSION_ID_RANDOM = 'r'
};

static uint64_t get_session_id(int *mode) {
        char *s;
        int fd;

        assert(mode);

        /* First attempt: let's use the session ID of the audit
         * system, if it is available. */
        if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
                uint32_t u;
                int r;

                r = safe_atou32(s, &u);
                free(s);

                if (r >= 0 && u != (uint32_t) -1 && u > 0) {
                        *mode = SESSION_ID_AUDIT;
                        return (uint64_t) u;
                }
        }

        /* Second attempt, use our own counter. */
        if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
                uint64_t counter;
                ssize_t r;

                /* We do a bit of endianess swapping here, just to be
                 * sure. /var should be machine specific anyway, and
                 * /var/run even mounted from tmpfs, so this
                 * byteswapping should really not be necessary. But
                 * then again, you never know, so let's avoid any
                 * risk. */

                if (loop_read(fd, &counter, sizeof(counter), false) != sizeof(counter))
                        counter = 1;
                else
                        counter = le64toh(counter) + 1;

                if (lseek(fd, 0, SEEK_SET) == 0) {
                        uint64_t swapped = htole64(counter);

                        r = loop_write(fd, &swapped, sizeof(swapped), false);

                        if (r != sizeof(swapped))
                                r = -EIO;
                } else
                        r = -errno;

                close_nointr_nofail(fd);

                if (r >= 0) {
                        *mode = SESSION_ID_COUNTER;
                        return counter;
                }
        }

        *mode = SESSION_ID_RANDOM;

        /* Last attempt, pick a random value */
        return (uint64_t) random_ull();
}
static int get_user_data(
                pam_handle_t *handle,
                const char **ret_username,
                struct passwd **ret_pw) {

        const char *username = NULL;
        struct passwd *pw = NULL;
        int r;
        bool have_loginuid = false;
        char *s;

        assert(handle);
        assert(ret_username);
        assert(ret_pw);

        if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
                uint32_t u;

                r = safe_atou32(s, &u);
                free(s);

                if (r >= 0 && u != (uint32_t) -1 && u > 0) {
                        have_loginuid = true;
                        pw = pam_modutil_getpwuid(handle, u);
                }
        }

        if (!have_loginuid) {
                if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
                        pam_syslog(handle, LOG_ERR, "Failed to get user name.");
                        return r;
                }

                if (!username || !*username) {
                        pam_syslog(handle, LOG_ERR, "User name not valid.");
                        return PAM_AUTH_ERR;
                }

                pw = pam_modutil_getpwnam(handle, username);
        }

        if (!pw) {
                pam_syslog(handle, LOG_ERR, "Failed to get user data.");
                return PAM_USER_UNKNOWN;
        }

        *ret_pw = pw;
        *ret_username = username ? username : pw->pw_name;

        return PAM_SUCCESS;
}

static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach, bool remember) {
        int r;

        assert(handle);
        assert(group);

        if (attach)
                r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, group, 0);
        else
                r = cg_create(SYSTEMD_CGROUP_CONTROLLER, group);

        if (r < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r));
                return PAM_SESSION_ERR;
        }

        if (r > 0 && remember) {
                /* Remember that it was us who created this group, and
                 * that hence we need to remove it too. This is a
                 * protection against removing the cgroup when run
                 * recursively. */
                if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
                        pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
                        return r;
                }
        }

        if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 ||
            (r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
                return PAM_SESSION_ERR;
        }

        return PAM_SUCCESS;
}

_public_ PAM_EXTERN int pam_sm_open_session(
                pam_handle_t *handle,
                int flags,
                int argc, const char **argv) {

        const char *username = NULL;
        struct passwd *pw;
        int r;
        char *buf = NULL;
        int lock_fd = -1;
        bool create_session = true;

        assert(handle);

        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */

        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
                return PAM_SESSION_ERR;

        /* Make this a NOP on non-systemd systems */
        if (sd_booted() <= 0)
                return PAM_SUCCESS;

        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                goto finish;

        if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        /* Create /var/run/$USER */
        free(buf);
        if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) {
                pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        } else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) {
                pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
                goto finish;
        }

        free(buf);
        buf = NULL;

        if (create_session) {
                const char *id;

                /* Reuse or create XDG session ID */
                if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
                        int mode;

                        if (asprintf(&buf, "%llux", (unsigned long long) get_session_id(&mode)) < 0) {
                                r = PAM_BUF_ERR;
                                goto finish;
                        }

                        /* To avoid id clashes we add the session id
                         * source to our session ids. Note that the
                         * session id source might change during
                         * runtime, because a filesystem became
                         * writable or the system reconfigured. */
                        buf[strlen(buf)-1] =
                                mode != SESSION_ID_AUDIT ? (char) mode : 0;

                        if ((r = pam_misc_setenv(handle, "XDG_SESSION_ID", buf, 0)) != PAM_SUCCESS) {
                                pam_syslog(handle, LOG_ERR, "Failed to set session id.");
                                goto finish;
                        }

                        if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
                                pam_syslog(handle, LOG_ERR, "Failed to get session id.");
                                r = PAM_SESSION_ERR;
                                goto finish;
                        }
                }

                r = asprintf(&buf, "/user/%s/%s", username, id);
        } else
                r = asprintf(&buf, "/user/%s/master", username);

        if (r < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);

        if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
                goto finish;

        r = PAM_SUCCESS;

finish:
        free(buf);

        if (lock_fd >= 0)
                close_nointr_nofail(lock_fd);

        return r;
}

static int session_remains(pam_handle_t *handle, const char *user_path) {
        int r;
        bool remains = false;
        DIR *d;
        char *subgroup;

        if ((r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, user_path, &d)) < 0)
                return r;

        while ((r = cg_read_subgroup(d, &subgroup)) > 0) {

                remains = !streq(subgroup, "master");
                free(subgroup);

                if (remains)
                        break;
        }

        closedir(d);

        if (r < 0)
                return r;

        return !!remains;
}

_public_ PAM_EXTERN int pam_sm_close_session(
                pam_handle_t *handle,
                int flags,
                int argc, const char **argv) {

        const char *username = NULL;
        bool kill_session = false;
        bool kill_user = false;
        int lock_fd = -1, r;
        char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
        const char *id;
        struct passwd *pw;
        const void *created = NULL;

        assert(handle);

        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0)
                return PAM_SESSION_ERR;

        /* Make this a NOP on non-systemd systems */
        if (sd_booted() <= 0)
                return PAM_SUCCESS;

        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                goto finish;

        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        /* We are probably still in some session/user dir. Move ourselves out of the way as first step */
        if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
                pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));

        if (asprintf(&user_path, "/user/%s", username) < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        pam_get_data(handle, "systemd.created", &created);

        if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {

                if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 ||
                    asprintf(&nosession_path, "/user/%s/master", username) < 0) {
                        r = PAM_BUF_ERR;
                        goto finish;
                }

                if (kill_session)  {
                        pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);

                        /* Kill processes in session cgroup, and delete it */
                        if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
                } else {
                        pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);

                        /* Migrate processes from session to user
                         * cgroup. First, try to create the user group
                         * in case it doesn't exist yet. Also, delete
                         * the session group. */
                        create_user_group(handle, nosession_path, pw, false, false);

                        if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
                }
        }

        /* GC user tree */
        cg_trim(SYSTEMD_CGROUP_CONTROLLER, user_path, false);

        if ((r = session_remains(handle, user_path)) < 0)
                pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));

        /* Kill user processes not attached to any session */
        if (kill_user && r == 0) {

                /* Kill user cgroup */
                if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                        pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
        } else {

                if ((r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                        pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));

                /* Remove user cgroup */
                if (r > 0) {
                        if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));

                /* If we managed to find somebody, don't cleanup the cgroup. */
                } else if (r == 0)
                        r = -EBUSY;
        }

        if (r >= 0) {
                const char *runtime_dir;

                if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
                        if ((r = rm_rf(runtime_dir, false, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
        }

        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */

        r = PAM_SUCCESS;

finish:
        if (lock_fd >= 0)
                close_nointr_nofail(lock_fd);

        free(session_path);
        free(nosession_path);
        free(user_path);

        return r;
}
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
8c6db833 LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU General Public License as published by
	10	the Free Software Foundation; either version 2 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	General Public License for more details.
	17
	18	You should have received a copy of the GNU General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <fcntl.h>
	24	#include <sys/file.h>
	25	#include <pwd.h>
a838e6a1	26	#include <endian.h>
8c6db833 LP	27
	28	#include <security/pam_modules.h>
	29	#include <security/_pam_macros.h>
	30	#include <security/pam_modutil.h>
	31	#include <security/pam_ext.h>
	32	#include <security/pam_misc.h>
	33
8c6db833 LP	34	#include "util.h"
	35	#include "cgroup-util.h"
	36	#include "macro.h"
	37	#include "sd-daemon.h"
	38
	39	static int parse_argv(pam_handle_t *handle,
	40	int argc, const char **argv,
	41	bool *create_session,
	42	bool *kill_session,
	43	bool *kill_user) {
	44
	45	unsigned i;
	46
	47	assert(argc >= 0);
	48	assert(argc == 0 \|\| argv);
	49
	50	for (i = 0; i < (unsigned) argc; i++) {
	51	int k;
	52
	53	if (startswith(argv[i], "create-session=")) {
	54	if ((k = parse_boolean(argv[i] + 15)) < 0) {
	55	pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument.");
	56	return k;
	57	}
	58
	59	if (create_session)
	60	*create_session = k;
	61	} else if (startswith(argv[i], "kill-session=")) {
	62	if ((k = parse_boolean(argv[i] + 13)) < 0) {
	63	pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument.");
	64	return k;
	65	}
	66
	67	if (kill_session)
	68	*kill_session = k;
	69
	70	} else if (startswith(argv[i], "kill-user=")) {
	71	if ((k = parse_boolean(argv[i] + 10)) < 0) {
	72	pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument.");
	73	return k;
	74	}
	75
	76	if (kill_user)
	77	*kill_user = k;
	78	} else {
	79	pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]);
	80	return -EINVAL;
	81	}
	82	}
	83
	84	if (kill_session && *kill_session && kill_user)
	85	*kill_user = true;
	86
	87	return 0;
	88	}
	89
	90	static int open_file_and_lock(const char *fn) {
	91	int fd;
	92
	93	assert(fn);
	94
	95	if ((fd = open(fn, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_NOFOLLOW\|O_CREAT, 0600)) < 0)
	96	return -errno;
	97
2e225d65 LP	98	/* The BSD socket semantics are a lot nicer than those of
	99	* POSIX locks. Which is why we use flock() here. BSD locking
	100	* does not work across NFS which however is not needed here
	101	* as the filesystems in question should be local, and only
	102	* locally accessible, and most likely even tmpfs. */
	103
8c6db833 LP	104	if (flock(fd, LOCK_EX) < 0)
	105	return -errno;
	106
	107	return fd;
	108	}
	109
2e225d65 LP	110	enum {
	111	SESSION_ID_AUDIT = 'a',
	112	SESSION_ID_COUNTER = 'c',
	113	SESSION_ID_RANDOM = 'r'
	114	};
	115
	116	static uint64_t get_session_id(int *mode) {
a838e6a1 LP	117	char *s;
a838e6a1 LP	118	int fd;
8c6db833	119
2e225d65 LP	120	assert(mode);
2e225d65 LP	121
a838e6a1 LP	122	/* First attempt: let's use the session ID of the audit
	123	* system, if it is available. */
	124	if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
	125	uint32_t u;
	126	int r;
8c6db833	127
a838e6a1 LP	128	r = safe_atou32(s, &u);
a838e6a1 LP	129	free(s);
8c6db833	130
d90b9d27	131	if (r >= 0 && u != (uint32_t) -1 && u > 0) {
2e225d65	132	*mode = SESSION_ID_AUDIT;
a838e6a1	133	return (uint64_t) u;
2e225d65	134	}
a838e6a1	135	}
8c6db833	136
a838e6a1 LP	137	/* Second attempt, use our own counter. */
	138	if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
	139	uint64_t counter;
	140	ssize_t r;
8c6db833	141
a838e6a1 LP	142	/* We do a bit of endianess swapping here, just to be
	143	* sure. /var should be machine specific anyway, and
	144	* /var/run even mounted from tmpfs, so this
	145	* byteswapping should really not be necessary. But
	146	* then again, you never know, so let's avoid any
	147	* risk. */
8c6db833	148
a838e6a1 LP	149	if (loop_read(fd, &counter, sizeof(counter), false) != sizeof(counter))
	150	counter = 1;
	151	else
	152	counter = le64toh(counter) + 1;
8c6db833	153
a838e6a1 LP	154	if (lseek(fd, 0, SEEK_SET) == 0) {
	155	uint64_t swapped = htole64(counter);
	156
	157	r = loop_write(fd, &swapped, sizeof(swapped), false);
	158
	159	if (r != sizeof(swapped))
	160	r = -EIO;
	161	} else
	162	r = -errno;
8c6db833	163
a838e6a1 LP	164	close_nointr_nofail(fd);
a838e6a1 LP	165
2e225d65 LP	166	if (r >= 0) {
2e225d65 LP	167	*mode = SESSION_ID_COUNTER;
a838e6a1	168	return counter;
2e225d65	169	}
a838e6a1 LP	170	}
a838e6a1 LP	171
2e225d65 LP	172	*mode = SESSION_ID_RANDOM;
2e225d65 LP	173
a838e6a1 LP	174	/* Last attempt, pick a random value */
	175	return (uint64_t) random_ull();
	176	}
8c6db833 LP	177	static int get_user_data(
	178	pam_handle_t *handle,
	179	const char **ret_username,
	180	struct passwd **ret_pw) {
	181
d90b9d27 LP	182	const char *username = NULL;
d90b9d27 LP	183	struct passwd *pw = NULL;
8c6db833	184	int r;
d90b9d27 LP	185	bool have_loginuid = false;
d90b9d27 LP	186	char *s;
8c6db833 LP	187
	188	assert(handle);
	189	assert(ret_username);
	190	assert(ret_pw);
	191
d90b9d27 LP	192	if (read_one_line_file("/proc/self/loginuid", &s) >= 0) {
	193	uint32_t u;
	194
	195	r = safe_atou32(s, &u);
	196	free(s);
	197
	198	if (r >= 0 && u != (uint32_t) -1 && u > 0) {
	199	have_loginuid = true;
	200	pw = pam_modutil_getpwuid(handle, u);
	201	}
8c6db833 LP	202	}
8c6db833 LP	203
d90b9d27 LP	204	if (!have_loginuid) {
	205	if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
	206	pam_syslog(handle, LOG_ERR, "Failed to get user name.");
	207	return r;
	208	}
	209
	210	if (!username \|\| !*username) {
	211	pam_syslog(handle, LOG_ERR, "User name not valid.");
	212	return PAM_AUTH_ERR;
	213	}
	214
	215	pw = pam_modutil_getpwnam(handle, username);
8c6db833 LP	216	}
8c6db833 LP	217
d90b9d27	218	if (!pw) {
8c6db833 LP	219	pam_syslog(handle, LOG_ERR, "Failed to get user data.");
	220	return PAM_USER_UNKNOWN;
	221	}
	222
	223	*ret_pw = pw;
d90b9d27	224	*ret_username = username ? username : pw->pw_name;
8c6db833 LP	225
	226	return PAM_SUCCESS;
	227	}
	228
672c48cc	229	static int create_user_group(pam_handle_t handle, const char group, struct passwd *pw, bool attach, bool remember) {
8c6db833 LP	230	int r;
	231
	232	assert(handle);
	233	assert(group);
	234
	235	if (attach)
c6c18be3	236	r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, group, 0);
8c6db833	237	else
c6c18be3	238	r = cg_create(SYSTEMD_CGROUP_CONTROLLER, group);
8c6db833 LP	239
	240	if (r < 0) {
	241	pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r));
	242	return PAM_SESSION_ERR;
	243	}
	244
672c48cc LP	245	if (r > 0 && remember) {
	246	/* Remember that it was us who created this group, and
	247	* that hence we need to remove it too. This is a
	248	* protection against removing the cgroup when run
	249	* recursively. */
	250	if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
	251	pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
	252	return r;
	253	}
	254	}
	255
c6c18be3 LP	256	if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 \|\|
c6c18be3 LP	257	(r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
8c6db833 LP	258	pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
	259	return PAM_SESSION_ERR;
	260	}
	261
	262	return PAM_SUCCESS;
	263	}
	264
	265	_public_ PAM_EXTERN int pam_sm_open_session(
	266	pam_handle_t *handle,
	267	int flags,
	268	int argc, const char **argv) {
	269
	270	const char *username = NULL;
	271	struct passwd *pw;
	272	int r;
	273	char *buf = NULL;
	274	int lock_fd = -1;
	275	bool create_session = true;
	276
	277	assert(handle);
	278
672c48cc	279	/* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */
8c6db833 LP	280
	281	if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
	282	return PAM_SESSION_ERR;
	283
	284	/* Make this a NOP on non-systemd systems */
	285	if (sd_booted() <= 0)
	286	return PAM_SUCCESS;
	287
8c6db833 LP	288	if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
	289	goto finish;
	290
	291	if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
	292	pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
	293	r = PAM_SYSTEM_ERR;
	294	goto finish;
	295	}
	296
	297	if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
	298	pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
	299	r = PAM_SYSTEM_ERR;
	300	goto finish;
	301	}
	302
	303	/* Create /var/run/$USER */
	304	free(buf);
	305	if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
	306	r = PAM_BUF_ERR;
	307	goto finish;
	308	}
	309
	310	if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) {
	311	pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m");
	312	r = PAM_SYSTEM_ERR;
	313	goto finish;
	314	} else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) {
	315	pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
	316	goto finish;
	317	}
	318
	319	free(buf);
	320	buf = NULL;
	321
	322	if (create_session) {
a838e6a1	323	const char *id;
8c6db833 LP	324
8c6db833 LP	325	/* Reuse or create XDG session ID */
a838e6a1	326	if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
2e225d65	327	int mode;
a838e6a1	328
2e225d65	329	if (asprintf(&buf, "%llux", (unsigned long long) get_session_id(&mode)) < 0) {
8c6db833 LP	330	r = PAM_BUF_ERR;
	331	goto finish;
	332	}
	333
2e225d65 LP	334	/* To avoid id clashes we add the session id
	335	* source to our session ids. Note that the
	336	* session id source might change during
	337	* runtime, because a filesystem became
	338	* writable or the system reconfigured. */
	339	buf[strlen(buf)-1] =
	340	mode != SESSION_ID_AUDIT ? (char) mode : 0;
	341
a838e6a1 LP	342	if ((r = pam_misc_setenv(handle, "XDG_SESSION_ID", buf, 0)) != PAM_SUCCESS) {
a838e6a1 LP	343	pam_syslog(handle, LOG_ERR, "Failed to set session id.");
8c6db833 LP	344	goto finish;
	345	}
	346
a838e6a1 LP	347	if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
a838e6a1 LP	348	pam_syslog(handle, LOG_ERR, "Failed to get session id.");
8c6db833 LP	349	r = PAM_SESSION_ERR;
	350	goto finish;
	351	}
	352	}
	353
a838e6a1	354	r = asprintf(&buf, "/user/%s/%s", username, id);
8c6db833	355	} else
96a8cbfa	356	r = asprintf(&buf, "/user/%s/master", username);
8c6db833 LP	357
	358	if (r < 0) {
	359	r = PAM_BUF_ERR;
	360	goto finish;
	361	}
	362
672c48cc LP	363	pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);
	364
	365	if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
8c6db833 LP	366	goto finish;
	367
	368	r = PAM_SUCCESS;
	369
	370	finish:
	371	free(buf);
	372
	373	if (lock_fd >= 0)
	374	close_nointr_nofail(lock_fd);
	375
	376	return r;
	377	}
	378
	379	static int session_remains(pam_handle_t handle, const char user_path) {
35d2e7ec	380	int r;
8c6db833	381	bool remains = false;
35d2e7ec LP	382	DIR *d;
35d2e7ec LP	383	char *subgroup;
8c6db833	384
35d2e7ec LP	385	if ((r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, user_path, &d)) < 0)
35d2e7ec LP	386	return r;
8c6db833	387
35d2e7ec	388	while ((r = cg_read_subgroup(d, &subgroup)) > 0) {
8c6db833	389
96a8cbfa	390	remains = !streq(subgroup, "master");
35d2e7ec	391	free(subgroup);
8c6db833	392
35d2e7ec LP	393	if (remains)
35d2e7ec LP	394	break;
8c6db833 LP	395	}
8c6db833 LP	396
35d2e7ec	397	closedir(d);
8c6db833	398
35d2e7ec LP	399	if (r < 0)
35d2e7ec LP	400	return r;
8c6db833	401
35d2e7ec	402	return !!remains;
8c6db833 LP	403	}
	404
	405	_public_ PAM_EXTERN int pam_sm_close_session(
	406	pam_handle_t *handle,
	407	int flags,
	408	int argc, const char **argv) {
	409
	410	const char *username = NULL;
	411	bool kill_session = false;
	412	bool kill_user = false;
	413	int lock_fd = -1, r;
	414	char session_path = NULL, nosession_path = NULL, *user_path = NULL;
a838e6a1	415	const char *id;
8c6db833	416	struct passwd *pw;
672c48cc	417	const void *created = NULL;
8c6db833 LP	418
	419	assert(handle);
	420
	421	if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0)
	422	return PAM_SESSION_ERR;
	423
	424	/* Make this a NOP on non-systemd systems */
	425	if (sd_booted() <= 0)
	426	return PAM_SUCCESS;
	427
	428	if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
	429	goto finish;
	430
	431	if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
	432	pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
	433	r = PAM_SYSTEM_ERR;
	434	goto finish;
	435	}
	436
824a1d59	437	/* We are probably still in some session/user dir. Move ourselves out of the way as first step */
35d2e7ec LP	438	if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
	439	pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));
	440
8c6db833 LP	441	if (asprintf(&user_path, "/user/%s", username) < 0) {
	442	r = PAM_BUF_ERR;
	443	goto finish;
	444	}
	445
672c48cc LP	446	pam_get_data(handle, "systemd.created", &created);
	447
	448	if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {
8c6db833	449
a838e6a1	450	if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 \|\|
96a8cbfa	451	asprintf(&nosession_path, "/user/%s/master", username) < 0) {
8c6db833 LP	452	r = PAM_BUF_ERR;
	453	goto finish;
	454	}
	455
	456	if (kill_session) {
672c48cc LP	457	pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
672c48cc LP	458
35d2e7ec LP	459	/* Kill processes in session cgroup, and delete it */
35d2e7ec LP	460	if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
8c6db833	461	pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
35d2e7ec	462	} else {
672c48cc LP	463	pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);
672c48cc LP	464
824a1d59 LP	465	/* Migrate processes from session to user
	466	* cgroup. First, try to create the user group
	467	* in case it doesn't exist yet. Also, delete
	468	* the session group. */
672c48cc	469	create_user_group(handle, nosession_path, pw, false, false);
8c6db833	470
35d2e7ec	471	if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
8c6db833 LP	472	pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
8c6db833 LP	473	}
8c6db833 LP	474	}
	475
	476	/* GC user tree */
c6c18be3	477	cg_trim(SYSTEMD_CGROUP_CONTROLLER, user_path, false);
8c6db833 LP	478
	479	if ((r = session_remains(handle, user_path)) < 0)
	480	pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
	481
	482	/* Kill user processes not attached to any session */
	483	if (kill_user && r == 0) {
	484
824a1d59	485	/* Kill user cgroup */
35d2e7ec	486	if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
8c6db833 LP	487	pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
	488	} else {
	489
c6c18be3	490	if ((r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
8c6db833 LP	491	pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));
8c6db833 LP	492
35d2e7ec LP	493	/* Remove user cgroup */
	494	if (r > 0) {
	495	if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
	496	pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));
	497
	498	/* If we managed to find somebody, don't cleanup the cgroup. */
	499	} else if (r == 0)
8c6db833 LP	500	r = -EBUSY;
	501	}
	502
	503	if (r >= 0) {
	504	const char *runtime_dir;
	505
8c6db833 LP	506	if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
	507	if ((r = rm_rf(runtime_dir, false, true)) < 0)
	508	pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
	509	}
	510
672c48cc LP	511	/* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */
672c48cc LP	512
8c6db833 LP	513	r = PAM_SUCCESS;
	514
	515	finish:
	516	if (lock_fd >= 0)
	517	close_nointr_nofail(lock_fd);
	518
	519	free(session_path);
	520	free(nosession_path);
	521	free(user_path);
	522
	523	return r;
	524	}