]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/login/pam_systemd.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #31000 from flatcar-hub/krnowak/mutable-overlays
[thirdparty/systemd.git] / src / login / pam_systemd.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <endian.h>
4 #include <errno.h>
5 #include <fcntl.h>
6 #include <pwd.h>
7 #include <security/_pam_macros.h>
8 #include <security/pam_ext.h>
9 #include <security/pam_misc.h>
10 #include <security/pam_modules.h>
11 #include <security/pam_modutil.h>
12 #include <sys/file.h>
13 #include <sys/stat.h>
14 #include <sys/sysmacros.h>
15 #include <sys/types.h>
16 #include <unistd.h>
17
18 #include "alloc-util.h"
19 #include "audit-util.h"
20 #include "bus-common-errors.h"
21 #include "bus-error.h"
22 #include "bus-internal.h"
23 #include "bus-locator.h"
24 #include "cap-list.h"
25 #include "capability-util.h"
26 #include "cgroup-setup.h"
27 #include "devnum-util.h"
28 #include "errno-util.h"
29 #include "fd-util.h"
30 #include "fileio.h"
31 #include "format-util.h"
32 #include "fs-util.h"
33 #include "hostname-util.h"
34 #include "locale-util.h"
35 #include "login-util.h"
36 #include "macro.h"
37 #include "missing_syscall.h"
38 #include "pam-util.h"
39 #include "parse-util.h"
40 #include "path-util.h"
41 #include "percent-util.h"
42 #include "process-util.h"
43 #include "rlimit-util.h"
44 #include "socket-util.h"
45 #include "stdio-util.h"
46 #include "strv.h"
47 #include "terminal-util.h"
48 #include "user-util.h"
49 #include "userdb.h"
50
51 #define LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC (2*USEC_PER_MINUTE)
52
53 static int parse_caps(
54 pam_handle_t *handle,
55 const char *value,
56 uint64_t *caps) {
57
58 bool subtract;
59 int r;
60
61 assert(handle);
62 assert(value);
63
64 if (value[0] == '~') {
65 subtract = true;
66 value++;
67 } else
68 subtract = false;
69
70 for (;;) {
71 _cleanup_free_ char *s = NULL;
72 uint64_t b, m;
73 int c;
74
75 /* We can't use spaces as separators here, as PAM's simplistic argument parser doesn't allow
76 * spaces inside of arguments. We use commas instead (which is similar to cap_from_text(),
77 * which also uses commas). */
78 r = extract_first_word(&value, &s, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
79 if (r < 0)
80 return r;
81 if (r == 0)
82 break;
83
84 c = capability_from_name(s);
85 if (c < 0) {
86 pam_syslog(handle, LOG_WARNING, "Unknown capability, ignoring: %s", s);
87 continue;
88 }
89
90 m = UINT64_C(1) << c;
91
92 if (!caps)
93 continue;
94
95 if (*caps == UINT64_MAX)
96 b = subtract ? all_capabilities() : 0;
97 else
98 b = *caps;
99
100 if (subtract)
101 *caps = b & ~m;
102 else
103 *caps = b | m;
104 }
105
106 return 0;
107 }
108
109 static int parse_argv(
110 pam_handle_t *handle,
111 int argc, const char **argv,
112 const char **class,
113 const char **type,
114 const char **desktop,
115 bool *debug,
116 uint64_t *default_capability_bounding_set,
117 uint64_t *default_capability_ambient_set) {
118
119 int r;
120
121 assert(handle);
122 assert(argc >= 0);
123 assert(argc == 0 || argv);
124
125 for (int i = 0; i < argc; i++) {
126 const char *p;
127
128 if ((p = startswith(argv[i], "class="))) {
129 if (class)
130 *class = p;
131
132 } else if ((p = startswith(argv[i], "type="))) {
133 if (type)
134 *type = p;
135
136 } else if ((p = startswith(argv[i], "desktop="))) {
137 if (desktop)
138 *desktop = p;
139
140 } else if (streq(argv[i], "debug")) {
141 if (debug)
142 *debug = true;
143
144 } else if ((p = startswith(argv[i], "debug="))) {
145 r = parse_boolean(p);
146 if (r < 0)
147 pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", p);
148 else if (debug)
149 *debug = r;
150
151 } else if ((p = startswith(argv[i], "default-capability-bounding-set="))) {
152 r = parse_caps(handle, p, default_capability_bounding_set);
153 if (r < 0)
154 pam_syslog(handle, LOG_WARNING, "Failed to parse default-capability-bounding-set= argument, ignoring: %s", p);
155
156 } else if ((p = startswith(argv[i], "default-capability-ambient-set="))) {
157 r = parse_caps(handle, p, default_capability_ambient_set);
158 if (r < 0)
159 pam_syslog(handle, LOG_WARNING, "Failed to parse default-capability-ambient-set= argument, ignoring: %s", p);
160
161 } else
162 pam_syslog(handle, LOG_WARNING, "Unknown parameter '%s', ignoring.", argv[i]);
163 }
164
165 return 0;
166 }
167
168 static int acquire_user_record(
169 pam_handle_t *handle,
170 UserRecord **ret_record) {
171
172 _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
173 const char *username = NULL, *json = NULL;
174 _cleanup_free_ char *field = NULL;
175 int r;
176
177 assert(handle);
178
179 r = pam_get_user(handle, &username, NULL);
180 if (r != PAM_SUCCESS)
181 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get user name: @PAMERR@");
182
183 if (isempty(username))
184 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR, "User name not valid.");
185
186 /* If pam_systemd_homed (or some other module) already acquired the user record we can reuse it
187 * here. */
188 field = strjoin("systemd-user-record-", username);
189 if (!field)
190 return pam_log_oom(handle);
191
192 r = pam_get_data(handle, field, (const void**) &json);
193 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
194 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM user record data: @PAMERR@");
195 if (r == PAM_SUCCESS && json) {
196 _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
197
198 /* Parse cached record */
199 r = json_parse(json, JSON_PARSE_SENSITIVE, &v, NULL, NULL);
200 if (r < 0)
201 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to parse JSON user record: %m");
202
203 ur = user_record_new();
204 if (!ur)
205 return pam_log_oom(handle);
206
207 r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
208 if (r < 0)
209 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to load user record: %m");
210
211 /* Safety check if cached record actually matches what we are looking for */
212 if (!streq_ptr(username, ur->user_name))
213 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR,
214 "Acquired user record does not match user name.");
215 } else {
216 _cleanup_free_ char *formatted = NULL;
217
218 /* Request the record ourselves */
219 r = userdb_by_name(username, 0, &ur);
220 if (r < 0) {
221 pam_syslog_errno(handle, LOG_ERR, r, "Failed to get user record: %m");
222 return PAM_USER_UNKNOWN;
223 }
224
225 r = json_variant_format(ur->json, 0, &formatted);
226 if (r < 0)
227 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to format user JSON: %m");
228
229 /* And cache it for everyone else */
230 r = pam_set_data(handle, field, formatted, pam_cleanup_free);
231 if (r != PAM_SUCCESS)
232 return pam_syslog_pam_error(handle, LOG_ERR, r,
233 "Failed to set PAM user record data '%s': @PAMERR@", field);
234 TAKE_PTR(formatted);
235 }
236
237 if (!uid_is_valid(ur->uid))
238 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR,
239 "Acquired user record does not have a UID.");
240
241 if (ret_record)
242 *ret_record = TAKE_PTR(ur);
243
244 return PAM_SUCCESS;
245 }
246
247 static bool display_is_local(const char *display) {
248 assert(display);
249
250 return
251 display[0] == ':' &&
252 ascii_isdigit(display[1]);
253 }
254
255 static int socket_from_display(const char *display) {
256 _cleanup_free_ char *f = NULL;
257 size_t k;
258 char *c;
259 union sockaddr_union sa;
260 socklen_t sa_len;
261 _cleanup_close_ int fd = -EBADF;
262 int r;
263
264 assert(display);
265
266 if (!display_is_local(display))
267 return -EINVAL;
268
269 k = strspn(display+1, "0123456789");
270
271 /* Try abstract socket first. */
272 f = new(char, STRLEN("@/tmp/.X11-unix/X") + k + 1);
273 if (!f)
274 return -ENOMEM;
275
276 c = stpcpy(f, "@/tmp/.X11-unix/X");
277 memcpy(c, display+1, k);
278 c[k] = 0;
279
280 r = sockaddr_un_set_path(&sa.un, f);
281 if (r < 0)
282 return r;
283 sa_len = r;
284
285 fd = RET_NERRNO(socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0));
286 if (fd < 0)
287 return fd;
288
289 r = RET_NERRNO(connect(fd, &sa.sa, sa_len));
290 if (r >= 0)
291 return TAKE_FD(fd);
292 if (r != -ECONNREFUSED)
293 return r;
294
295 /* Try also non-abstract socket. */
296 r = sockaddr_un_set_path(&sa.un, f + 1);
297 if (r < 0)
298 return r;
299 sa_len = r;
300
301 r = RET_NERRNO(connect(fd, &sa.sa, sa_len));
302 if (r >= 0)
303 return TAKE_FD(fd);
304 return r;
305 }
306
307 static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
308 _cleanup_free_ char *sys_path = NULL, *tty = NULL;
309 _cleanup_close_ int fd = -EBADF;
310 struct ucred ucred;
311 int v, r;
312 dev_t display_ctty;
313
314 assert(display);
315 assert(vtnr);
316
317 /* We deduce the X11 socket from the display name, then use
318 * SO_PEERCRED to determine the X11 server process, ask for
319 * the controlling tty of that and if it's a VC then we know
320 * the seat and the virtual terminal. Sounds ugly, is only
321 * semi-ugly. */
322
323 fd = socket_from_display(display);
324 if (fd < 0)
325 return fd;
326
327 r = getpeercred(fd, &ucred);
328 if (r < 0)
329 return r;
330
331 r = get_ctty_devnr(ucred.pid, &display_ctty);
332 if (r < 0)
333 return r;
334
335 if (asprintf(&sys_path, "/sys/dev/char/" DEVNUM_FORMAT_STR, DEVNUM_FORMAT_VAL(display_ctty)) < 0)
336 return -ENOMEM;
337 r = readlink_value(sys_path, &tty);
338 if (r < 0)
339 return r;
340
341 v = vtnr_from_tty(tty);
342 if (v < 0)
343 return v;
344 else if (v == 0)
345 return -ENOENT;
346
347 if (seat)
348 *seat = "seat0";
349 *vtnr = (uint32_t) v;
350
351 return 0;
352 }
353
354 static int export_legacy_dbus_address(
355 pam_handle_t *handle,
356 const char *runtime) {
357
358 const char *s;
359 _cleanup_free_ char *t = NULL;
360 int r = PAM_BUF_ERR;
361
362 /* We need to export $DBUS_SESSION_BUS_ADDRESS because various applications will not connect
363 * correctly to the bus without it. This setting matches what dbus.socket does for the user
364 * session using 'systemctl --user set-environment'. We want to have the same configuration
365 * in processes started from the PAM session.
366 *
367 * The setting of the address is guarded by the access() check because it is also possible to compile
368 * dbus without --enable-user-session, in which case this socket is not used, and
369 * $DBUS_SESSION_BUS_ADDRESS should not be set. An alternative approach would to not do the access()
370 * check here, and let applications try on their own, by using "unix:path=%s/bus;autolaunch:". But we
371 * expect the socket to be present by the time we do this check, so we can just as well check once
372 * here. */
373
374 s = strjoina(runtime, "/bus");
375 if (access(s, F_OK) < 0)
376 return PAM_SUCCESS;
377
378 if (asprintf(&t, DEFAULT_USER_BUS_ADDRESS_FMT, runtime) < 0)
379 return pam_log_oom(handle);
380
381 r = pam_misc_setenv(handle, "DBUS_SESSION_BUS_ADDRESS", t, 0);
382 if (r != PAM_SUCCESS)
383 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to set bus variable: @PAMERR@");
384
385 return PAM_SUCCESS;
386 }
387
388 static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
389 uint64_t val;
390 int r;
391
392 if (isempty(limit))
393 return PAM_SUCCESS;
394
395 if (streq(limit, "infinity")) {
396 r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", UINT64_MAX);
397 if (r < 0)
398 return pam_bus_log_create_error(handle, r);
399
400 return PAM_SUCCESS;
401 }
402
403 r = parse_permyriad(limit);
404 if (r >= 0) {
405 r = sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", UINT32_SCALE_FROM_PERMYRIAD(r));
406 if (r < 0)
407 return pam_bus_log_create_error(handle, r);
408
409 return PAM_SUCCESS;
410 }
411
412 r = parse_size(limit, 1024, &val);
413 if (r >= 0) {
414 r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
415 if (r < 0)
416 return pam_bus_log_create_error(handle, r);
417
418 return PAM_SUCCESS;
419 }
420
421 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.memory_max, ignoring: %s", limit);
422 return PAM_SUCCESS;
423 }
424
425 static int append_session_runtime_max_sec(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
426 usec_t val;
427 int r;
428
429 /* No need to parse "infinity" here, it will be set by default later in scope_init() */
430 if (isempty(limit) || streq(limit, "infinity"))
431 return PAM_SUCCESS;
432
433 r = parse_sec(limit, &val);
434 if (r >= 0) {
435 r = sd_bus_message_append(m, "(sv)", "RuntimeMaxUSec", "t", (uint64_t) val);
436 if (r < 0)
437 return pam_bus_log_create_error(handle, r);
438 } else
439 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.runtime_max_sec: %s, ignoring.", limit);
440
441 return PAM_SUCCESS;
442 }
443
444 static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
445 uint64_t val;
446 int r;
447
448 /* No need to parse "infinity" here, it will be set unconditionally later in manager_start_scope() */
449 if (isempty(limit) || streq(limit, "infinity"))
450 return PAM_SUCCESS;
451
452 r = safe_atou64(limit, &val);
453 if (r >= 0) {
454 r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
455 if (r < 0)
456 return pam_bus_log_create_error(handle, r);
457 } else
458 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.tasks_max, ignoring: %s", limit);
459
460 return PAM_SUCCESS;
461 }
462
463 static int append_session_cpu_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
464 uint64_t val;
465 int r;
466
467 if (isempty(limit))
468 return PAM_SUCCESS;
469
470 r = cg_cpu_weight_parse(limit, &val);
471 if (r < 0)
472 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.cpu_weight, ignoring: %s", limit);
473 else {
474 r = sd_bus_message_append(m, "(sv)", "CPUWeight", "t", val);
475 if (r < 0)
476 return pam_bus_log_create_error(handle, r);
477 }
478
479 return PAM_SUCCESS;
480 }
481
482 static int append_session_io_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
483 uint64_t val;
484 int r;
485
486 if (isempty(limit))
487 return PAM_SUCCESS;
488
489 r = cg_weight_parse(limit, &val);
490 if (r < 0)
491 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.io_weight, ignoring: %s", limit);
492 else {
493 r = sd_bus_message_append(m, "(sv)", "IOWeight", "t", val);
494 if (r < 0)
495 return pam_bus_log_create_error(handle, r);
496 }
497
498 return PAM_SUCCESS;
499 }
500
501 static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
502 const char *v;
503
504 assert(handle);
505 assert(key);
506
507 /* Looks for an environment variable, preferably in the environment block associated with the
508 * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
509 * to permit configuration of session properties from unit files that invoke PAM services, so that
510 * PAM services don't have to be reworked to set systemd-specific properties, but these properties
511 * can still be set from the unit file Environment= block. */
512
513 v = pam_getenv(handle, key);
514 if (!isempty(v))
515 return v;
516
517 /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
518 * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
519 * currently don't (to be precise, they clean up the environment they pass to their children, but
520 * not their own environ[]). */
521 v = secure_getenv(key);
522 if (!isempty(v))
523 return v;
524
525 return fallback;
526 }
527
528 static bool getenv_harder_bool(pam_handle_t *handle, const char *key, bool fallback) {
529 const char *v;
530 int r;
531
532 assert(handle);
533 assert(key);
534
535 v = getenv_harder(handle, key, NULL);
536 if (isempty(v))
537 return fallback;
538
539 r = parse_boolean(v);
540 if (r < 0) {
541 pam_syslog(handle, LOG_ERR, "Boolean environment variable value of '%s' is not valid: %s", key, v);
542 return fallback;
543 }
544
545 return r;
546 }
547
548 static int update_environment(pam_handle_t *handle, const char *key, const char *value) {
549 int r;
550
551 assert(handle);
552 assert(key);
553
554 /* Updates the environment, but only if there's actually a value set. Also, log about errors */
555
556 if (isempty(value))
557 return PAM_SUCCESS;
558
559 r = pam_misc_setenv(handle, key, value, 0);
560 if (r != PAM_SUCCESS)
561 return pam_syslog_pam_error(handle, LOG_ERR, r,
562 "Failed to set environment variable %s: @PAMERR@", key);
563
564 return PAM_SUCCESS;
565 }
566
567 static bool validate_runtime_directory(pam_handle_t *handle, const char *path, uid_t uid) {
568 struct stat st;
569
570 assert(handle);
571 assert(path);
572
573 /* Some extra paranoia: let's not set $XDG_RUNTIME_DIR if the directory we'd set it to isn't actually
574 * set up properly for us. This is supposed to provide a careful safety net for supporting su/sudo
575 * type transitions: in that case the UID changes, but the session and thus the user owning it
576 * doesn't change. Since the $XDG_RUNTIME_DIR lifecycle is bound to the session's user being logged
577 * in at least once we should be particularly careful when setting the environment variable, since
578 * otherwise we might end up setting $XDG_RUNTIME_DIR to some directory owned by the wrong user. */
579
580 if (!path_is_absolute(path)) {
581 pam_syslog(handle, LOG_ERR, "Provided runtime directory '%s' is not absolute.", path);
582 goto fail;
583 }
584
585 if (lstat(path, &st) < 0) {
586 pam_syslog_errno(handle, LOG_ERR, errno, "Failed to stat() runtime directory '%s': %m", path);
587 goto fail;
588 }
589
590 if (!S_ISDIR(st.st_mode)) {
591 pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not actually a directory.", path);
592 goto fail;
593 }
594
595 if (st.st_uid != uid) {
596 pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not owned by UID " UID_FMT ", as it should.", path, uid);
597 goto fail;
598 }
599
600 return true;
601
602 fail:
603 pam_syslog(handle, LOG_WARNING, "Not setting $XDG_RUNTIME_DIR, as the directory is not in order.");
604 return false;
605 }
606
607 static int pam_putenv_and_log(pam_handle_t *handle, const char *e, bool debug) {
608 int r;
609
610 assert(handle);
611 assert(e);
612
613 r = pam_putenv(handle, e);
614 if (r != PAM_SUCCESS)
615 return pam_syslog_pam_error(handle, LOG_ERR, r,
616 "Failed to set PAM environment variable %s: @PAMERR@", e);
617
618 pam_debug_syslog(handle, debug, "PAM environment variable %s set based on user record.", e);
619
620 return PAM_SUCCESS;
621 }
622
623 static int apply_user_record_settings(
624 pam_handle_t *handle,
625 UserRecord *ur,
626 bool debug,
627 uint64_t default_capability_bounding_set,
628 uint64_t default_capability_ambient_set) {
629 _cleanup_strv_free_ char **langs = NULL;
630 int r;
631
632 assert(handle);
633 assert(ur);
634
635 if (ur->umask != MODE_INVALID) {
636 umask(ur->umask);
637 pam_debug_syslog(handle, debug, "Set user umask to %04o based on user record.", ur->umask);
638 }
639
640 STRV_FOREACH(i, ur->environment) {
641 r = pam_putenv_and_log(handle, *i, debug);
642 if (r != PAM_SUCCESS)
643 return r;
644 }
645
646 if (ur->email_address) {
647 _cleanup_free_ char *joined = NULL;
648
649 joined = strjoin("EMAIL=", ur->email_address);
650 if (!joined)
651 return pam_log_oom(handle);
652
653 r = pam_putenv_and_log(handle, joined, debug);
654 if (r != PAM_SUCCESS)
655 return r;
656 }
657
658 if (ur->time_zone) {
659 if (!timezone_is_valid(ur->time_zone, LOG_DEBUG))
660 pam_debug_syslog(handle, debug,
661 "Time zone specified in user record is not valid locally, not setting $TZ.");
662 else {
663 _cleanup_free_ char *joined = NULL;
664
665 joined = strjoin("TZ=:", ur->time_zone);
666 if (!joined)
667 return pam_log_oom(handle);
668
669 r = pam_putenv_and_log(handle, joined, debug);
670 if (r != PAM_SUCCESS)
671 return r;
672 }
673 }
674
675 r = user_record_languages(ur, &langs);
676 if (r < 0)
677 pam_syslog_errno(handle, LOG_ERR, r,
678 "Failed to acquire user's language preferences, ignoring: %m");
679 else if (strv_isempty(langs))
680 ; /* User has no preference set so we do nothing */
681 else if (locale_is_installed(langs[0]) <= 0)
682 pam_debug_syslog(handle, debug,
683 "Preferred languages specified in user record are not installed locally, not setting $LANG or $LANGUAGE.");
684 else {
685 _cleanup_free_ char *lang = NULL;
686
687 lang = strjoin("LANG=", langs[0]);
688 if (!lang)
689 return pam_log_oom(handle);
690
691 r = pam_putenv_and_log(handle, lang, debug);
692 if (r != PAM_SUCCESS)
693 return r;
694
695 if (strv_length(langs) > 1) {
696 _cleanup_free_ char *joined = NULL, *language = NULL;
697
698 joined = strv_join(langs, ":");
699 if (!joined)
700 return pam_log_oom(handle);
701
702 language = strjoin("LANGUAGE=", joined);
703 if (!language)
704 return pam_log_oom(handle);
705
706 r = pam_putenv_and_log(handle, language, debug);
707 if (r != PAM_SUCCESS)
708 return r;
709 }
710 }
711
712 if (nice_is_valid(ur->nice_level)) {
713 if (nice(ur->nice_level) < 0)
714 pam_syslog_errno(handle, LOG_ERR, errno,
715 "Failed to set nice level to %i, ignoring: %m", ur->nice_level);
716 else
717 pam_debug_syslog(handle, debug,
718 "Nice level set to %i, based on user record.", ur->nice_level);
719 }
720
721 for (int rl = 0; rl < _RLIMIT_MAX; rl++) {
722
723 if (!ur->rlimits[rl])
724 continue;
725
726 r = setrlimit_closest(rl, ur->rlimits[rl]);
727 if (r < 0)
728 pam_syslog_errno(handle, LOG_ERR, r,
729 "Failed to set resource limit %s, ignoring: %m", rlimit_to_string(rl));
730 else
731 pam_debug_syslog(handle, debug,
732 "Resource limit %s set, based on user record.", rlimit_to_string(rl));
733 }
734
735 uint64_t a, b;
736 a = user_record_capability_ambient_set(ur);
737 if (a == UINT64_MAX)
738 a = default_capability_ambient_set;
739
740 b = user_record_capability_bounding_set(ur);
741 if (b == UINT64_MAX)
742 b = default_capability_bounding_set;
743
744 if (a != UINT64_MAX && a != 0) {
745 a &= b;
746
747 r = capability_ambient_set_apply(a, /* also_inherit= */ true);
748 if (r < 0)
749 pam_syslog_errno(handle, LOG_ERR, r,
750 "Failed to set ambient capabilities, ignoring: %m");
751 }
752
753 if (b != UINT64_MAX && !cap_test_all(b)) {
754 r = capability_bounding_set_drop(b, /* right_now= */ false);
755 if (r < 0)
756 pam_syslog_errno(handle, LOG_ERR, r,
757 "Failed to set bounding capabilities, ignoring: %m");
758 }
759
760 return PAM_SUCCESS;
761 }
762
763 static int configure_runtime_directory(
764 pam_handle_t *handle,
765 UserRecord *ur,
766 const char *rt) {
767
768 int r;
769
770 assert(handle);
771 assert(ur);
772 assert(rt);
773
774 if (!validate_runtime_directory(handle, rt, ur->uid))
775 return PAM_SUCCESS;
776
777 r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", rt, 0);
778 if (r != PAM_SUCCESS)
779 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to set runtime dir: @PAMERR@");
780
781 return export_legacy_dbus_address(handle, rt);
782 }
783
784 static uint64_t pick_default_capability_ambient_set(
785 UserRecord *ur,
786 const char *service,
787 const char *seat) {
788
789 /* If not configured otherwise, let's enable CAP_WAKE_ALARM for regular users when logging in on a
790 * seat (i.e. when they are present physically on the device), or when invoked for the systemd --user
791 * instances. This allows desktops to install CAP_WAKE_ALARM to implement alarm clock apps without
792 * much fuss. */
793
794 return ur &&
795 user_record_disposition(ur) == USER_REGULAR &&
796 (streq_ptr(service, "systemd-user") || !isempty(seat)) ? (UINT64_C(1) << CAP_WAKE_ALARM) : UINT64_MAX;
797 }
798
799 typedef struct SessionContext {
800 const uid_t uid;
801 const pid_t pid;
802 const char *service;
803 const char *type;
804 const char *class;
805 const char *desktop;
806 const char *seat;
807 const uint32_t vtnr;
808 const char *tty;
809 const char *display;
810 const bool remote;
811 const char *remote_user;
812 const char *remote_host;
813 const char *memory_max;
814 const char *tasks_max;
815 const char *cpu_weight;
816 const char *io_weight;
817 const char *runtime_max_sec;
818 } SessionContext;
819
820 static int create_session_message(
821 sd_bus *bus,
822 pam_handle_t *handle,
823 const SessionContext *context,
824 bool avoid_pidfd,
825 sd_bus_message **ret) {
826
827 _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
828 _cleanup_close_ int pidfd = -EBADF;
829 int r;
830
831 assert(bus);
832 assert(handle);
833 assert(context);
834 assert(ret);
835
836 if (!avoid_pidfd) {
837 pidfd = pidfd_open(getpid_cached(), 0);
838 if (pidfd < 0 && !ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
839 return -errno;
840 }
841
842 r = bus_message_new_method_call(bus, &m, bus_login_mgr, pidfd >= 0 ? "CreateSessionWithPIDFD" : "CreateSession");
843 if (r < 0)
844 return r;
845
846 r = sd_bus_message_append(m,
847 pidfd >= 0 ? "uhsssssussbss" : "uusssssussbss",
848 (uint32_t) context->uid,
849 pidfd >= 0 ? pidfd : context->pid,
850 context->service,
851 context->type,
852 context->class,
853 context->desktop,
854 context->seat,
855 context->vtnr,
856 context->tty,
857 context->display,
858 context->remote,
859 context->remote_user,
860 context->remote_host);
861 if (r < 0)
862 return r;
863
864 if (pidfd >= 0) {
865 r = sd_bus_message_append(m, "t", UINT64_C(0));
866 if (r < 0)
867 return r;
868 }
869
870 r = sd_bus_message_open_container(m, 'a', "(sv)");
871 if (r < 0)
872 return r;
873
874 r = append_session_memory_max(handle, m, context->memory_max);
875 if (r != PAM_SUCCESS)
876 return r;
877
878 r = append_session_runtime_max_sec(handle, m, context->runtime_max_sec);
879 if (r != PAM_SUCCESS)
880 return r;
881
882 r = append_session_tasks_max(handle, m, context->tasks_max);
883 if (r != PAM_SUCCESS)
884 return r;
885
886 r = append_session_cpu_weight(handle, m, context->cpu_weight);
887 if (r != PAM_SUCCESS)
888 return r;
889
890 r = append_session_io_weight(handle, m, context->io_weight);
891 if (r != PAM_SUCCESS)
892 return r;
893
894 r = sd_bus_message_close_container(m);
895 if (r < 0)
896 return r;
897
898 *ret = TAKE_PTR(m);
899 return 0;
900 }
901
902 _public_ PAM_EXTERN int pam_sm_open_session(
903 pam_handle_t *handle,
904 int flags,
905 int argc, const char **argv) {
906
907 /* Let's release the D-Bus connection once this function exits, after all the session might live
908 * quite a long time, and we are not going to process the bus connection in that time, so let's
909 * better close before the daemon kicks us off because we are not processing anything. */
910 _cleanup_(pam_bus_data_disconnectp) PamBusData *d = NULL;
911 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
912 _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL;
913 const char
914 *id, *object_path, *runtime_path,
915 *service = NULL,
916 *tty = NULL, *display = NULL,
917 *remote_user = NULL, *remote_host = NULL,
918 *seat = NULL,
919 *type = NULL, *class = NULL,
920 *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
921 *memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL, *runtime_max_sec = NULL;
922 uint64_t default_capability_bounding_set = UINT64_MAX, default_capability_ambient_set = UINT64_MAX;
923 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
924 _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
925 int session_fd = -EBADF, existing, r;
926 bool debug = false, remote, incomplete;
927 uint32_t vtnr = 0;
928 uid_t original_uid;
929
930 assert(handle);
931
932 if (parse_argv(handle,
933 argc, argv,
934 &class_pam,
935 &type_pam,
936 &desktop_pam,
937 &debug,
938 &default_capability_bounding_set,
939 &default_capability_ambient_set) < 0)
940 return PAM_SESSION_ERR;
941
942 pam_debug_syslog(handle, debug, "pam-systemd initializing");
943
944 r = acquire_user_record(handle, &ur);
945 if (r != PAM_SUCCESS)
946 return r;
947
948 /* Make most of this a NOP on non-logind systems */
949 if (!logind_running())
950 goto success;
951
952 r = pam_get_item_many(
953 handle,
954 PAM_SERVICE, &service,
955 PAM_XDISPLAY, &display,
956 PAM_TTY, &tty,
957 PAM_RUSER, &remote_user,
958 PAM_RHOST, &remote_host);
959 if (r != PAM_SUCCESS)
960 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM items: @PAMERR@");
961
962 seat = getenv_harder(handle, "XDG_SEAT", NULL);
963 cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
964 type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
965 class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
966 desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
967 incomplete = getenv_harder_bool(handle, "XDG_SESSION_INCOMPLETE", false);
968
969 if (streq_ptr(service, "systemd-user")) {
970 /* If we detect that we are running in the "systemd-user" PAM stack, then let's patch the class to
971 * 'manager' if not set, simply for robustness reasons. */
972 type = "unspecified";
973 class = IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) ?
974 "manager-early" : "manager";
975 tty = NULL;
976
977 } else if (tty && strchr(tty, ':')) {
978 /* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
979 * and don't pretend that an X display was a tty. */
980 if (isempty(display))
981 display = tty;
982 tty = NULL;
983
984 } else if (streq_ptr(tty, "cron")) {
985 /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
986 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
987 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
988 * off processes.) */
989 type = "unspecified";
990 class = "background";
991 tty = NULL;
992
993 } else if (streq_ptr(tty, "ssh")) {
994 /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
995 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
996 type = "tty";
997 class = "user";
998 tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
999 * associated with a pty — won't be tracked by their tty in logind. This is because ssh
1000 * does the PAM session registration early for new connections, and registers a pty only
1001 * much later (this is because it doesn't know yet if it needs one at all, as whether to
1002 * register a pty or not is negotiated much later in the protocol). */
1003
1004 } else if (tty)
1005 /* Chop off leading /dev prefix that some clients specify, but others do not. */
1006 tty = skip_dev_prefix(tty);
1007
1008 /* If this fails vtnr will be 0, that's intended */
1009 if (!isempty(cvtnr))
1010 (void) safe_atou32(cvtnr, &vtnr);
1011
1012 if (!isempty(display) && !vtnr) {
1013 if (isempty(seat))
1014 (void) get_seat_from_display(display, &seat, &vtnr);
1015 else if (streq(seat, "seat0"))
1016 (void) get_seat_from_display(display, NULL, &vtnr);
1017 }
1018
1019 if (seat && !streq(seat, "seat0") && vtnr != 0) {
1020 pam_debug_syslog(handle, debug, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
1021 vtnr = 0;
1022 }
1023
1024 if (isempty(type))
1025 type = !isempty(display) ? "x11" :
1026 !isempty(tty) ? "tty" : "unspecified";
1027
1028 if (isempty(class))
1029 class = streq(type, "unspecified") ? "background" :
1030 ((IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) &&
1031 streq(type, "tty")) ? "user-early" : "user");
1032
1033 if (incomplete) {
1034 if (streq(class, "user"))
1035 class = "user-incomplete";
1036 else
1037 pam_syslog_pam_error(handle, LOG_WARNING, 0, "PAM session of class '%s' is incomplete, which is not supported, ignoring.", class);
1038 }
1039
1040 remote = !isempty(remote_host) && !is_localhost(remote_host);
1041
1042 r = pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
1043 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1044 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.memory_max data: @PAMERR@");
1045 r = pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
1046 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1047 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.tasks_max data: @PAMERR@");
1048 r = pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
1049 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1050 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.cpu_weight data: @PAMERR@");
1051 r = pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
1052 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1053 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.io_weight data: @PAMERR@");
1054 r = pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
1055 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1056 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.runtime_max_sec data: @PAMERR@");
1057
1058 /* Talk to logind over the message bus */
1059 r = pam_acquire_bus_connection(handle, "pam-systemd", &bus, &d);
1060 if (r != PAM_SUCCESS)
1061 return r;
1062
1063 pam_debug_syslog(handle, debug,
1064 "Asking logind to create session: "
1065 "uid="UID_FMT" pid="PID_FMT" service=%s type=%s class=%s desktop=%s seat=%s vtnr=%"PRIu32" tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
1066 ur->uid, getpid_cached(),
1067 strempty(service),
1068 type, class, strempty(desktop),
1069 strempty(seat), vtnr, strempty(tty), strempty(display),
1070 yes_no(remote), strempty(remote_user), strempty(remote_host));
1071 pam_debug_syslog(handle, debug,
1072 "Session limits: "
1073 "memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s runtime_max_sec=%s",
1074 strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight), strna(runtime_max_sec));
1075
1076 const SessionContext context = {
1077 .uid = ur->uid,
1078 .pid = 0,
1079 .service = service,
1080 .type = type,
1081 .class = class,
1082 .desktop = desktop,
1083 .seat = seat,
1084 .vtnr = vtnr,
1085 .tty = tty,
1086 .display = display,
1087 .remote = remote,
1088 .remote_user = remote_user,
1089 .remote_host = remote_host,
1090 .memory_max = memory_max,
1091 .tasks_max = tasks_max,
1092 .cpu_weight = cpu_weight,
1093 .io_weight = io_weight,
1094 .runtime_max_sec = runtime_max_sec,
1095 };
1096
1097 r = create_session_message(bus,
1098 handle,
1099 &context,
1100 /* avoid_pidfd = */ false,
1101 &m);
1102 if (r < 0)
1103 return pam_bus_log_create_error(handle, r);
1104
1105 r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply);
1106 if (r < 0 && sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD)) {
1107 sd_bus_error_free(&error);
1108 pam_debug_syslog(handle, debug,
1109 "CreateSessionWithPIDFD() API is not available, retrying with CreateSession().");
1110
1111 m = sd_bus_message_unref(m);
1112 r = create_session_message(bus,
1113 handle,
1114 &context,
1115 /* avoid_pidfd = */ true,
1116 &m);
1117 if (r < 0)
1118 return pam_bus_log_create_error(handle, r);
1119
1120 r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply);
1121 }
1122 if (r < 0) {
1123 if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
1124 /* We are already in a session, don't do anything */
1125 pam_debug_syslog(handle, debug,
1126 "Not creating session: %s", bus_error_message(&error, r));
1127 goto success;
1128 }
1129
1130 pam_syslog(handle, LOG_ERR,
1131 "Failed to create session: %s", bus_error_message(&error, r));
1132 return PAM_SESSION_ERR;
1133 }
1134
1135 r = sd_bus_message_read(reply,
1136 "soshusub",
1137 &id,
1138 &object_path,
1139 &runtime_path,
1140 &session_fd,
1141 &original_uid,
1142 &seat,
1143 &vtnr,
1144 &existing);
1145 if (r < 0)
1146 return pam_bus_log_parse_error(handle, r);
1147
1148 pam_debug_syslog(handle, debug,
1149 "Reply from logind: "
1150 "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
1151 id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
1152
1153 /* Please update manager_default_environment() in core/manager.c accordingly if more session envvars
1154 * shall be added. */
1155
1156 r = update_environment(handle, "XDG_SESSION_ID", id);
1157 if (r != PAM_SUCCESS)
1158 return r;
1159
1160 if (original_uid == ur->uid) {
1161 /* Don't set $XDG_RUNTIME_DIR if the user we now authenticated for does not match the
1162 * original user of the session. We do this in order not to result in privileged apps
1163 * clobbering the runtime directory unnecessarily. */
1164
1165 r = configure_runtime_directory(handle, ur, runtime_path);
1166 if (r != PAM_SUCCESS)
1167 return r;
1168 }
1169
1170 /* Most likely we got the session/type/class from environment variables, but might have gotten the data
1171 * somewhere else (for example PAM module parameters). Let's now update the environment variables, so that this
1172 * data is inherited into the session processes, and programs can rely on them to be initialized. */
1173
1174 r = update_environment(handle, "XDG_SESSION_TYPE", type);
1175 if (r != PAM_SUCCESS)
1176 return r;
1177
1178 r = update_environment(handle, "XDG_SESSION_CLASS", class);
1179 if (r != PAM_SUCCESS)
1180 return r;
1181
1182 r = update_environment(handle, "XDG_SESSION_DESKTOP", desktop);
1183 if (r != PAM_SUCCESS)
1184 return r;
1185
1186 r = update_environment(handle, "XDG_SEAT", seat);
1187 if (r != PAM_SUCCESS)
1188 return r;
1189
1190 if (vtnr > 0) {
1191 char buf[DECIMAL_STR_MAX(vtnr)];
1192 sprintf(buf, "%u", vtnr);
1193
1194 r = update_environment(handle, "XDG_VTNR", buf);
1195 if (r != PAM_SUCCESS)
1196 return r;
1197 }
1198
1199 r = pam_set_data(handle, "systemd.existing", INT_TO_PTR(!!existing), NULL);
1200 if (r != PAM_SUCCESS)
1201 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to install existing flag: @PAMERR@");
1202
1203 if (session_fd >= 0) {
1204 _cleanup_close_ int fd = fcntl(session_fd, F_DUPFD_CLOEXEC, 3);
1205 if (fd < 0)
1206 return pam_syslog_errno(handle, LOG_ERR, errno, "Failed to dup session fd: %m");
1207
1208 r = pam_set_data(handle, "systemd.session-fd", FD_TO_PTR(fd), NULL);
1209 if (r != PAM_SUCCESS)
1210 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to install session fd: @PAMERR@");
1211 TAKE_FD(fd);
1212 }
1213
1214 success:
1215 if (default_capability_ambient_set == UINT64_MAX)
1216 default_capability_ambient_set = pick_default_capability_ambient_set(ur, service, seat);
1217
1218 return apply_user_record_settings(handle, ur, debug, default_capability_bounding_set, default_capability_ambient_set);
1219 }
1220
1221 _public_ PAM_EXTERN int pam_sm_close_session(
1222 pam_handle_t *handle,
1223 int flags,
1224 int argc, const char **argv) {
1225
1226 const void *existing = NULL;
1227 bool debug = false;
1228 const char *id;
1229 int r;
1230
1231 assert(handle);
1232
1233 if (parse_argv(handle,
1234 argc, argv,
1235 NULL,
1236 NULL,
1237 NULL,
1238 &debug,
1239 NULL,
1240 NULL) < 0)
1241 return PAM_SESSION_ERR;
1242
1243 pam_debug_syslog(handle, debug, "pam-systemd shutting down");
1244
1245 /* Only release session if it wasn't pre-existing when we
1246 * tried to create it */
1247 r = pam_get_data(handle, "systemd.existing", &existing);
1248 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1249 return pam_syslog_pam_error(handle, LOG_ERR, r,
1250 "Failed to get PAM systemd.existing data: @PAMERR@");
1251
1252 id = pam_getenv(handle, "XDG_SESSION_ID");
1253 if (id && !existing) {
1254 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
1255 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
1256
1257 /* Before we go and close the FIFO we need to tell logind that this is a clean session
1258 * shutdown, so that it doesn't just go and slaughter us immediately after closing the fd */
1259
1260 r = pam_acquire_bus_connection(handle, "pam-systemd", &bus, NULL);
1261 if (r != PAM_SUCCESS)
1262 return r;
1263
1264 r = bus_call_method(bus, bus_login_mgr, "ReleaseSession", &error, NULL, "s", id);
1265 if (r < 0)
1266 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SESSION_ERR,
1267 "Failed to release session: %s", bus_error_message(&error, r));
1268 }
1269
1270 /* Note that we are knowingly leaking the FIFO fd here. This way, logind can watch us die. If we
1271 * closed it here it would not have any clue when that is completed. Given that one cannot really
1272 * have multiple PAM sessions open from the same process this means we will leak one FD at max. */
1273
1274 return PAM_SUCCESS;
1275 }
Unnamed repository; edit this file 'description' to name the repository.