]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/login/pam_systemd.c
projects / thirdparty / systemd.git / blob
? search:


eb8aaff251c200a057f42c1f784c6bfcbe907ae8
[thirdparty/systemd.git] / src / login / pam_systemd.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <endian.h>
4 #include <fcntl.h>
5 #include <pwd.h>
6 #include <security/_pam_macros.h>
7 #include <security/pam_ext.h>
8 #include <security/pam_misc.h>
9 #include <security/pam_modules.h>
10 #include <security/pam_modutil.h>
11 #include <sys/file.h>
12 #include "time-util.h"
13 #include <sys/stat.h>
14 #include <sys/sysmacros.h>
15 #include <unistd.h>
16
17 #include "sd-bus.h"
18 #include "sd-varlink.h"
19
20 #include "alloc-util.h"
21 #include "bus-common-errors.h"
22 #include "bus-error.h"
23 #include "bus-internal.h"
24 #include "bus-locator.h"
25 #include "cap-list.h"
26 #include "capability-util.h"
27 #include "cgroup-setup.h"
28 #include "chase.h"
29 #include "creds-util.h"
30 #include "devnum-util.h"
31 #include "errno-util.h"
32 #include "extract-word.h"
33 #include "fd-util.h"
34 #include "format-util.h"
35 #include "fs-util.h"
36 #include "hostname-util.h"
37 #include "io-util.h"
38 #include "json-util.h"
39 #include "locale-util.h"
40 #include "login-util.h"
41 #include "osc-context.h"
42 #include "pam-util.h"
43 #include "parse-util.h"
44 #include "path-util.h"
45 #include "percent-util.h"
46 #include "pidfd-util.h"
47 #include "pidref.h"
48 #include "process-util.h"
49 #include "rlimit-util.h"
50 #include "socket-util.h"
51 #include "stdio-util.h"
52 #include "string-util.h"
53 #include "strv.h"
54 #include "terminal-util.h"
55 #include "tmpfile-util.h"
56 #include "user-util.h"
57 #include "userdb.h"
58
59 #define LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC (2*USEC_PER_MINUTE)
60
61 static int parse_caps(
62 pam_handle_t *handle,
63 const char *value,
64 uint64_t *caps) {
65
66 bool subtract;
67 int r;
68
69 assert(handle);
70 assert(value);
71
72 if (value[0] == '~') {
73 subtract = true;
74 value++;
75 } else
76 subtract = false;
77
78 for (;;) {
79 _cleanup_free_ char *s = NULL;
80 uint64_t b, m;
81 int c;
82
83 /* We can't use spaces as separators here, as PAM's simplistic argument parser doesn't allow
84 * spaces inside of arguments. We use commas instead (which is similar to cap_from_text(),
85 * which also uses commas). */
86 r = extract_first_word(&value, &s, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
87 if (r < 0)
88 return r;
89 if (r == 0)
90 break;
91
92 c = capability_from_name(s);
93 if (c < 0) {
94 pam_syslog(handle, LOG_WARNING, "Unknown capability, ignoring: %s", s);
95 continue;
96 }
97
98 m = UINT64_C(1) << c;
99
100 if (!caps)
101 continue;
102
103 if (*caps == UINT64_MAX)
104 b = subtract ? all_capabilities() : 0;
105 else
106 b = *caps;
107
108 if (subtract)
109 *caps = b & ~m;
110 else
111 *caps = b | m;
112 }
113
114 return 0;
115 }
116
117 static int parse_argv(
118 pam_handle_t *handle,
119 int argc, const char **argv,
120 const char **class,
121 const char **type,
122 const char **desktop,
123 const char **area,
124 bool *debug,
125 uint64_t *default_capability_bounding_set,
126 uint64_t *default_capability_ambient_set) {
127
128 int r;
129
130 assert(handle);
131 assert(argc >= 0);
132 assert(argc == 0 || argv);
133
134 for (int i = 0; i < argc; i++) {
135 const char *p;
136
137 if ((p = startswith(argv[i], "class="))) {
138 if (class)
139 *class = p;
140
141 } else if ((p = startswith(argv[i], "type="))) {
142 if (type)
143 *type = p;
144
145 } else if ((p = startswith(argv[i], "desktop="))) {
146 if (desktop)
147 *desktop = p;
148
149 } else if ((p = startswith(argv[i], "area="))) {
150
151 if (!isempty(p) && !filename_is_valid(p))
152 pam_syslog(handle, LOG_WARNING, "Area name specified among PAM module parameters is not valid, ignoring: %m");
153 else if (area)
154 *area = p;
155
156 } else if (streq(argv[i], "debug")) {
157 if (debug)
158 *debug = true;
159
160 } else if ((p = startswith(argv[i], "debug="))) {
161 r = parse_boolean(p);
162 if (r < 0)
163 pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", p);
164 else if (debug)
165 *debug = r;
166
167 } else if ((p = startswith(argv[i], "default-capability-bounding-set="))) {
168 r = parse_caps(handle, p, default_capability_bounding_set);
169 if (r < 0)
170 pam_syslog(handle, LOG_WARNING, "Failed to parse default-capability-bounding-set= argument, ignoring: %s", p);
171
172 } else if ((p = startswith(argv[i], "default-capability-ambient-set="))) {
173 r = parse_caps(handle, p, default_capability_ambient_set);
174 if (r < 0)
175 pam_syslog(handle, LOG_WARNING, "Failed to parse default-capability-ambient-set= argument, ignoring: %s", p);
176
177 } else
178 pam_syslog(handle, LOG_WARNING, "Unknown parameter '%s', ignoring.", argv[i]);
179 }
180
181 return 0;
182 }
183
184 static int acquire_user_record(
185 pam_handle_t *handle,
186 UserRecord **ret_record) {
187
188 int r;
189
190 assert(handle);
191
192 const char *username = NULL;
193 r = pam_get_user(handle, &username, NULL);
194 if (r != PAM_SUCCESS)
195 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get user name: @PAMERR@");
196 if (isempty(username))
197 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR, "User name not valid.");
198
199 /* If pam_systemd_homed (or some other module) already acquired the user record we can reuse it
200 * here. */
201 _cleanup_free_ char *field = strjoin("systemd-user-record-", username);
202 if (!field)
203 return pam_log_oom(handle);
204
205 _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
206 const char *json = NULL;
207 r = pam_get_data(handle, field, (const void**) &json);
208 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
209 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM user record data: @PAMERR@");
210 if (r == PAM_SUCCESS && json) {
211 _cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
212
213 /* Parse cached record */
214 r = sd_json_parse(json, SD_JSON_PARSE_SENSITIVE, &v, NULL, NULL);
215 if (r < 0)
216 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to parse JSON user record: %m");
217
218 ur = user_record_new();
219 if (!ur)
220 return pam_log_oom(handle);
221
222 r = user_record_load(ur, v, USER_RECORD_LOAD_REFUSE_SECRET|USER_RECORD_PERMISSIVE);
223 if (r < 0)
224 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to load user record: %m");
225
226 /* Safety check if cached record actually matches what we are looking for */
227 if (!user_record_matches_user_name(ur, username))
228 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR,
229 "Acquired user record does not match user name.");
230 } else {
231 _cleanup_free_ char *formatted = NULL;
232
233 /* Request the record ourselves */
234 r = userdb_by_name(username, /* match= */ NULL, /* flags= */ 0, &ur);
235 if (r < 0) {
236 pam_syslog_errno(handle, LOG_ERR, r, "Failed to get user record: %m");
237 return PAM_USER_UNKNOWN;
238 }
239
240 if (!uid_is_valid(ur->uid)) {
241 pam_syslog_errno(handle, LOG_ERR, r, "User record of user '%s' has no UID, refusing: %m", username);
242 return PAM_USER_UNKNOWN;
243 }
244
245 r = sd_json_variant_format(ur->json, 0, &formatted);
246 if (r < 0)
247 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to format user JSON: %m");
248
249 /* And cache it for everyone else */
250 r = pam_set_data(handle, field, formatted, pam_cleanup_free);
251 if (r != PAM_SUCCESS)
252 return pam_syslog_pam_error(handle, LOG_ERR, r,
253 "Failed to set PAM user record data '%s': @PAMERR@", field);
254 TAKE_PTR(formatted);
255 }
256
257 if (!uid_is_valid(ur->uid))
258 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SERVICE_ERR,
259 "Acquired user record does not have a UID.");
260
261 if (ret_record)
262 *ret_record = TAKE_PTR(ur);
263
264 return PAM_SUCCESS;
265 }
266
267 static bool display_is_local(const char *display) {
268 assert(display);
269
270 return
271 display[0] == ':' &&
272 ascii_isdigit(display[1]);
273 }
274
275 static int socket_from_display(const char *display) {
276 _cleanup_free_ char *f = NULL;
277 size_t k;
278 char *c;
279 union sockaddr_union sa;
280 socklen_t sa_len;
281 _cleanup_close_ int fd = -EBADF;
282 int r;
283
284 assert(display);
285
286 if (!display_is_local(display))
287 return -EINVAL;
288
289 k = strspn(display+1, "0123456789");
290
291 /* Try abstract socket first. */
292 f = new(char, STRLEN("@/tmp/.X11-unix/X") + k + 1);
293 if (!f)
294 return -ENOMEM;
295
296 c = stpcpy(f, "@/tmp/.X11-unix/X");
297 memcpy(c, display+1, k);
298 c[k] = 0;
299
300 r = sockaddr_un_set_path(&sa.un, f);
301 if (r < 0)
302 return r;
303 sa_len = r;
304
305 fd = RET_NERRNO(socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0));
306 if (fd < 0)
307 return fd;
308
309 r = RET_NERRNO(connect(fd, &sa.sa, sa_len));
310 if (r >= 0)
311 return TAKE_FD(fd);
312 if (r != -ECONNREFUSED)
313 return r;
314
315 /* Try also non-abstract socket. */
316 r = sockaddr_un_set_path(&sa.un, f + 1);
317 if (r < 0)
318 return r;
319 sa_len = r;
320
321 r = RET_NERRNO(connect(fd, &sa.sa, sa_len));
322 if (r >= 0)
323 return TAKE_FD(fd);
324 return r;
325 }
326
327 static int get_seat_from_display(const char *display, const char **seat, uint32_t *vtnr) {
328 _cleanup_free_ char *sys_path = NULL, *tty = NULL;
329 _cleanup_close_ int fd = -EBADF;
330 struct ucred ucred;
331 int v, r;
332 dev_t display_ctty;
333
334 assert(display);
335 assert(vtnr);
336
337 /* We deduce the X11 socket from the display name, then use
338 * SO_PEERCRED to determine the X11 server process, ask for
339 * the controlling tty of that and if it's a VC then we know
340 * the seat and the virtual terminal. Sounds ugly, is only
341 * semi-ugly. */
342
343 fd = socket_from_display(display);
344 if (fd < 0)
345 return fd;
346
347 r = getpeercred(fd, &ucred);
348 if (r < 0)
349 return r;
350
351 r = get_ctty_devnr(ucred.pid, &display_ctty);
352 if (r < 0)
353 return r;
354
355 if (asprintf(&sys_path, "/sys/dev/char/" DEVNUM_FORMAT_STR, DEVNUM_FORMAT_VAL(display_ctty)) < 0)
356 return -ENOMEM;
357 r = readlink_value(sys_path, &tty);
358 if (r < 0)
359 return r;
360
361 v = vtnr_from_tty(tty);
362 if (v < 0)
363 return v;
364 assert(v > 0);
365
366 if (seat)
367 *seat = "seat0";
368 *vtnr = (uint32_t) v;
369
370 return 0;
371 }
372
373 static int export_legacy_dbus_address(
374 pam_handle_t *handle,
375 const char *runtime) {
376
377 int r;
378
379 assert(handle);
380
381 /* We need to export $DBUS_SESSION_BUS_ADDRESS because various applications will not connect
382 * correctly to the bus without it. This setting matches what dbus.socket does for the user session
383 * using 'systemctl --user set-environment'. We want to have the same configuration in processes
384 * started from the PAM session.
385 *
386 * The setting of the address is guarded by the access() check because it is also possible to compile
387 * dbus without --enable-user-session, in which case this socket is not used, and
388 * $DBUS_SESSION_BUS_ADDRESS should not be set. An alternative approach would to not do the access()
389 * check here, and let applications try on their own, by using "unix:path=%s/bus;autolaunch:". But we
390 * expect the socket to be present by the time we do this check, so we can just as well check once
391 * here. */
392
393 if (!runtime)
394 return PAM_SUCCESS;
395
396 const char *s = strjoina(runtime, "/bus");
397 if (access(s, F_OK) < 0) {
398 if (errno != ENOENT)
399 pam_syslog_errno(handle, LOG_WARNING, errno, "Failed to check if %s/bus exists, ignoring: %m", runtime);
400
401 return PAM_SUCCESS;
402 }
403
404 _cleanup_free_ char *t = NULL;
405 if (asprintf(&t, DEFAULT_USER_BUS_ADDRESS_FMT, runtime) < 0)
406 return pam_log_oom(handle);
407
408 r = pam_misc_setenv(handle, "DBUS_SESSION_BUS_ADDRESS", t, /* readonly= */ false);
409 if (r != PAM_SUCCESS)
410 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to set bus variable: @PAMERR@");
411
412 return PAM_SUCCESS;
413 }
414
415 static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
416 int r;
417
418 assert(handle);
419 assert(m);
420
421 if (isempty(limit))
422 return 0;
423
424 if (streq(limit, "infinity"))
425 return sd_bus_message_append(m, "(sv)", "MemoryMax", "t", UINT64_MAX);
426
427 r = parse_permyriad(limit);
428 if (r >= 0)
429 return sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", UINT32_SCALE_FROM_PERMYRIAD(r));
430
431 uint64_t val;
432 r = parse_size(limit, 1024, &val);
433 if (r < 0) {
434 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.memory_max, ignoring: %s", limit);
435 return PAM_SUCCESS;
436 }
437
438 return sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
439 }
440
441 static int append_session_runtime_max_sec(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
442 int r;
443
444 assert(handle);
445 assert(m);
446
447 /* No need to parse "infinity" here, it will be set by default later in scope_init() */
448 if (isempty(limit) || streq(limit, "infinity"))
449 return 0;
450
451 usec_t val;
452 r = parse_sec(limit, &val);
453 if (r < 0) {
454 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.runtime_max_sec: %s, ignoring.", limit);
455 return 0;
456 }
457
458 return sd_bus_message_append(m, "(sv)", "RuntimeMaxUSec", "t", (uint64_t) val);
459 }
460
461 static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
462 int r;
463
464 assert(handle);
465 assert(m);
466
467 /* No need to parse "infinity" here, it will be set unconditionally later in manager_start_scope() */
468 if (isempty(limit) || streq(limit, "infinity"))
469 return 0;
470
471 uint64_t val;
472 r = safe_atou64(limit, &val);
473 if (r < 0) {
474 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.tasks_max, ignoring: %s", limit);
475 return 0;
476 }
477
478 return sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
479 }
480
481 static int append_session_cpu_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
482 int r;
483
484 assert(handle);
485 assert(m);
486
487 if (isempty(limit))
488 return 0;
489
490 uint64_t val;
491 r = cg_cpu_weight_parse(limit, &val);
492 if (r < 0) {
493 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.cpu_weight, ignoring: %s", limit);
494 return 0;
495 }
496
497 return sd_bus_message_append(m, "(sv)", "CPUWeight", "t", val);
498 }
499
500 static int append_session_io_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
501 int r;
502
503 assert(handle);
504 assert(m);
505
506 if (isempty(limit))
507 return 0;
508
509 uint64_t val;
510 r = cg_weight_parse(limit, &val);
511 if (r < 0) {
512 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.io_weight, ignoring: %s", limit);
513 return 0;
514 }
515
516 return sd_bus_message_append(m, "(sv)", "IOWeight", "t", val);
517 }
518
519 static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
520 const char *v;
521
522 assert(handle);
523 assert(key);
524
525 /* Looks for an environment variable, preferably in the environment block associated with the
526 * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
527 * to permit configuration of session properties from unit files that invoke PAM services, so that
528 * PAM services don't have to be reworked to set systemd-specific properties, but these properties
529 * can still be set from the unit file Environment= block. */
530
531 v = pam_getenv(handle, key);
532 if (!isempty(v))
533 return v;
534
535 /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
536 * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
537 * currently don't (to be precise, they clean up the environment they pass to their children, but
538 * not their own environ[]). */
539 v = secure_getenv(key);
540 if (!isempty(v))
541 return v;
542
543 return fallback;
544 }
545
546 static bool getenv_harder_bool(pam_handle_t *handle, const char *key, bool fallback) {
547 const char *v;
548 int r;
549
550 assert(handle);
551 assert(key);
552
553 v = getenv_harder(handle, key, NULL);
554 if (isempty(v))
555 return fallback;
556
557 r = parse_boolean(v);
558 if (r < 0) {
559 pam_syslog(handle, LOG_WARNING, "Failed to parse environment variable value '%s' of '%s', falling back to using '%s'.", v, key, true_false(fallback));
560 return fallback;
561 }
562
563 return r;
564 }
565
566 static uint32_t getenv_harder_uint32(pam_handle_t *handle, const char *key, uint32_t fallback) {
567 int r;
568
569 assert(handle);
570 assert(key);
571
572 const char *v = getenv_harder(handle, key, NULL);
573 if (isempty(v))
574 return fallback;
575
576 uint32_t u;
577 r = safe_atou32(v, &u);
578 if (r < 0) {
579 pam_syslog(handle, LOG_WARNING, "Failed to parse environment variable value '%s' of '%s' as unsigned integer, falling back to using %" PRIu32 ".", v, key, fallback);
580 return fallback;
581 }
582
583 return u;
584 }
585
586 static int update_environment(pam_handle_t *handle, const char *key, const char *value) {
587 int r;
588
589 assert(handle);
590 assert(key);
591
592 /* Updates the environment, and removes environment variables if value is NULL or empty. Also, log
593 * about errors. */
594
595 if (isempty(value)) {
596 /* Unset the variable if set. Note that pam_putenv() would log nastily behind our back if we
597 * call it without the variable actually being set. Hence we check explicitly if it's set
598 * before. */
599
600 if (!pam_getenv(handle, key))
601 return PAM_SUCCESS;
602
603 r = pam_putenv(handle, key);
604 if (!IN_SET(r, PAM_SUCCESS, PAM_BAD_ITEM))
605 return pam_syslog_pam_error(handle, LOG_WARNING, r,
606 "Failed to unset %s environment variable: @PAMERR@", key);
607
608 return PAM_SUCCESS;
609 }
610
611 r = pam_misc_setenv(handle, key, value, /* readonly= */ false);
612 if (r != PAM_SUCCESS)
613 return pam_syslog_pam_error(handle, LOG_ERR, r,
614 "Failed to set environment variable %s: @PAMERR@", key);
615
616 return PAM_SUCCESS;
617 }
618
619 static int propagate_credential_to_environment(pam_handle_t *handle, const char *credential, const char *varname) {
620 int r;
621
622 assert(handle);
623 assert(credential);
624 assert(varname);
625
626 _cleanup_free_ char *value = NULL;
627
628 /* Read a service credential, and propagate it into an environment variable */
629
630 r = read_credential(credential, (void**) &value, /* ret_size= */ NULL);
631 if (r < 0) {
632 log_debug_errno(r, "Failed to read credential '%s', ignoring: %m", credential);
633 return PAM_SUCCESS;
634 }
635
636 r = pam_misc_setenv(handle, varname, value, 0);
637 if (r != PAM_SUCCESS)
638 return pam_syslog_pam_error(handle, LOG_ERR, r,
639 "Failed to set environment variable %s: @PAMERR@", varname);
640
641 return PAM_SUCCESS;
642 }
643
644 static bool validate_runtime_directory(pam_handle_t *handle, const char *path, uid_t uid) {
645 struct stat st;
646
647 assert(handle);
648 assert(path);
649
650 /* Some extra paranoia: let's not set $XDG_RUNTIME_DIR if the directory we'd set it to isn't actually
651 * set up properly for us. This is supposed to provide a careful safety net for supporting su/sudo
652 * type transitions: in that case the UID changes, but the session and thus the user owning it
653 * doesn't change. Since the $XDG_RUNTIME_DIR lifecycle is bound to the session's user being logged
654 * in at least once we should be particularly careful when setting the environment variable, since
655 * otherwise we might end up setting $XDG_RUNTIME_DIR to some directory owned by the wrong user. */
656
657 if (!path_is_absolute(path)) {
658 pam_syslog(handle, LOG_ERR, "Provided runtime directory '%s' is not absolute.", path);
659 goto fail;
660 }
661
662 if (lstat(path, &st) < 0) {
663 pam_syslog_errno(handle, LOG_ERR, errno, "Failed to stat() runtime directory '%s': %m", path);
664 goto fail;
665 }
666
667 if (!S_ISDIR(st.st_mode)) {
668 pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not actually a directory.", path);
669 goto fail;
670 }
671
672 if (st.st_uid != uid) {
673 pam_syslog(handle, LOG_ERR, "Runtime directory '%s' is not owned by UID " UID_FMT ", as it should.", path, uid);
674 goto fail;
675 }
676
677 return true;
678
679 fail:
680 pam_syslog(handle, LOG_WARNING, "Not setting $XDG_RUNTIME_DIR, as the directory is not in order.");
681 return false;
682 }
683
684 static int pam_putenv_and_log(pam_handle_t *handle, const char *e, bool debug) {
685 int r;
686
687 assert(handle);
688 assert(e);
689
690 r = pam_putenv(handle, e);
691 if (r != PAM_SUCCESS)
692 return pam_syslog_pam_error(handle, LOG_ERR, r,
693 "Failed to set PAM environment variable %s: @PAMERR@", e);
694
695 pam_debug_syslog(handle, debug, "PAM environment variable %s set based on user record.", e);
696
697 return PAM_SUCCESS;
698 }
699
700 static int apply_user_record_settings(
701 pam_handle_t *handle,
702 UserRecord *ur,
703 bool debug,
704 uint64_t default_capability_bounding_set,
705 uint64_t default_capability_ambient_set) {
706 _cleanup_strv_free_ char **langs = NULL;
707 int r;
708
709 assert(handle);
710 assert(ur);
711
712 if (ur->umask != MODE_INVALID) {
713 umask(ur->umask);
714 pam_debug_syslog(handle, debug, "Set user umask to %04o based on user record.", ur->umask);
715 }
716
717 STRV_FOREACH(i, ur->environment) {
718 r = pam_putenv_and_log(handle, *i, debug);
719 if (r != PAM_SUCCESS)
720 return r;
721 }
722
723 if (ur->email_address) {
724 _cleanup_free_ char *joined = NULL;
725
726 joined = strjoin("EMAIL=", ur->email_address);
727 if (!joined)
728 return pam_log_oom(handle);
729
730 r = pam_putenv_and_log(handle, joined, debug);
731 if (r != PAM_SUCCESS)
732 return r;
733 }
734
735 if (ur->time_zone) {
736 if (!timezone_is_valid(ur->time_zone, LOG_DEBUG))
737 pam_debug_syslog(handle, debug,
738 "Time zone specified in user record is not valid locally, not setting $TZ.");
739 else {
740 _cleanup_free_ char *joined = NULL;
741
742 joined = strjoin("TZ=:", ur->time_zone);
743 if (!joined)
744 return pam_log_oom(handle);
745
746 r = pam_putenv_and_log(handle, joined, debug);
747 if (r != PAM_SUCCESS)
748 return r;
749 }
750 }
751
752 r = user_record_languages(ur, &langs);
753 if (r < 0)
754 pam_syslog_errno(handle, LOG_ERR, r,
755 "Failed to acquire user's language preferences, ignoring: %m");
756 else if (strv_isempty(langs))
757 ; /* User has no preference set so we do nothing */
758 else if (locale_is_installed(langs[0]) <= 0)
759 pam_debug_syslog(handle, debug,
760 "Preferred languages specified in user record are not installed locally, not setting $LANG or $LANGUAGE.");
761 else {
762 _cleanup_free_ char *lang = NULL;
763
764 lang = strjoin("LANG=", langs[0]);
765 if (!lang)
766 return pam_log_oom(handle);
767
768 r = pam_putenv_and_log(handle, lang, debug);
769 if (r != PAM_SUCCESS)
770 return r;
771
772 if (strv_length(langs) > 1) {
773 _cleanup_free_ char *joined = NULL, *language = NULL;
774
775 joined = strv_join(langs, ":");
776 if (!joined)
777 return pam_log_oom(handle);
778
779 language = strjoin("LANGUAGE=", joined);
780 if (!language)
781 return pam_log_oom(handle);
782
783 r = pam_putenv_and_log(handle, language, debug);
784 if (r != PAM_SUCCESS)
785 return r;
786 }
787 }
788
789 if (nice_is_valid(ur->nice_level)) {
790 if (nice(ur->nice_level) < 0)
791 pam_syslog_errno(handle, LOG_WARNING, errno,
792 "Failed to set nice level to %i, ignoring: %m", ur->nice_level);
793 else
794 pam_debug_syslog(handle, debug,
795 "Nice level set to %i, based on user record.", ur->nice_level);
796 }
797
798 for (int rl = 0; rl < _RLIMIT_MAX; rl++) {
799 if (!ur->rlimits[rl])
800 continue;
801
802 r = setrlimit_closest(rl, ur->rlimits[rl]);
803 if (r < 0)
804 pam_syslog_errno(handle, LOG_ERR, r,
805 "Failed to set resource limit %s, ignoring: %m", rlimit_to_string(rl));
806 else
807 pam_debug_syslog(handle, debug,
808 "Resource limit %s set, based on user record.", rlimit_to_string(rl));
809 }
810
811 uint64_t a, b;
812 a = user_record_capability_ambient_set(ur);
813 if (a == UINT64_MAX)
814 a = default_capability_ambient_set;
815
816 b = user_record_capability_bounding_set(ur);
817 if (b == UINT64_MAX)
818 b = default_capability_bounding_set;
819
820 if (a != UINT64_MAX && a != 0) {
821 a &= b;
822
823 r = capability_ambient_set_apply(a, /* also_inherit= */ true);
824 if (r < 0)
825 pam_syslog_errno(handle, LOG_ERR, r,
826 "Failed to set ambient capabilities, ignoring: %m");
827 }
828
829 if (b != UINT64_MAX && !cap_test_all(b)) {
830 r = capability_bounding_set_drop(b, /* right_now= */ false);
831 if (r < 0)
832 pam_syslog_errno(handle, LOG_ERR, r,
833 "Failed to set bounding capabilities, ignoring: %m");
834 }
835
836 return PAM_SUCCESS;
837 }
838
839 static uint64_t pick_default_capability_ambient_set(
840 UserRecord *ur,
841 const char *service,
842 const char *seat) {
843
844 /* If not configured otherwise, let's enable CAP_WAKE_ALARM for regular users when logging in on a
845 * seat (i.e. when they are present physically on the device), or when invoked for the systemd --user
846 * instances. This allows desktops to install CAP_WAKE_ALARM to implement alarm clock apps without
847 * much fuss. */
848
849 return ur &&
850 user_record_disposition(ur) == USER_REGULAR &&
851 (streq_ptr(service, "systemd-user") || !isempty(seat)) ? (UINT64_C(1) << CAP_WAKE_ALARM) : UINT64_MAX;
852 }
853
854 typedef struct SessionContext {
855 const char *service;
856 const char *type;
857 const char *class;
858 const char *desktop;
859 const char *seat;
860 uint32_t vtnr;
861 const char *tty;
862 const char *display;
863 bool remote;
864 const char *remote_user;
865 const char *remote_host;
866 const char *memory_max;
867 const char *tasks_max;
868 const char *cpu_weight;
869 const char *io_weight;
870 const char *runtime_max_sec;
871 const char *area;
872 bool incomplete;
873 } SessionContext;
874
875 static int create_session_message(
876 sd_bus *bus,
877 pam_handle_t *handle,
878 UserRecord *ur,
879 const SessionContext *context,
880 bool avoid_pidfd,
881 sd_bus_message **ret) {
882
883 _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
884 _cleanup_close_ int pidfd = -EBADF;
885 int r;
886
887 assert(bus);
888 assert(handle);
889 assert(ur);
890 assert(context);
891 assert(ret);
892
893 if (!avoid_pidfd) {
894 pidfd = pidfd_open(getpid_cached(), 0);
895 if (pidfd < 0)
896 return -errno;
897 }
898
899 r = bus_message_new_method_call(bus, &m, bus_login_mgr, pidfd >= 0 ? "CreateSessionWithPIDFD" : "CreateSession");
900 if (r < 0)
901 return r;
902
903 r = sd_bus_message_append(
904 m,
905 pidfd >= 0 ? "uhsssssussbss" : "uusssssussbss",
906 (uint32_t) ur->uid,
907 pidfd >= 0 ? pidfd : 0,
908 context->service,
909 context->type,
910 context->class,
911 context->desktop,
912 context->seat,
913 context->vtnr,
914 context->tty,
915 context->display,
916 context->remote,
917 context->remote_user,
918 context->remote_host);
919 if (r < 0)
920 return r;
921
922 if (pidfd >= 0) {
923 r = sd_bus_message_append(m, "t", UINT64_C(0));
924 if (r < 0)
925 return r;
926 }
927
928 r = sd_bus_message_open_container(m, 'a', "(sv)");
929 if (r < 0)
930 return r;
931
932 r = append_session_memory_max(handle, m, context->memory_max);
933 if (r < 0)
934 return r;
935
936 r = append_session_runtime_max_sec(handle, m, context->runtime_max_sec);
937 if (r < 0)
938 return r;
939
940 r = append_session_tasks_max(handle, m, context->tasks_max);
941 if (r < 0)
942 return r;
943
944 r = append_session_cpu_weight(handle, m, context->cpu_weight);
945 if (r < 0)
946 return r;
947
948 r = append_session_io_weight(handle, m, context->io_weight);
949 if (r < 0)
950 return r;
951
952 r = sd_bus_message_close_container(m);
953 if (r < 0)
954 return r;
955
956 *ret = TAKE_PTR(m);
957 return 0;
958 }
959
960 static void session_context_mangle(
961 pam_handle_t *handle,
962 SessionContext *c,
963 UserRecord *ur,
964 bool debug) {
965
966 assert(handle);
967 assert(c);
968 assert(ur);
969
970 if (streq_ptr(c->service, "systemd-user")) {
971 /* If we detect that we are running in the "systemd-user" PAM stack, then let's patch the class to
972 * 'manager' if not set, simply for robustness reasons. */
973 c->type = "unspecified";
974 c->class = IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) ?
975 "manager-early" : "manager";
976 c->tty = NULL;
977
978 } else if (c->tty && strchr(c->tty, ':')) {
979 /* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
980 * and don't pretend that an X display was a tty. */
981 if (isempty(c->display))
982 c->display = c->tty;
983 c->tty = NULL;
984
985 } else if (streq_ptr(c->tty, "cron")) {
986 /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
987 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
988 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
989 * off processes.) */
990 c->type = "unspecified";
991 c->class = "background";
992 c->tty = NULL;
993
994 } else if (streq_ptr(c->tty, "ssh")) {
995 /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
996 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
997 c->type = "tty";
998 c->class = "user";
999 c->tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though
1000 * usually associated with a pty — won't be tracked by their tty in
1001 * logind. This is because ssh does the PAM session registration early for new
1002 * connections, and registers a pty only much later (this is because it doesn't
1003 * know yet if it needs one at all, as whether to register a pty or not is
1004 * negotiated much later in the protocol). */
1005
1006 } else if (c->tty)
1007 /* Chop off leading /dev prefix that some clients specify, but others do not. */
1008 c->tty = skip_dev_prefix(c->tty);
1009
1010 if (!isempty(c->display) && !c->vtnr) {
1011 if (isempty(c->seat))
1012 (void) get_seat_from_display(c->display, &c->seat, &c->vtnr);
1013 else if (streq(c->seat, "seat0"))
1014 (void) get_seat_from_display(c->display, /* seat= */ NULL, &c->vtnr);
1015 }
1016
1017 if (c->seat && !streq(c->seat, "seat0") && c->vtnr != 0) {
1018 pam_debug_syslog(handle, debug, "Ignoring vtnr %"PRIu32" for %s which is not seat0", c->vtnr, c->seat);
1019 c->vtnr = 0;
1020 }
1021
1022 if (isempty(c->type)) {
1023 c->type = !isempty(c->display) ? "x11" :
1024 !isempty(c->tty) ? "tty" : "unspecified";
1025 pam_debug_syslog(handle, debug, "Automatically chose session type '%s'.", c->type);
1026 }
1027
1028 if (!c->area)
1029 c->area = ur->default_area;
1030
1031 if (!isempty(c->area) && !filename_is_valid(c->area)) {
1032 pam_syslog(handle, LOG_WARNING, "Specified area '%s' is not a valid filename, ignoring area request.", c->area);
1033 c->area = NULL;
1034 }
1035
1036 if (isempty(c->class)) {
1037 c->class = streq(c->type, "unspecified") ? "background" : "user";
1038
1039 /* For non-regular users tweak the type a bit:
1040 *
1041 * - Allow root tty logins *before* systemd-user-sessions.service is run, to allow early boot
1042 * logins to debug things.
1043 *
1044 * - Non-graphical sessions shall be invoked without service manager.
1045 *
1046 * (Note that this somewhat replicates the class mangling logic on systemd-logind.service's
1047 * server side to some degree, in case clients allocate a session and don't specify a
1048 * class. This is somewhat redundant, but we need the class set up properly below.)
1049 *
1050 * For regular users also tweak the type a bit: if an area is specified at login time, switch
1051 * to light mode too. (Mostly because at the moment we do no support a per-area service
1052 * manager. Once we do, we should change this.).
1053 */
1054
1055 switch (user_record_disposition(ur)) {
1056
1057 case USER_INTRINSIC:
1058 case USER_SYSTEM:
1059 case USER_DYNAMIC:
1060 if (streq(c->class, "user"))
1061 c->class = user_record_is_root(ur) ? "user-early" :
1062 (STR_IN_SET(c->type, "x11", "wayland", "mir") ? "user" : "user-light");
1063 else if (streq(c->class, "background"))
1064 c->class = "background-light";
1065 break;
1066
1067 case USER_REGULAR:
1068 if (!isempty(c->area)) {
1069 if (streq(c->class, "user"))
1070 c->class = "user-light";
1071 else if (streq(c->class, "background"))
1072 c->class = "background-light";
1073 }
1074
1075 break;
1076
1077 default:
1078 ;
1079 }
1080
1081 pam_debug_syslog(handle, debug, "Automatically chose session class '%s'.", c->class);
1082 }
1083
1084 if (c->incomplete) {
1085 if (streq(c->class, "user"))
1086 c->class = "user-incomplete";
1087 else
1088 pam_syslog(handle, LOG_WARNING, "PAM session of class '%s' is incomplete, which is not supported, ignoring.", c->class);
1089 }
1090
1091 c->remote = !isempty(c->remote_host) && !is_localhost(c->remote_host);
1092 }
1093
1094 static bool can_use_varlink(const SessionContext *c) {
1095 /* Since PID 1 currently doesn't do Varlink right now, we cannot directly set properties for the
1096 * scope, for now. */
1097 return !c->memory_max &&
1098 !c->runtime_max_sec &&
1099 !c->tasks_max &&
1100 !c->cpu_weight &&
1101 !c->io_weight;
1102 }
1103
1104 static int register_session(
1105 pam_handle_t *handle,
1106 SessionContext *c,
1107 UserRecord *ur,
1108 bool debug,
1109 char **ret_seat,
1110 char **ret_type,
1111 char **ret_runtime_dir) {
1112
1113 int r;
1114
1115 assert(handle);
1116 assert(c);
1117 assert(ur);
1118 assert(ret_seat);
1119 assert(ret_type);
1120 assert(ret_runtime_dir);
1121
1122 /* We don't register session class none with logind */
1123 if (streq(c->class, "none")) {
1124 pam_debug_syslog(handle, debug, "Skipping logind registration for session class none.");
1125 *ret_seat = *ret_type = *ret_runtime_dir = NULL;
1126 return PAM_SUCCESS;
1127 }
1128
1129 /* Make most of this a NOP on non-logind systems */
1130 if (!logind_running()) {
1131 pam_debug_syslog(handle, debug, "Skipping logind registration as logind is not running.");
1132 *ret_seat = *ret_type = *ret_runtime_dir = NULL;
1133 return PAM_SUCCESS;
1134 }
1135
1136 pam_debug_syslog(handle, debug,
1137 "Asking logind to create session: "
1138 "uid="UID_FMT" pid="PID_FMT" service=%s type=%s class=%s desktop=%s seat=%s vtnr=%"PRIu32" tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
1139 ur->uid, getpid_cached(),
1140 strempty(c->service),
1141 c->type, c->class, strempty(c->desktop),
1142 strempty(c->seat), c->vtnr, strempty(c->tty), strempty(c->display),
1143 yes_no(c->remote), strempty(c->remote_user), strempty(c->remote_host));
1144 pam_debug_syslog(handle, debug,
1145 "Session limits: "
1146 "memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s runtime_max_sec=%s",
1147 strna(c->memory_max), strna(c->tasks_max), strna(c->cpu_weight), strna(c->io_weight), strna(c->runtime_max_sec));
1148
1149 _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; /* the following variables point into this message, hence pin it for longer */
1150 _cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL; /* similar */
1151 const char *id = NULL, *object_path = NULL, *runtime_path = NULL, *real_seat = NULL;
1152 int existing = false;
1153 uint32_t original_uid = UID_INVALID, real_vtnr = 0;
1154
1155 bool done = false;
1156 if (can_use_varlink(c)) {
1157
1158 r = sd_varlink_connect_address(&vl, "/run/systemd/io.systemd.Login");
1159 if (r < 0)
1160 log_debug_errno(r, "Failed to connect to logind via Varlink, falling back to D-Bus: %m");
1161 else {
1162 r = sd_varlink_set_allow_fd_passing_output(vl, true);
1163 if (r < 0)
1164 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to enable output fd passing on Varlink socket: %m");
1165
1166 r = sd_varlink_set_relative_timeout(vl, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC);
1167 if (r < 0)
1168 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to set relative timeout on Varlink socket: %m");
1169
1170 _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL;
1171 r = pidref_set_self(&pidref);
1172 if (r < 0)
1173 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to acquire PID reference on ourselves: %m");
1174
1175 sd_json_variant *vreply = NULL;
1176 const char *error_id = NULL;
1177 r = sd_varlink_callbo(
1178 vl,
1179 "io.systemd.Login.CreateSession",
1180 &vreply,
1181 &error_id,
1182 SD_JSON_BUILD_PAIR_UNSIGNED("UID", ur->uid),
1183 JSON_BUILD_PAIR_PIDREF("PID", &pidref),
1184 JSON_BUILD_PAIR_STRING_NON_EMPTY("Service", c->service),
1185 SD_JSON_BUILD_PAIR("Type", JSON_BUILD_STRING_UNDERSCORIFY(c->type)),
1186 SD_JSON_BUILD_PAIR("Class", JSON_BUILD_STRING_UNDERSCORIFY(c->class)),
1187 JSON_BUILD_PAIR_STRING_NON_EMPTY("Desktop", c->desktop),
1188 JSON_BUILD_PAIR_STRING_NON_EMPTY("Seat", c->seat),
1189 SD_JSON_BUILD_PAIR_CONDITION(c->vtnr > 0, "VTNr", SD_JSON_BUILD_UNSIGNED(c->vtnr)),
1190 JSON_BUILD_PAIR_STRING_NON_EMPTY("TTY", c->tty),
1191 JSON_BUILD_PAIR_STRING_NON_EMPTY("Display", c->display),
1192 SD_JSON_BUILD_PAIR_BOOLEAN("Remote", c->remote),
1193 JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteUser", c->remote_user),
1194 JSON_BUILD_PAIR_STRING_NON_EMPTY("RemoteHost", c->remote_host));
1195 if (r < 0)
1196 return pam_syslog_errno(handle, LOG_ERR, r,
1197 "Failed to register session: %s", error_id);
1198 if (streq_ptr(error_id, "io.systemd.Login.AlreadySessionMember")) {
1199 /* We are already in a session, don't do anything */
1200 pam_debug_syslog(handle, debug, "Not creating session: %s", error_id);
1201 *ret_seat = *ret_type= *ret_runtime_dir = NULL;
1202 return PAM_SUCCESS;
1203 }
1204 if (error_id)
1205 return pam_syslog_errno(handle, LOG_ERR, sd_varlink_error_to_errno(error_id, vreply),
1206 "Failed to issue CreateSession() varlink call: %s", error_id);
1207
1208 struct {
1209 const char *id;
1210 const char *runtime_path;
1211 uid_t uid;
1212 const char *seat;
1213 unsigned vtnr;
1214 bool existing;
1215 } p = {
1216 .uid = UID_INVALID,
1217 };
1218
1219 static const sd_json_dispatch_field dispatch_table[] = {
1220 { "Id", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, voffsetof(p, id), SD_JSON_MANDATORY },
1221 { "RuntimePath", SD_JSON_VARIANT_STRING, json_dispatch_const_path, voffsetof(p, runtime_path), SD_JSON_MANDATORY },
1222 { "UID", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uid_gid, voffsetof(p, uid), SD_JSON_MANDATORY },
1223 { "Seat", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, voffsetof(p, seat), 0 },
1224 { "VTNr", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uint, voffsetof(p, vtnr), 0 },
1225 {}
1226 };
1227
1228 r = sd_json_dispatch(vreply, dispatch_table, SD_JSON_ALLOW_EXTENSIONS, &p);
1229 if (r < 0)
1230 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to parse CreateSession() reply: %m");
1231
1232 id = p.id;
1233 runtime_path = p.runtime_path;
1234 original_uid = p.uid;
1235 real_seat = p.seat;
1236 real_vtnr = p.vtnr;
1237 existing = false; /* Even on D-Bus logind only returns false these days */
1238
1239 done = true;
1240 }
1241 }
1242
1243 if (!done) {
1244 /* Let's release the D-Bus connection once we are done here, after all the session might live
1245 * quite a long time, and we are not going to process the bus connection in that time, so
1246 * let's better close before the daemon kicks us off because we are not processing
1247 * anything. */
1248 _cleanup_(pam_bus_data_disconnectp) PamBusData *d = NULL;
1249 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
1250
1251 /* Talk to logind over the message bus */
1252 r = pam_acquire_bus_connection(handle, "pam-systemd", debug, &bus, &d);
1253 if (r != PAM_SUCCESS)
1254 return r;
1255
1256 _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
1257 r = create_session_message(
1258 bus,
1259 handle,
1260 ur,
1261 c,
1262 /* avoid_pidfd = */ false,
1263 &m);
1264 if (r < 0)
1265 return pam_bus_log_create_error(handle, r);
1266
1267 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
1268 r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply);
1269 if (r < 0 && sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD)) {
1270 sd_bus_error_free(&error);
1271 pam_debug_syslog(handle, debug,
1272 "CreateSessionWithPIDFD() API is not available, retrying with CreateSession().");
1273
1274 m = sd_bus_message_unref(m);
1275 r = create_session_message(bus,
1276 handle,
1277 ur,
1278 c,
1279 /* avoid_pidfd = */ true,
1280 &m);
1281 if (r < 0)
1282 return pam_bus_log_create_error(handle, r);
1283
1284 r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply);
1285 }
1286 if (r < 0) {
1287 if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
1288 /* We are already in a session, don't do anything */
1289 pam_debug_syslog(handle, debug,
1290 "Not creating session: %s", bus_error_message(&error, r));
1291 *ret_seat = *ret_type = *ret_runtime_dir = NULL;
1292 return PAM_SUCCESS;
1293 }
1294
1295 pam_syslog(handle, LOG_ERR,
1296 "Failed to create session: %s", bus_error_message(&error, r));
1297 return PAM_SESSION_ERR;
1298 }
1299
1300 r = sd_bus_message_read(
1301 reply,
1302 "soshusub",
1303 &id,
1304 &object_path,
1305 &runtime_path,
1306 /* session_fd = */ NULL,
1307 &original_uid,
1308 &real_seat,
1309 &real_vtnr,
1310 &existing);
1311 if (r < 0)
1312 return pam_bus_log_parse_error(handle, r);
1313 }
1314
1315 pam_debug_syslog(handle, debug,
1316 "Reply from logind: "
1317 "id=%s object_path=%s runtime_path=%s seat=%s vtnr=%u original_uid=%u",
1318 id, strna(object_path), runtime_path, real_seat, real_vtnr, original_uid);
1319
1320 /* Please update manager_default_environment() in core/manager.c accordingly if more session envvars
1321 * shall be added. */
1322
1323 r = update_environment(handle, "XDG_SESSION_ID", id);
1324 if (r != PAM_SUCCESS)
1325 return r;
1326
1327 /* Most likely we got the session/type/class from environment variables, but might have gotten the data
1328 * somewhere else (for example PAM module parameters). Let's now update the environment variables, so that this
1329 * data is inherited into the session processes, and programs can rely on them to be initialized. */
1330
1331 _cleanup_free_ char *real_type = strdup(c->type); /* make copy because this might point to env block, which we are going to update shortly */
1332 if (!real_type)
1333 return pam_log_oom(handle);
1334
1335 r = update_environment(handle, "XDG_SESSION_TYPE", c->type);
1336 if (r != PAM_SUCCESS)
1337 return r;
1338
1339 r = update_environment(handle, "XDG_SESSION_CLASS", c->class);
1340 if (r != PAM_SUCCESS)
1341 return r;
1342
1343 r = update_environment(handle, "XDG_SESSION_DESKTOP", c->desktop);
1344 if (r != PAM_SUCCESS)
1345 return r;
1346
1347 r = update_environment(handle, "XDG_SEAT", real_seat);
1348 if (r != PAM_SUCCESS)
1349 return r;
1350
1351 if (real_vtnr > 0) {
1352 char buf[DECIMAL_STR_MAX(real_vtnr)];
1353 xsprintf(buf, "%u", real_vtnr);
1354
1355 r = update_environment(handle, "XDG_VTNR", buf);
1356 if (r != PAM_SUCCESS)
1357 return r;
1358 }
1359
1360 r = pam_set_data(handle, "systemd.existing", INT_TO_PTR(!!existing), NULL);
1361 if (r != PAM_SUCCESS)
1362 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to install existing flag: @PAMERR@");
1363
1364 /* Don't set $XDG_RUNTIME_DIR if the user we now authenticated for does not match the
1365 * original user of the session. We do this in order not to result in privileged apps
1366 * clobbering the runtime directory unnecessarily. */
1367 _cleanup_free_ char *rt = NULL;
1368 if (original_uid == ur->uid && validate_runtime_directory(handle, runtime_path, ur->uid))
1369 if (strdup_to(&rt, runtime_path) < 0)
1370 return pam_log_oom(handle);
1371
1372 /* Everything worked, hence let's patch in the data we learned. Since 'real_set' points into the
1373 * D-Bus message, let's copy it and return it as a buffer */
1374 _cleanup_free_ char *rs = NULL;
1375 if (strdup_to(&rs, real_seat) < 0)
1376 return pam_log_oom(handle);
1377
1378 c->vtnr = real_vtnr;
1379 c->seat = *ret_seat = TAKE_PTR(rs);
1380 c->type = *ret_type = TAKE_PTR(real_type);
1381 *ret_runtime_dir = TAKE_PTR(rt);
1382
1383 return PAM_SUCCESS;
1384 }
1385
1386 static int import_shell_credentials(pam_handle_t *handle) {
1387
1388 static const char *const propagate[] = {
1389 "shell.prompt.prefix", "SHELL_PROMPT_PREFIX",
1390 "shell.prompt.suffix", "SHELL_PROMPT_SUFFIX",
1391 "shell.welcome", "SHELL_WELCOME",
1392 NULL
1393 };
1394 int r;
1395
1396 assert(handle);
1397
1398 STRV_FOREACH_PAIR(k, v, propagate) {
1399 r = propagate_credential_to_environment(handle, *k, *v);
1400 if (r != PAM_SUCCESS)
1401 return r;
1402 }
1403
1404 return PAM_SUCCESS;
1405 }
1406
1407 static int mkdir_chown_open_directory(
1408 int parent_fd,
1409 const char *name,
1410 uid_t uid,
1411 gid_t gid,
1412 mode_t mode) {
1413
1414 _cleanup_free_ char *t = NULL;
1415 int r;
1416
1417 assert(parent_fd >= 0);
1418 assert(name);
1419 assert(uid_is_valid(uid));
1420 assert(gid_is_valid(gid));
1421 assert(mode != MODE_INVALID);
1422
1423 for (unsigned attempt = 0;; attempt++) {
1424 _cleanup_close_ int fd = openat(parent_fd, name, O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
1425 if (fd >= 0)
1426 return TAKE_FD(fd);
1427 if (errno != ENOENT)
1428 return -errno;
1429
1430 /* Let's create the directory under a temporary name first, since we want to make sure that
1431 * once it appears under the right name it has the right ownership */
1432 r = tempfn_random(name, /* extra= */ NULL, &t);
1433 if (r < 0)
1434 return r;
1435
1436 fd = open_mkdir_at(parent_fd, t, O_CLOEXEC|O_EXCL, 0700); /* Use restrictive mode until ownership is in order */
1437 if (fd < 0)
1438 return fd;
1439
1440 r = RET_NERRNO(fchown(fd, uid, gid));
1441 if (r < 0)
1442 goto fail;
1443
1444 r = RET_NERRNO(fchmod(fd, mode));
1445 if (r < 0)
1446 goto fail;
1447
1448 r = rename_noreplace(parent_fd, t, parent_fd, name);
1449 if (r >= 0)
1450 return TAKE_FD(fd);
1451 if (r != -EEXIST || attempt >= 5)
1452 goto fail;
1453
1454 /* Maybe some other login attempt created the directory at the same time? Let's retry */
1455 (void) unlinkat(parent_fd, t, AT_REMOVEDIR);
1456 t = mfree(t);
1457 }
1458
1459 fail:
1460 (void) unlinkat(parent_fd, ASSERT_PTR(t), AT_REMOVEDIR);
1461 return r;
1462 }
1463
1464 static int make_area_runtime_directory(
1465 pam_handle_t *handle,
1466 UserRecord *ur,
1467 const char *runtime_directory,
1468 const char *area,
1469 char **ret) {
1470
1471 assert(handle);
1472 assert(ur);
1473 assert(runtime_directory);
1474 assert(area);
1475 assert(ret);
1476
1477 /* Let's be careful with creating these directories, the runtime directory is owned by the user after all,
1478 * and they might play symlink games with us. */
1479
1480 _cleanup_close_ int fd = open(runtime_directory, O_CLOEXEC|O_PATH|O_DIRECTORY);
1481 if (fd < 0)
1482 return pam_syslog_errno(handle, LOG_ERR, errno, "Unable to open runtime directory '%s': %m", runtime_directory);
1483
1484 _cleanup_close_ int fd_areas = mkdir_chown_open_directory(fd, "Areas", ur->uid, user_record_gid(ur), 0755);
1485 if (fd_areas < 0)
1486 return pam_syslog_errno(handle, LOG_ERR, fd_areas, "Unable to create 'Areas' directory below '%s': %m", runtime_directory);
1487
1488 _cleanup_close_ int fd_area = mkdir_chown_open_directory(fd_areas, area, ur->uid, user_record_gid(ur), 0755);
1489 if (fd_area < 0)
1490 return pam_syslog_errno(handle, LOG_ERR, fd_area, "Unable to create '%s' directory below '%s/Areas': %m", area, runtime_directory);
1491
1492 char *j = path_join(runtime_directory, "Areas", area);
1493 if (!j)
1494 return pam_log_oom(handle);
1495
1496 *ret = j;
1497 return 0;
1498 }
1499
1500 static int setup_environment(
1501 pam_handle_t *handle,
1502 UserRecord *ur,
1503 const char *runtime_directory,
1504 const char *area,
1505 bool debug) {
1506
1507 int r;
1508
1509 assert(handle);
1510 assert(ur);
1511
1512 const char *h = ASSERT_PTR(user_record_home_directory(ur));
1513
1514 /* If an empty area string is specified, this means an explicit: do not use the area logic, normalize this here */
1515 area = empty_to_null(area);
1516
1517 _cleanup_free_ char *ha = NULL, *area_copy = NULL;
1518 if (area) {
1519 _cleanup_free_ char *j = path_join(h, "Areas", area);
1520 if (!j)
1521 return pam_log_oom(handle);
1522
1523 _cleanup_close_ int fd = -EBADF;
1524 r = chase(j, /* root= */ NULL, CHASE_MUST_BE_DIRECTORY, &ha, &fd);
1525 if (r < 0) {
1526 /* Log the precise error */
1527 pam_syslog_errno(handle, LOG_WARNING, r, "Path '%s' of requested user area '%s' is not accessible, reverting to regular home directory: %m", j, area);
1528
1529 /* Also tell the user directly at login, but a bit more vague */
1530 pam_info(handle, "Path '%s' of requested user area '%s' is not accessible, reverting to regular home directory.", j, area);
1531 area = NULL;
1532 } else {
1533 /* Validate that the target is definitely owned by user */
1534 struct stat st;
1535 if (fstat(fd, &st) < 0)
1536 return pam_syslog_errno(handle, LOG_ERR, errno, "Unable to fstat() target area directory '%s': %m", ha);
1537
1538 if (st.st_uid != ur->uid) {
1539 pam_syslog(handle, LOG_ERR, "Path '%s' of requested user area '%s' is not owned by user, reverting to regular home directory.", ha, area);
1540
1541 /* Also tell the user directly at login. */
1542 pam_info(handle, "Path '%s' of requested user area '%s' is not owned by user, reverting to regular home directory.", ha, area);
1543 area = NULL;
1544 } else {
1545 /* All good, now make a copy of the area string, since we quite likely are
1546 * going to invalidate it (if it points into the environment block), via the
1547 * update_environment() call below */
1548 area_copy = strdup(area);
1549 if (!area_copy)
1550 return pam_log_oom(handle);
1551
1552 pam_debug_syslog(handle, debug, "Area '%s' selected, setting $HOME to '%s'.", area, ha);
1553 h = ha;
1554 area = area_copy;
1555 }
1556 }
1557 }
1558
1559 r = update_environment(handle, "XDG_AREA", area);
1560 if (r != PAM_SUCCESS)
1561 return r;
1562
1563 r = update_environment(handle, "HOME", h);
1564 if (r != PAM_SUCCESS)
1565 return r;
1566
1567 _cleanup_free_ char *per_area_runtime_directory = NULL;
1568 if (runtime_directory && area) {
1569 /* Also create a per-area subdirectory for $XDG_RUNTIME_DIR, so that each area has their own
1570 * set of runtime services. We follow the same directory structure as for $HOME. Note that we
1571 * do not define any form of automatic clean-up for the per-aera subdirs beyond the regular
1572 * clean-up of the whole $XDG_RUNTIME_DIRECTORY hierarchy when the user finally logs out. */
1573
1574 r = make_area_runtime_directory(handle, ur, runtime_directory, area, &per_area_runtime_directory);
1575 if (r != PAM_SUCCESS)
1576 return r;
1577
1578 runtime_directory = per_area_runtime_directory;
1579 }
1580
1581 r = update_environment(handle, "XDG_RUNTIME_DIR", runtime_directory);
1582 if (r != PAM_SUCCESS)
1583 return r;
1584
1585 return export_legacy_dbus_address(handle, runtime_directory);
1586 }
1587
1588 static int open_osc_context(pam_handle_t *handle, const char *session_type, UserRecord *ur) {
1589 int r;
1590
1591 assert(handle);
1592 assert(ur);
1593
1594 /* If this is a TTY session, then output the session start OSC sequence */
1595
1596 if (!streq_ptr(session_type, "tty"))
1597 return PAM_SUCCESS;
1598
1599 const char *e = pam_getenv(handle, "TERM");
1600 if (!e)
1601 e = getenv("TERM");
1602 if (streq_ptr(e, "dumb"))
1603 return PAM_SUCCESS;
1604
1605 /* NB: we output directly to stdout, instead of going via pam_info() or so, because that's too
1606 * high-level for us, as it suffixes the output with a newline, expecting a full blown text message
1607 * as prompt string, not just an ANSI sequence. Note that PAM's conv_misc() actually goes to stdout
1608 * anyway, hence let's do so here too, but only after careful validation. */
1609 if (!isatty_safe(STDOUT_FILENO))
1610 return PAM_SUCCESS;
1611
1612 /* Keep a reference to the TTY we are operating on, so that we can issue the OSC close sequence also
1613 * if the TTY is already closed. We use an O_PATH reference here, rather than a properly opened fd,
1614 * so that we don't delay tty hang-up. */
1615 _cleanup_close_ int tty_opath_fd = fd_reopen(STDOUT_FILENO, O_PATH|O_CLOEXEC);
1616 if (tty_opath_fd < 0)
1617 pam_syslog_errno(handle, LOG_DEBUG, tty_opath_fd, "Failed to pin TTY, ignoring: %m");
1618 else
1619 tty_opath_fd = fd_move_above_stdio(tty_opath_fd);
1620
1621 _cleanup_free_ char *osc = NULL;
1622 sd_id128_t osc_id;
1623 r = osc_context_open_session(
1624 ur->user_name,
1625 pam_getenv(handle, "XDG_SESSION_ID"),
1626 &osc,
1627 &osc_id);
1628 if (r < 0)
1629 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to prepare OSC sequence: %m");
1630
1631 r = loop_write(STDOUT_FILENO, osc, SIZE_MAX);
1632 if (r < 0)
1633 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to write OSC sequence to TTY: %m");
1634
1635 /* Remember the OSC context id, so that we can close it cleanly later */
1636 _cleanup_free_ sd_id128_t *osc_id_copy = newdup(sd_id128_t, &osc_id, 1);
1637 if (!osc_id_copy)
1638 return pam_log_oom(handle);
1639
1640 r = pam_set_data(handle, "systemd.osc-context-id", osc_id_copy, pam_cleanup_free);
1641 if (r != PAM_SUCCESS)
1642 return pam_syslog_pam_error(handle, LOG_ERR, r,
1643 "Failed to set PAM OSC sequence ID data: @PAMERR@");
1644
1645 TAKE_PTR(osc_id_copy);
1646
1647 if (tty_opath_fd >= 0) {
1648 r = pam_set_data(handle, "systemd.osc-context-fd", FD_TO_PTR(tty_opath_fd), pam_cleanup_close);
1649 if (r != PAM_SUCCESS)
1650 return pam_syslog_pam_error(handle, LOG_ERR, r,
1651 "Failed to set PAM OSC sequence fd data: @PAMERR@");
1652
1653 TAKE_FD(tty_opath_fd);
1654 }
1655
1656 return PAM_SUCCESS;
1657 }
1658
1659 static int close_osc_context(pam_handle_t *handle) {
1660 int r;
1661
1662 assert(handle);
1663
1664 const void *p;
1665 int tty_opath_fd = -EBADF;
1666 r = pam_get_data(handle, "systemd.osc-context-fd", &p);
1667 if (r == PAM_SUCCESS)
1668 tty_opath_fd = PTR_TO_FD(p);
1669 else if (r != PAM_NO_MODULE_DATA)
1670 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM OSC context fd: @PAMERR@");
1671 if (tty_opath_fd < 0)
1672 return PAM_SUCCESS;
1673
1674 const sd_id128_t *osc_id = NULL;
1675 r = pam_get_data(handle, "systemd.osc-context-id", (const void**) &osc_id);
1676 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1677 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM OSC context id data: @PAMERR@");
1678 if (!osc_id)
1679 return PAM_SUCCESS;
1680
1681 /* Now open the original TTY again, so that we can write on it */
1682 _cleanup_close_ int fd = fd_reopen(tty_opath_fd, O_WRONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
1683 if (fd < 0) {
1684 pam_syslog_errno(handle, LOG_DEBUG, fd, "Failed to reopen TTY, ignoring: %m");
1685 return PAM_SUCCESS;
1686 }
1687
1688 /* /bin/login calls us with fds 0, 1, 2 closed, which is just weird. Let's step outside of that
1689 * range, just in case pam_syslog() or so logs to stderr */
1690 fd = fd_move_above_stdio(fd);
1691
1692 /* Safety check, let's verify this is a valid TTY we just opened */
1693 if (!isatty_safe(fd))
1694 return PAM_SUCCESS;
1695
1696 _cleanup_free_ char *osc = NULL;
1697 r = osc_context_close(*osc_id, &osc);
1698 if (r < 0)
1699 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to prepare OSC sequence: %m");
1700
1701 r = loop_write(fd, osc, SIZE_MAX);
1702 if (r < 0)
1703 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to write OSC sequence to TTY: %m");
1704
1705 return PAM_SUCCESS;
1706 }
1707
1708 _public_ PAM_EXTERN int pam_sm_open_session(
1709 pam_handle_t *handle,
1710 int flags,
1711 int argc, const char **argv) {
1712
1713 int r;
1714
1715 assert(handle);
1716
1717 pam_log_setup();
1718
1719 uint64_t default_capability_bounding_set = UINT64_MAX, default_capability_ambient_set = UINT64_MAX;
1720 const char *class_pam = NULL, *type_pam = NULL, *desktop_pam = NULL, *area_pam = NULL;
1721 bool debug = false;
1722 if (parse_argv(handle,
1723 argc, argv,
1724 &class_pam,
1725 &type_pam,
1726 &desktop_pam,
1727 &area_pam,
1728 &debug,
1729 &default_capability_bounding_set,
1730 &default_capability_ambient_set) < 0)
1731 return PAM_SESSION_ERR;
1732
1733 pam_debug_syslog(handle, debug, "pam-systemd initializing");
1734
1735 _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
1736 r = acquire_user_record(handle, &ur);
1737 if (r != PAM_SUCCESS)
1738 return r;
1739
1740 SessionContext c = {};
1741 r = pam_get_item_many(
1742 handle,
1743 PAM_SERVICE, &c.service,
1744 PAM_XDISPLAY, &c.display,
1745 PAM_TTY, &c.tty,
1746 PAM_RUSER, &c.remote_user,
1747 PAM_RHOST, &c.remote_host);
1748 if (r != PAM_SUCCESS)
1749 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM items: @PAMERR@");
1750
1751 c.seat = getenv_harder(handle, "XDG_SEAT", NULL);
1752 c.vtnr = getenv_harder_uint32(handle, "XDG_VTNR", 0);
1753 c.type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
1754 c.class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
1755 c.desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
1756 c.area = getenv_harder(handle, "XDG_AREA", area_pam);
1757 c.incomplete = getenv_harder_bool(handle, "XDG_SESSION_INCOMPLETE", false);
1758
1759 r = pam_get_data_many(
1760 handle,
1761 "systemd.memory_max", &c.memory_max,
1762 "systemd.tasks_max", &c.tasks_max,
1763 "systemd.cpu_weight", &c.cpu_weight,
1764 "systemd.io_weight", &c.io_weight,
1765 "systemd.runtime_max_sec", &c.runtime_max_sec);
1766 if (r != PAM_SUCCESS)
1767 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM data: @PAMERR@");
1768
1769 session_context_mangle(handle, &c, ur, debug);
1770
1771 _cleanup_free_ char *seat_buffer = NULL, *type_buffer = NULL, *runtime_dir = NULL;
1772 r = register_session(handle, &c, ur, debug, &seat_buffer, &type_buffer, &runtime_dir);
1773 if (r != PAM_SUCCESS)
1774 return r;
1775
1776 r = import_shell_credentials(handle);
1777 if (r != PAM_SUCCESS)
1778 return r;
1779
1780 r = setup_environment(handle, ur, runtime_dir, c.area, debug);
1781 if (r != PAM_SUCCESS)
1782 return r;
1783
1784 if (default_capability_ambient_set == UINT64_MAX)
1785 default_capability_ambient_set = pick_default_capability_ambient_set(ur, c.service, c.seat);
1786
1787 r = apply_user_record_settings(handle, ur, debug, default_capability_bounding_set, default_capability_ambient_set);
1788 if (r != PAM_SUCCESS)
1789 return r;
1790
1791 return open_osc_context(handle, c.type, ur);
1792 }
1793
1794 _public_ PAM_EXTERN int pam_sm_close_session(
1795 pam_handle_t *handle,
1796 int flags,
1797 int argc, const char **argv) {
1798
1799 const void *existing = NULL;
1800 bool debug = false;
1801 const char *id;
1802 int r;
1803
1804 assert(handle);
1805
1806 pam_log_setup();
1807
1808 if (parse_argv(handle,
1809 argc, argv,
1810 /* class= */ NULL,
1811 /* type= */ NULL,
1812 /* desktop= */ NULL,
1813 /* area= */ NULL,
1814 &debug,
1815 /* default_capability_bounding_set */ NULL,
1816 /* default_capability_ambient_set= */ NULL) < 0)
1817 return PAM_SESSION_ERR;
1818
1819 pam_debug_syslog(handle, debug, "pam-systemd shutting down");
1820
1821 /* Only release session if it wasn't pre-existing when we
1822 * tried to create it */
1823 r = pam_get_data(handle, "systemd.existing", &existing);
1824 if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
1825 return pam_syslog_pam_error(handle, LOG_ERR, r,
1826 "Failed to get PAM systemd.existing data: @PAMERR@");
1827
1828 (void) close_osc_context(handle);
1829
1830 id = pam_getenv(handle, "XDG_SESSION_ID");
1831 if (id && !existing) {
1832 _cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
1833 bool done = false;
1834
1835 r = sd_varlink_connect_address(&vl, "/run/systemd/io.systemd.Login");
1836 if (r < 0)
1837 log_debug_errno(r, "Failed to connect to logind via Varlink, falling back to D-Bus: %m");
1838 else {
1839 _cleanup_(sd_json_variant_unrefp) sd_json_variant *vreply = NULL;
1840 const char *error_id = NULL;
1841 r = sd_varlink_callbo(
1842 vl,
1843 "io.systemd.Login.ReleaseSession",
1844 /* ret_reply= */ NULL,
1845 &error_id,
1846 SD_JSON_BUILD_PAIR_STRING("Id", id));
1847 if (r < 0)
1848 return pam_syslog_errno(handle, LOG_ERR, r, "Failed to register session: %s", error_id);
1849 if (error_id)
1850 return pam_syslog_errno(handle, LOG_ERR, sd_varlink_error_to_errno(error_id, vreply),
1851 "Failed to issue ReleaseSession() varlink call: %s", error_id);
1852
1853 done = true;
1854 }
1855
1856 if (!done) {
1857 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
1858 _cleanup_(pam_bus_data_disconnectp) PamBusData *d = NULL;
1859 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
1860
1861 /* Before we go and close the FIFO we need to tell logind that this is a clean session
1862 * shutdown, so that it doesn't just go and slaughter us immediately after closing the fd */
1863
1864 r = pam_acquire_bus_connection(handle, "pam-systemd", debug, &bus, &d);
1865 if (r != PAM_SUCCESS)
1866 return r;
1867
1868 r = bus_call_method(bus, bus_login_mgr, "ReleaseSession", &error, NULL, "s", id);
1869 if (r < 0)
1870 return pam_syslog_pam_error(handle, LOG_ERR, PAM_SESSION_ERR,
1871 "Failed to release session: %s", bus_error_message(&error, r));
1872 }
1873 }
1874
1875 return PAM_SUCCESS;
1876 }
Unnamed repository; edit this file 'description' to name the repository.