[thirdparty/systemd.git] / src / pam-module.c

/*-*- Mode: C; c-basic-offset: 8 -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <fcntl.h>
#include <sys/file.h>
#include <pwd.h>
#include <endian.h>

#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
#include <security/pam_misc.h>

#include "util.h"
#include "cgroup-util.h"
#include "macro.h"
#include "sd-daemon.h"

static int parse_argv(pam_handle_t *handle,
                      int argc, const char **argv,
                      bool *create_session,
                      bool *kill_session,
                      bool *kill_user) {

        unsigned i;

        assert(argc >= 0);
        assert(argc == 0 || argv);

        for (i = 0; i < (unsigned) argc; i++) {
                int k;

                if (startswith(argv[i], "create-session=")) {
                        if ((k = parse_boolean(argv[i] + 15)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument.");
                                return k;
                        }

                        if (create_session)
                                *create_session = k;
                } else if (startswith(argv[i], "kill-session=")) {
                        if ((k = parse_boolean(argv[i] + 13)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument.");
                                return k;
                        }

                        if (kill_session)
                                *kill_session = k;

                } else if (startswith(argv[i], "kill-user=")) {
                        if ((k = parse_boolean(argv[i] + 10)) < 0) {
                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument.");
                                return k;
                        }

                        if (kill_user)
                                *kill_user = k;
                } else {
                        pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]);
                        return -EINVAL;
                }
        }

        if (kill_session && *kill_session && kill_user)
                *kill_user = true;

        return 0;
}

static int open_file_and_lock(const char *fn) {
        int fd;

        assert(fn);

        if ((fd = open(fn, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_CREAT, 0600)) < 0)
                return -errno;

        /* The BSD socket semantics are a lot nicer than those of
         * POSIX locks. Which is why we use flock() here. BSD locking
         * does not work across NFS which however is not needed here
         * as the filesystems in question should be local, and only
         * locally accessible, and most likely even tmpfs. */

        if (flock(fd, LOCK_EX) < 0)
                return -errno;

        return fd;
}

enum {
        SESSION_ID_AUDIT = 'a',
        SESSION_ID_COUNTER = 'c',
        SESSION_ID_RANDOM = 'r'
};

static uint64_t get_session_id(int *mode) {
        char *s;
        int fd;

        assert(mode);

        /* First attempt: let's use the session ID of the audit
         * system, if it is available. */
        if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
                uint32_t u;
                int r;

                r = safe_atou32(s, &u);
                free(s);

                if (r >= 0 && u != (uint32_t) -1) {
                        *mode = SESSION_ID_AUDIT;
                        return (uint64_t) u;
                }
        }

        /* Second attempt, use our own counter. */
        if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
                uint64_t counter;
                ssize_t r;

                /* We do a bit of endianess swapping here, just to be
                 * sure. /var should be machine specific anyway, and
                 * /var/run even mounted from tmpfs, so this
                 * byteswapping should really not be necessary. But
                 * then again, you never know, so let's avoid any
                 * risk. */

                if (loop_read(fd, &counter, sizeof(counter), false) != sizeof(counter))
                        counter = 1;
                else
                        counter = le64toh(counter) + 1;

                if (lseek(fd, 0, SEEK_SET) == 0) {
                        uint64_t swapped = htole64(counter);

                        r = loop_write(fd, &swapped, sizeof(swapped), false);

                        if (r != sizeof(swapped))
                                r = -EIO;
                } else
                        r = -errno;

                close_nointr_nofail(fd);

                if (r >= 0) {
                        *mode = SESSION_ID_COUNTER;
                        return counter;
                }
        }

        *mode = SESSION_ID_RANDOM;

        /* Last attempt, pick a random value */
        return (uint64_t) random_ull();
}
static int get_user_data(
                pam_handle_t *handle,
                const char **ret_username,
                struct passwd **ret_pw) {

        const char *username;
        struct passwd *pw;
        int r;

        assert(handle);
        assert(ret_username);
        assert(ret_pw);

        if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
                pam_syslog(handle, LOG_ERR, "Failed to get user name.");
                return r;
        }

        if (!username || !*username) {
                pam_syslog(handle, LOG_ERR, "User name not valid.");
                return PAM_AUTH_ERR;
        }

        if (!(pw = pam_modutil_getpwnam(handle, username))) {
                pam_syslog(handle, LOG_ERR, "Failed to get user data.");
                return PAM_USER_UNKNOWN;
        }

        *ret_pw = pw;
        *ret_username = username;

        return PAM_SUCCESS;
}

static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach, bool remember) {
        int r;

        assert(handle);
        assert(group);

        if (attach)
                r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, group, 0);
        else
                r = cg_create(SYSTEMD_CGROUP_CONTROLLER, group);

        if (r < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r));
                return PAM_SESSION_ERR;
        }

        if (r > 0 && remember) {
                /* Remember that it was us who created this group, and
                 * that hence we need to remove it too. This is a
                 * protection against removing the cgroup when run
                 * recursively. */
                if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
                        pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
                        return r;
                }
        }

        if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 ||
            (r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
                return PAM_SESSION_ERR;
        }

        return PAM_SUCCESS;
}

_public_ PAM_EXTERN int pam_sm_open_session(
                pam_handle_t *handle,
                int flags,
                int argc, const char **argv) {

        const char *username = NULL;
        struct passwd *pw;
        int r;
        char *buf = NULL;
        int lock_fd = -1;
        bool create_session = true;

        assert(handle);

        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */

        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
                return PAM_SESSION_ERR;

        /* Make this a NOP on non-systemd systems */
        if (sd_booted() <= 0)
                return PAM_SUCCESS;

        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                goto finish;

        if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        /* Create /var/run/$USER */
        free(buf);
        if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) {
                pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        } else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) {
                pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
                goto finish;
        }

        free(buf);
        buf = NULL;

        if (create_session) {
                const char *id;

                /* Reuse or create XDG session ID */
                if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
                        int mode;

                        if (asprintf(&buf, "%llux", (unsigned long long) get_session_id(&mode)) < 0) {
                                r = PAM_BUF_ERR;
                                goto finish;
                        }

                        /* To avoid id clashes we add the session id
                         * source to our session ids. Note that the
                         * session id source might change during
                         * runtime, because a filesystem became
                         * writable or the system reconfigured. */
                        buf[strlen(buf)-1] =
                                mode != SESSION_ID_AUDIT ? (char) mode : 0;

                        if ((r = pam_misc_setenv(handle, "XDG_SESSION_ID", buf, 0)) != PAM_SUCCESS) {
                                pam_syslog(handle, LOG_ERR, "Failed to set session id.");
                                goto finish;
                        }

                        if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
                                pam_syslog(handle, LOG_ERR, "Failed to get session id.");
                                r = PAM_SESSION_ERR;
                                goto finish;
                        }
                }

                r = asprintf(&buf, "/user/%s/%s", username, id);
        } else
                r = asprintf(&buf, "/user/%s/no-session", username);

        if (r < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);

        if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
                goto finish;

        r = PAM_SUCCESS;

finish:
        free(buf);

        if (lock_fd >= 0)
                close_nointr_nofail(lock_fd);

        return r;
}

static int session_remains(pam_handle_t *handle, const char *user_path) {
        int r;
        bool remains = false;
        DIR *d;
        char *subgroup;

        if ((r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, user_path, &d)) < 0)
                return r;

        while ((r = cg_read_subgroup(d, &subgroup)) > 0) {

                remains = !streq(subgroup, "no-session");
                free(subgroup);

                if (remains)
                        break;
        }

        closedir(d);

        if (r < 0)
                return r;

        return !!remains;
}

_public_ PAM_EXTERN int pam_sm_close_session(
                pam_handle_t *handle,
                int flags,
                int argc, const char **argv) {

        const char *username = NULL;
        bool kill_session = false;
        bool kill_user = false;
        int lock_fd = -1, r;
        char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
        const char *id;
        struct passwd *pw;
        const void *created = NULL;

        assert(handle);

        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0)
                return PAM_SESSION_ERR;

        /* Make this a NOP on non-systemd systems */
        if (sd_booted() <= 0)
                return PAM_SUCCESS;

        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
                goto finish;

        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
                r = PAM_SYSTEM_ERR;
                goto finish;
        }

        /* We are probably still in some session/no-session dir. Move ourselves out of the way as first step */
        if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
                pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));

        if (asprintf(&user_path, "/user/%s", username) < 0) {
                r = PAM_BUF_ERR;
                goto finish;
        }

        pam_get_data(handle, "systemd.created", &created);

        if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {

                if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 ||
                    asprintf(&nosession_path, "/user/%s/no-session", username) < 0) {
                        r = PAM_BUF_ERR;
                        goto finish;
                }

                if (kill_session)  {
                        pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);

                        /* Kill processes in session cgroup, and delete it */
                        if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
                } else {
                        pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);

                        /* Migrate processes from session to
                         * no-session cgroup. First, try to create the
                         * no-session group in case it doesn't exist
                         * yet. Also, delete the session group. */
                        create_user_group(handle, nosession_path, pw, false, false);

                        if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
                }
        }

        /* GC user tree */
        cg_trim(SYSTEMD_CGROUP_CONTROLLER, user_path, false);

        if ((r = session_remains(handle, user_path)) < 0)
                pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));

        /* Kill user processes not attached to any session */
        if (kill_user && r == 0) {

                /* Kill no-session cgroup */
                if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                        pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
        } else {

                if ((r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
                        pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));

                /* Remove user cgroup */
                if (r > 0) {
                        if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));

                /* If we managed to find somebody, don't cleanup the cgroup. */
                } else if (r == 0)
                        r = -EBUSY;
        }

        if (r >= 0) {
                const char *runtime_dir;

                if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
                        if ((r = rm_rf(runtime_dir, false, true)) < 0)
                                pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
        }

        /* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */

        r = PAM_SUCCESS;

finish:
        if (lock_fd >= 0)
                close_nointr_nofail(lock_fd);

        free(session_path);
        free(nosession_path);
        free(user_path);

        return r;
}
Commit	Line	Data
8c6db833 LP	1	/-- Mode: C; c-basic-offset: 8 --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU General Public License as published by
	10	the Free Software Foundation; either version 2 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	General Public License for more details.
	17
	18	You should have received a copy of the GNU General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <fcntl.h>
	24	#include <sys/file.h>
	25	#include <pwd.h>
a838e6a1	26	#include <endian.h>
8c6db833 LP	27
	28	#include <security/pam_modules.h>
	29	#include <security/_pam_macros.h>
	30	#include <security/pam_modutil.h>
	31	#include <security/pam_ext.h>
	32	#include <security/pam_misc.h>
	33
8c6db833 LP	34	#include "util.h"
	35	#include "cgroup-util.h"
	36	#include "macro.h"
	37	#include "sd-daemon.h"
	38
	39	static int parse_argv(pam_handle_t *handle,
	40	int argc, const char **argv,
	41	bool *create_session,
	42	bool *kill_session,
	43	bool *kill_user) {
	44
	45	unsigned i;
	46
	47	assert(argc >= 0);
	48	assert(argc == 0 \|\| argv);
	49
	50	for (i = 0; i < (unsigned) argc; i++) {
	51	int k;
	52
	53	if (startswith(argv[i], "create-session=")) {
	54	if ((k = parse_boolean(argv[i] + 15)) < 0) {
	55	pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument.");
	56	return k;
	57	}
	58
	59	if (create_session)
	60	*create_session = k;
	61	} else if (startswith(argv[i], "kill-session=")) {
	62	if ((k = parse_boolean(argv[i] + 13)) < 0) {
	63	pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument.");
	64	return k;
	65	}
	66
	67	if (kill_session)
	68	*kill_session = k;
	69
	70	} else if (startswith(argv[i], "kill-user=")) {
	71	if ((k = parse_boolean(argv[i] + 10)) < 0) {
	72	pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument.");
	73	return k;
	74	}
	75
	76	if (kill_user)
	77	*kill_user = k;
	78	} else {
	79	pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]);
	80	return -EINVAL;
	81	}
	82	}
	83
	84	if (kill_session && *kill_session && kill_user)
	85	*kill_user = true;
	86
	87	return 0;
	88	}
	89
	90	static int open_file_and_lock(const char *fn) {
	91	int fd;
	92
	93	assert(fn);
	94
	95	if ((fd = open(fn, O_RDWR\|O_CLOEXEC\|O_NOCTTY\|O_NOFOLLOW\|O_CREAT, 0600)) < 0)
	96	return -errno;
	97
2e225d65 LP	98	/* The BSD socket semantics are a lot nicer than those of
	99	* POSIX locks. Which is why we use flock() here. BSD locking
	100	* does not work across NFS which however is not needed here
	101	* as the filesystems in question should be local, and only
	102	* locally accessible, and most likely even tmpfs. */
	103
8c6db833 LP	104	if (flock(fd, LOCK_EX) < 0)
	105	return -errno;
	106
	107	return fd;
	108	}
	109
2e225d65 LP	110	enum {
	111	SESSION_ID_AUDIT = 'a',
	112	SESSION_ID_COUNTER = 'c',
	113	SESSION_ID_RANDOM = 'r'
	114	};
	115
	116	static uint64_t get_session_id(int *mode) {
a838e6a1 LP	117	char *s;
a838e6a1 LP	118	int fd;
8c6db833	119
2e225d65 LP	120	assert(mode);
2e225d65 LP	121
a838e6a1 LP	122	/* First attempt: let's use the session ID of the audit
	123	* system, if it is available. */
	124	if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
	125	uint32_t u;
	126	int r;
8c6db833	127
a838e6a1 LP	128	r = safe_atou32(s, &u);
a838e6a1 LP	129	free(s);
8c6db833	130
2e225d65 LP	131	if (r >= 0 && u != (uint32_t) -1) {
2e225d65 LP	132	*mode = SESSION_ID_AUDIT;
a838e6a1	133	return (uint64_t) u;
2e225d65	134	}
a838e6a1	135	}
8c6db833	136
a838e6a1 LP	137	/* Second attempt, use our own counter. */
	138	if ((fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-session")) >= 0) {
	139	uint64_t counter;
	140	ssize_t r;
8c6db833	141
a838e6a1 LP	142	/* We do a bit of endianess swapping here, just to be
	143	* sure. /var should be machine specific anyway, and
	144	* /var/run even mounted from tmpfs, so this
	145	* byteswapping should really not be necessary. But
	146	* then again, you never know, so let's avoid any
	147	* risk. */
8c6db833	148
a838e6a1 LP	149	if (loop_read(fd, &counter, sizeof(counter), false) != sizeof(counter))
	150	counter = 1;
	151	else
	152	counter = le64toh(counter) + 1;
8c6db833	153
a838e6a1 LP	154	if (lseek(fd, 0, SEEK_SET) == 0) {
	155	uint64_t swapped = htole64(counter);
	156
	157	r = loop_write(fd, &swapped, sizeof(swapped), false);
	158
	159	if (r != sizeof(swapped))
	160	r = -EIO;
	161	} else
	162	r = -errno;
8c6db833	163
a838e6a1 LP	164	close_nointr_nofail(fd);
a838e6a1 LP	165
2e225d65 LP	166	if (r >= 0) {
2e225d65 LP	167	*mode = SESSION_ID_COUNTER;
a838e6a1	168	return counter;
2e225d65	169	}
a838e6a1 LP	170	}
a838e6a1 LP	171
2e225d65 LP	172	*mode = SESSION_ID_RANDOM;
2e225d65 LP	173
a838e6a1 LP	174	/* Last attempt, pick a random value */
	175	return (uint64_t) random_ull();
	176	}
8c6db833 LP	177	static int get_user_data(
	178	pam_handle_t *handle,
	179	const char **ret_username,
	180	struct passwd **ret_pw) {
	181
	182	const char *username;
	183	struct passwd *pw;
	184	int r;
	185
	186	assert(handle);
	187	assert(ret_username);
	188	assert(ret_pw);
	189
	190	if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) {
	191	pam_syslog(handle, LOG_ERR, "Failed to get user name.");
	192	return r;
	193	}
	194
	195	if (!username \|\| !*username) {
	196	pam_syslog(handle, LOG_ERR, "User name not valid.");
	197	return PAM_AUTH_ERR;
	198	}
	199
	200	if (!(pw = pam_modutil_getpwnam(handle, username))) {
	201	pam_syslog(handle, LOG_ERR, "Failed to get user data.");
	202	return PAM_USER_UNKNOWN;
	203	}
	204
	205	*ret_pw = pw;
	206	*ret_username = username;
	207
	208	return PAM_SUCCESS;
	209	}
	210
672c48cc	211	static int create_user_group(pam_handle_t handle, const char group, struct passwd *pw, bool attach, bool remember) {
8c6db833 LP	212	int r;
	213
	214	assert(handle);
	215	assert(group);
	216
	217	if (attach)
c6c18be3	218	r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, group, 0);
8c6db833	219	else
c6c18be3	220	r = cg_create(SYSTEMD_CGROUP_CONTROLLER, group);
8c6db833 LP	221
	222	if (r < 0) {
	223	pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r));
	224	return PAM_SESSION_ERR;
	225	}
	226
672c48cc LP	227	if (r > 0 && remember) {
	228	/* Remember that it was us who created this group, and
	229	* that hence we need to remove it too. This is a
	230	* protection against removing the cgroup when run
	231	* recursively. */
	232	if ((r = pam_set_data(handle, "systemd.created", INT_TO_PTR(1), NULL)) != PAM_SUCCESS) {
	233	pam_syslog(handle, LOG_ERR, "Failed to install created variable.");
	234	return r;
	235	}
	236	}
	237
c6c18be3 LP	238	if ((r = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0 \|\|
c6c18be3 LP	239	(r = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, group, 0755, pw->pw_uid, pw->pw_gid)) < 0) {
8c6db833 LP	240	pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r));
	241	return PAM_SESSION_ERR;
	242	}
	243
	244	return PAM_SUCCESS;
	245	}
	246
	247	_public_ PAM_EXTERN int pam_sm_open_session(
	248	pam_handle_t *handle,
	249	int flags,
	250	int argc, const char **argv) {
	251
	252	const char *username = NULL;
	253	struct passwd *pw;
	254	int r;
	255	char *buf = NULL;
	256	int lock_fd = -1;
	257	bool create_session = true;
	258
	259	assert(handle);
	260
672c48cc	261	/* pam_syslog(handle, LOG_DEBUG, "pam-systemd initializing"); */
8c6db833 LP	262
	263	if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0)
	264	return PAM_SESSION_ERR;
	265
	266	/* Make this a NOP on non-systemd systems */
	267	if (sd_booted() <= 0)
	268	return PAM_SUCCESS;
	269
8c6db833 LP	270	if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
	271	goto finish;
	272
	273	if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) {
	274	pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m");
	275	r = PAM_SYSTEM_ERR;
	276	goto finish;
	277	}
	278
	279	if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
	280	pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
	281	r = PAM_SYSTEM_ERR;
	282	goto finish;
	283	}
	284
	285	/* Create /var/run/$USER */
	286	free(buf);
	287	if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) {
	288	r = PAM_BUF_ERR;
	289	goto finish;
	290	}
	291
	292	if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) {
	293	pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m");
	294	r = PAM_SYSTEM_ERR;
	295	goto finish;
	296	} else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) {
	297	pam_syslog(handle, LOG_ERR, "Failed to set runtime dir.");
	298	goto finish;
	299	}
	300
	301	free(buf);
	302	buf = NULL;
	303
	304	if (create_session) {
a838e6a1	305	const char *id;
8c6db833 LP	306
8c6db833 LP	307	/* Reuse or create XDG session ID */
a838e6a1	308	if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
2e225d65	309	int mode;
a838e6a1	310
2e225d65	311	if (asprintf(&buf, "%llux", (unsigned long long) get_session_id(&mode)) < 0) {
8c6db833 LP	312	r = PAM_BUF_ERR;
	313	goto finish;
	314	}
	315
2e225d65 LP	316	/* To avoid id clashes we add the session id
	317	* source to our session ids. Note that the
	318	* session id source might change during
	319	* runtime, because a filesystem became
	320	* writable or the system reconfigured. */
	321	buf[strlen(buf)-1] =
	322	mode != SESSION_ID_AUDIT ? (char) mode : 0;
	323
a838e6a1 LP	324	if ((r = pam_misc_setenv(handle, "XDG_SESSION_ID", buf, 0)) != PAM_SUCCESS) {
a838e6a1 LP	325	pam_syslog(handle, LOG_ERR, "Failed to set session id.");
8c6db833 LP	326	goto finish;
	327	}
	328
a838e6a1 LP	329	if (!(id = pam_getenv(handle, "XDG_SESSION_ID"))) {
a838e6a1 LP	330	pam_syslog(handle, LOG_ERR, "Failed to get session id.");
8c6db833 LP	331	r = PAM_SESSION_ERR;
	332	goto finish;
	333	}
	334	}
	335
a838e6a1	336	r = asprintf(&buf, "/user/%s/%s", username, id);
8c6db833 LP	337	} else
	338	r = asprintf(&buf, "/user/%s/no-session", username);
	339
	340	if (r < 0) {
	341	r = PAM_BUF_ERR;
	342	goto finish;
	343	}
	344
672c48cc LP	345	pam_syslog(handle, LOG_INFO, "Moving new user session for %s into control group %s.", username, buf);
	346
	347	if ((r = create_user_group(handle, buf, pw, true, true)) != PAM_SUCCESS)
8c6db833 LP	348	goto finish;
	349
	350	r = PAM_SUCCESS;
	351
	352	finish:
	353	free(buf);
	354
	355	if (lock_fd >= 0)
	356	close_nointr_nofail(lock_fd);
	357
	358	return r;
	359	}
	360
	361	static int session_remains(pam_handle_t handle, const char user_path) {
35d2e7ec	362	int r;
8c6db833	363	bool remains = false;
35d2e7ec LP	364	DIR *d;
35d2e7ec LP	365	char *subgroup;
8c6db833	366
35d2e7ec LP	367	if ((r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, user_path, &d)) < 0)
35d2e7ec LP	368	return r;
8c6db833	369
35d2e7ec	370	while ((r = cg_read_subgroup(d, &subgroup)) > 0) {
8c6db833	371
35d2e7ec LP	372	remains = !streq(subgroup, "no-session");
35d2e7ec LP	373	free(subgroup);
8c6db833	374
35d2e7ec LP	375	if (remains)
35d2e7ec LP	376	break;
8c6db833 LP	377	}
8c6db833 LP	378
35d2e7ec	379	closedir(d);
8c6db833	380
35d2e7ec LP	381	if (r < 0)
35d2e7ec LP	382	return r;
8c6db833	383
35d2e7ec	384	return !!remains;
8c6db833 LP	385	}
	386
	387	_public_ PAM_EXTERN int pam_sm_close_session(
	388	pam_handle_t *handle,
	389	int flags,
	390	int argc, const char **argv) {
	391
	392	const char *username = NULL;
	393	bool kill_session = false;
	394	bool kill_user = false;
	395	int lock_fd = -1, r;
	396	char session_path = NULL, nosession_path = NULL, *user_path = NULL;
a838e6a1	397	const char *id;
8c6db833	398	struct passwd *pw;
672c48cc	399	const void *created = NULL;
8c6db833 LP	400
	401	assert(handle);
	402
	403	if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0)
	404	return PAM_SESSION_ERR;
	405
	406	/* Make this a NOP on non-systemd systems */
	407	if (sd_booted() <= 0)
	408	return PAM_SUCCESS;
	409
	410	if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
	411	goto finish;
	412
	413	if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) {
	414	pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m");
	415	r = PAM_SYSTEM_ERR;
	416	goto finish;
	417	}
	418
35d2e7ec LP	419	/* We are probably still in some session/no-session dir. Move ourselves out of the way as first step */
	420	if ((r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, "/user", 0)) < 0)
	421	pam_syslog(handle, LOG_ERR, "Failed to move us away: %s", strerror(-r));
	422
8c6db833 LP	423	if (asprintf(&user_path, "/user/%s", username) < 0) {
	424	r = PAM_BUF_ERR;
	425	goto finish;
	426	}
	427
672c48cc LP	428	pam_get_data(handle, "systemd.created", &created);
	429
	430	if ((id = pam_getenv(handle, "XDG_SESSION_ID")) && created) {
8c6db833	431
a838e6a1	432	if (asprintf(&session_path, "/user/%s/%s", username, id) < 0 \|\|
8c6db833 LP	433	asprintf(&nosession_path, "/user/%s/no-session", username) < 0) {
	434	r = PAM_BUF_ERR;
	435	goto finish;
	436	}
	437
	438	if (kill_session) {
672c48cc LP	439	pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
672c48cc LP	440
35d2e7ec LP	441	/* Kill processes in session cgroup, and delete it */
35d2e7ec LP	442	if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, session_path, true)) < 0)
8c6db833	443	pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r));
35d2e7ec	444	} else {
672c48cc LP	445	pam_syslog(handle, LOG_INFO, "Moving remaining processes of user session %s of %s into control group %s.", id, username, nosession_path);
672c48cc LP	446
8c6db833 LP	447	/* Migrate processes from session to
	448	* no-session cgroup. First, try to create the
	449	* no-session group in case it doesn't exist
35d2e7ec	450	* yet. Also, delete the session group. */
672c48cc	451	create_user_group(handle, nosession_path, pw, false, false);
8c6db833	452
35d2e7ec	453	if ((r = cg_migrate_recursive(SYSTEMD_CGROUP_CONTROLLER, session_path, nosession_path, false, true)) < 0)
8c6db833 LP	454	pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r));
8c6db833 LP	455	}
8c6db833 LP	456	}
	457
	458	/* GC user tree */
c6c18be3	459	cg_trim(SYSTEMD_CGROUP_CONTROLLER, user_path, false);
8c6db833 LP	460
	461	if ((r = session_remains(handle, user_path)) < 0)
	462	pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
	463
	464	/* Kill user processes not attached to any session */
	465	if (kill_user && r == 0) {
	466
	467	/* Kill no-session cgroup */
35d2e7ec	468	if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
8c6db833 LP	469	pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r));
	470	} else {
	471
c6c18be3	472	if ((r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
8c6db833 LP	473	pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r));
8c6db833 LP	474
35d2e7ec LP	475	/* Remove user cgroup */
	476	if (r > 0) {
	477	if ((r = cg_delete(SYSTEMD_CGROUP_CONTROLLER, user_path)) < 0)
	478	pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r));
	479
	480	/* If we managed to find somebody, don't cleanup the cgroup. */
	481	} else if (r == 0)
8c6db833 LP	482	r = -EBUSY;
	483	}
	484
	485	if (r >= 0) {
	486	const char *runtime_dir;
	487
8c6db833 LP	488	if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR")))
	489	if ((r = rm_rf(runtime_dir, false, true)) < 0)
	490	pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r));
	491	}
	492
672c48cc LP	493	/* pam_syslog(handle, LOG_DEBUG, "pam-systemd done"); */
672c48cc LP	494
8c6db833 LP	495	r = PAM_SUCCESS;
	496
	497	finish:
	498	if (lock_fd >= 0)
	499	close_nointr_nofail(lock_fd);
	500
	501	free(session_path);
	502	free(nosession_path);
	503	free(user_path);
	504
	505	return r;
	506	}