Features:
-* introduce a new system credential "shell.prompt.extra" or so that may contain
- a string to include in $PS1. Inherit it down into gettys/logins and suchlike.
- And provide an /etc/profile.d/*.sh drop-in which reads the credential if set,
- and suffixes $PS1. Usecase: for wsl-like environments use this to include
- additional information in prompts that is inherited from the execution
- context. For example include 📦 emoji via this mechanism in the prompt. Or,
- in run0 include a ☢️ emoji in the prompt. Or in mkosi include a 👷 emoji in
- the prompt. You get the idea.
+* maybe set shell.prompt.prefix credential in run0 to some warning emoji,
+ i.e. ⚠️ or ☢️ or ⚡ or 👊 or 🧑🔧 or so.
* introduce new structure Tpm2CombinedPolicy, that combines the various TPm2
policy bits into one structure, i.e. public key info, pcr masks, pcrlock
<xi:include href="version-info.xml" xpointer="v245"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>$SHELL_PROMPT_PREFIX</varname></term>
+ <term><varname>$SHELL_PROMPT_SUFFIX</varname></term>
+ <term><varname>$SHELL_WELCOME</varname></term>
+
+ <listitem><para>These environment variables are initialized from the service credentials
+ <literal>shell.prompt.prefix</literal>, <literal>shell.prompt.suffix</literal> and
+ <literal>shell.welcome</literal> if set. They are passed to the invoked session processes, where they
+ are imported into any shell prompt (specifically <varname>$SHELL_PROMPT_PREFIX</varname> is added as
+ prefix to <varname>$PS1</varname>, and <varname>$SHELL_PROMPT_SUFFIX</varname> as suffix) or printed
+ on screen when a shell first initializes.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
</variablelist>
<para>The following environment variables are read by the module and may be used by the PAM service to pass
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>shell.prompt.prefix</varname></term>
+ <term><varname>shell.prompt.suffix</varname></term>
+ <listitem>
+ <para>Defines strings to prefix and suffix any interactive UNIX shell prompt with. For details see
+ <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>shell.welcome</varname></term>
+ <listitem>
+ <para>Define a string to print when an interactive UNIX shell initializes. For details see
+ <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>system.machine_id</varname></term>
<listitem>
configfiledir = get_option('configfiledir')
if configfiledir == ''
- configfiledir= sysconfdir
+ configfiledir = sysconfdir
endif
pkgconfigfiledir = configfiledir / 'systemd'
libcryptsetup_plugins_dir = libdir / 'cryptsetup'
endif
+shellprofiledir = get_option('shellprofiledir')
+if shellprofiledir == ''
+ shellprofiledir = sysconfdir / 'profile.d'
+endif
+conf.set10('LINK_SHELL_EXTRA_DROPIN', shellprofiledir != 'no' and not shellprofiledir.startswith('/usr/'))
+conf.set('SHELLPROFILEDIR', shellprofiledir, description : 'shell profile directory')
+
memory_accounting_default = get_option('memory-accounting-default')
status_unit_format_default = get_option('status-unit-format-default')
if status_unit_format_default == 'auto'
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
conf.set_quoted('SSHCONFDIR', sshconfdir)
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
+conf.set_quoted('SHELLPROFILEDIR', shellprofiledir)
conf.set_quoted('SYSCONF_DIR', sysconfdir)
conf.set_quoted('SYSCTL_DIR', sysctldir)
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
subdir('modprobe.d')
subdir('network')
subdir('presets')
+subdir('profile.d')
subdir('shell-completion/bash')
subdir('shell-completion/zsh')
subdir('sysctl.d')
'ssh server privilege separation directory' : sshdprivsepdir,
'ssh client configuration directory' : sshconfdir,
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
+ 'Shell profile directory' : shellprofiledir,
'RPM macros directory' : rpmmacrosdir,
'modprobe.d directory' : modprobedir,
'D-Bus policy directory' : dbuspolicydir,
description : 'directory for SSH privilege separation ["no" disables]', value : '/run/sshd')
option('libcryptsetup-plugins-dir', type : 'string',
description : 'directory for libcryptsetup plugins')
+option('shellprofiledir', type : 'string',
+ description : 'directory for Shell profile drop-ins ["no" disables]')
option('docdir', type : 'string',
description : 'documentation directory')
option('install-sysconfdir', type : 'combo', choices : ['true', 'no-samples', 'false'], value : 'true',
--- /dev/null
+# shellcheck shell=sh
+
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# Import the additional shell prompt prefix and suffix strings into $PS1, and
+# show the shell welcome string. These can be provisioned as system or service
+# credentials shell.prompt.prefix, shell.prompt.suffix and shell.welcome, and
+# are propagated into these environment variables by pam_systemd(8).
+
+if [ -n "$SHELL_PROMPT_PREFIX" ]; then
+ PS1="$SHELL_PROMPT_PREFIX$PS1"
+fi
+
+if [ -n "$SHELL_PROMPT_SUFFIX" ]; then
+ PS1="$PS1$SHELL_PROMPT_SUFFIX"
+fi
+
+if [ -n "$SHELL_WELCOME" ]; then
+ printf '%b\n' "$SHELL_WELCOME"
+fi
--- /dev/null
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+install_data('70-systemd-shell-extra.sh', install_dir : shellprofiledir.startswith('/usr/') ? shellprofiledir : libexecdir / 'profile.d')
+
+if conf.get('LINK_SHELL_EXTRA_DROPIN') == 1
+ install_emptydir(shellprofiledir)
+
+ meson.add_install_script(sh, '-c',
+ ln_s.format(libexecdir / 'profile.d' / '70-systemd-shell-extra.sh', shellprofiledir / '70-systemd-shell-extra.sh'))
+endif
#include "cap-list.h"
#include "capability-util.h"
#include "cgroup-setup.h"
+#include "creds-util.h"
#include "devnum-util.h"
#include "errno-util.h"
#include "fd-util.h"
return PAM_SUCCESS;
}
+static int propagate_credential_to_environment(pam_handle_t *handle, const char *credential, const char *varname) {
+ int r;
+
+ assert(handle);
+ assert(credential);
+ assert(varname);
+
+ _cleanup_free_ char *value = NULL;
+
+ /* Read a service credential, and propagate it into an environment variable */
+
+ r = read_credential(credential, (void**) &value, /* ret_size= */ NULL);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to read credential '%s', ignoring: %m", credential);
+ return PAM_SUCCESS;
+ }
+
+ r = pam_misc_setenv(handle, varname, value, 0);
+ if (r != PAM_SUCCESS)
+ return pam_syslog_pam_error(handle, LOG_ERR, r,
+ "Failed to set environment variable %s: @PAMERR@", varname);
+
+ return PAM_SUCCESS;
+}
+
static bool validate_runtime_directory(pam_handle_t *handle, const char *path, uid_t uid) {
struct stat st;
if (r != PAM_SUCCESS)
return r;
+ static const char *const propagate[] = {
+ "shell.prompt.prefix", "SHELL_PROMPT_PREFIX",
+ "shell.prompt.suffix", "SHELL_PROMPT_SUFFIX",
+ "shell.welcome", "SHELL_WELCOME",
+ NULL
+ };
+
+ STRV_FOREACH_PAIR(k, v, propagate) {
+ r = propagate_credential_to_environment(handle, *k, *v);
+ if (r != PAM_SUCCESS)
+ return r;
+ }
+
if (vtnr > 0) {
char buf[DECIMAL_STR_MAX(vtnr)];
sprintf(buf, "%u", vtnr);
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+{% if LINK_SHELL_EXTRA_DROPIN %}
+L {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh
+{% endif %}
['var.conf', ''],
['20-systemd-userdb.conf', 'ENABLE_SSH_USERDB_CONFIG'],
['20-systemd-ssh-generator.conf', 'ENABLE_SSH_PROXY_CONFIG'],
+ ['20-systemd-shell-extra.conf', 'LINK_SHELL_EXTRA_DROPIN'],
]
foreach pair : in_files
ImportCredential=tty.console.login.*:login.
ImportCredential=agetty.*
ImportCredential=login.*
+ImportCredential=shell.*
[Install]
WantedBy=getty.target
ImportCredential=tty.container.%I.login.*:login.
ImportCredential=agetty.*
ImportCredential=login.*
+ImportCredential=shell.*
ImportCredential=tty.virtual.%I.login.*:login.
ImportCredential=agetty.*
ImportCredential=login.*
+ImportCredential=shell.*
# Unset locale for the console getty since the console has problems
# displaying some internationalized messages.
ImportCredential=tty.serial.%I.login.*:login.
ImportCredential=agetty.*
ImportCredential=login.*
+ImportCredential=shell.*
[Install]
WantedBy=getty.target
projects / thirdparty / systemd.git / commitdiff
