<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - logind sessions don't follow nested audit sessions"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=65409">65409</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>logind sessions don't follow nested audit sessions
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>marius.vollmer@redhat.com
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr></table>
      <p>
        <div>
        <pre>My understanding is that XDG_SESSION_ID and /proc/self/sessionid should be the
same, if possible.  This isn't true when a new audit session is started with
pam_loginuid from within an already existing logind session.

To reproduce, run sshd explicitly from a session and then connect to it:

  $ ssh root@f18
  # cat /proc/self/sessionid; echo
  4
  # echo $XDG_SESSION_ID
  4
  # firewall-cmd --add-port 2222/tcp      (if needed)
  # /sbin/sshd -D -p 2222

Then from somewhere else:

  $ ssh -p 2222 root@f18
  # cat /proc/self/sessionid; echo
  5                                       (as expected)
  # echo $XDG_SESSION_ID
  4

Logging in via ssh on port 2222 has created a new audit session, as expected,
but systemd-logind doesn't create a new session for it since sshd is already
part of a session.

I think this should be made consistent, by having systemd-logind only reuse
existing sessions when they match /proc/self/sessionid.


Here is a hackish patch that implements this idea:

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index aa212d1..3632555 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -307,6 +307,13 @@ static int bus_manager_append_preparing(DBusMessageIter
*i, const char *property
         return 0;
 }

+static int session_has_id (Session *session, uint32_t id)
+{
+        char *end;
+        uint32_t sid = strtoul (session->id, &end, 10);
+        return sid == id && *end == '\0';
+}
+
 static int bus_manager_create_session(Manager *m, DBusMessage *message,
DBusMessage **_reply) {
         const char *type, *class, *cseat, *tty, *display, *remote_user,
*remote_host, *service;
         uint32_t uid, leader, audit_id = 0;
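Review bot: session_has_id() accepts more than a plain decimal id. strtoul()
skips leading whitespace and accepts a sign, and the unsigned long result is
silently truncated to uint32_t, so a session->id of " 5" or "+5" would match
audit id 5 and an out-of-range value could alias a small id. Non-audit ids
such as "c1" do fail the *end == '\0' test and never match, which is the
intended behaviour but deserves a comment. Prefer systemd's safe_atou()
helper (or at least require isdigit() on the first character and check errno
after strtoul()), and drop the space before the parenthesis in both the
definition and the call to match the surrounding style.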
@@ -493,7 +500,10 @@ static int bus_manager_create_session(Manager *m,
DBusMessage *message, DBusMess
         if (r < 0)
                 goto fail;

-        if (session) {
+        audit_session_from_pid(leader, &audit_id);
+
+        if (session &&
+            (audit_id == 0 || session_has_id (session, audit_id))) {
                 fifo_fd = session_create_fifo(session);
                 if (fifo_fd < 0) {
                         r = fifo_fd;
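Review bot: The return value of audit_session_from_pid() is ignored, so a
read failure leaves audit_id at 0 and the leader silently falls back to
reusing the existing session, which is exactly the behaviour this bug is
about; at least log_debug() the failure so a regression can be diagnosed.
The audit_id == 0 fallback also means the fix only takes effect when
auditing is enabled and pam_loginuid has actually run, which should be
stated in the commit message. Finally, when the new condition declines to
reuse `session`, the leader is still the pid that the lookup just above this
hunk found in that session's cgroup; confirm that creating a second session
for it, and the later lookups by pid, cope with one process being tracked by
two sessions.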
@@ -541,7 +551,6 @@ static int bus_manager_create_session(Manager *m,
DBusMessage *message, DBusMess
                 return 0;
         }

-        audit_session_from_pid(leader, &audit_id);
         if (audit_id > 0) {
                 /* Keep our session IDs and the audit session IDs in sync */</pre>
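<p>Review bot: Removing the second call is correct now that audit_id is filled in before the reuse check, but the comment that follows, "Keep our session IDs and the audit session IDs in sync", now also covers the case where an existing session was deliberately not reused because its id differs from the leader's audit session. Extend that comment (or the commit message, which this patch lacks) to say so; otherwise a reader of the sync code will assume a pid only reaches it when it belongs to no session at all.</p>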
        </div>
      </p>
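<p>As an added example (not code from the bug report or from systemd), here is the reuse decision the patch proposes, written stand-alone with a strict id parser so it can be exercised with the inputs a reviewer would try (non-audit ids such as "c1", leading whitespace, a sign, overflow), together with the manual check from the report: read /proc/self/sessionid and compare it with XDG_SESSION_ID. The helper names parse_session_id(), should_reuse_session() and read_own_audit_session() are hypothetical; the sentinel 4294967295 is what the kernel writes to /proc/self/sessionid for a task that has no audit session.</p>

```c
/* Added example, not part of the bug report or of systemd. Stand-alone
 * version of "reuse the existing logind session only if its id equals the
 * leader's audit session id", plus the manual check from the report.
 * Function names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value the kernel reports in /proc/self/sessionid when no audit session
 * has been started for the task ((unsigned)-1). */
#define AUDIT_SESSION_INVALID 0xFFFFFFFFu

/* Strictly parse a logind session id as an unsigned 32-bit decimal number.
 * Returns 0 and stores the value on success, -EINVAL if the string is not
 * exactly a plain decimal number (logind also hands out non-audit ids such
 * as "c1", which must never compare equal to an audit id), -ERANGE if the
 * value does not fit in 32 bits. Unlike a bare strtoul() this rejects
 * leading whitespace and sign characters. */
int parse_session_id(const char *s, uint32_t *out) {
        if (!s || !*s || !isdigit((unsigned char) *s))
                return -EINVAL;
        errno = 0;
        char *end;
        unsigned long v = strtoul(s, &end, 10);
        if (errno == ERANGE || v > UINT32_MAX)
                return -ERANGE;
        if (*end != '\0')
                return -EINVAL;
        *out = (uint32_t) v;
        return 0;
}

/* 1 if the existing logind session `session_id` may be reused for a leader
 * whose audit session id is `audit_id`, 0 if a fresh logind session should
 * be created. audit_id == 0 means the leader has no usable audit session
 * (audit disabled, or the lookup failed) and keeps the pre-patch behaviour
 * of reusing whatever session the pid is already in. */
int should_reuse_session(const char *session_id, uint32_t audit_id) {
        uint32_t sid;
        if (audit_id == 0)
                return 1;
        if (parse_session_id(session_id, &sid) < 0)
                return 0;
        return sid == audit_id;
}

/* Read this task's audit session id from /proc/self/sessionid. Returns 0
 * when it is unset or unreadable, mirroring how the patch treats
 * "no audit session". */
uint32_t read_own_audit_session(void) {
        FILE *f = fopen("/proc/self/sessionid", "r");
        if (!f)
                return 0;
        unsigned long v = 0;
        int n = fscanf(f, "%lu", &v);
        fclose(f);
        if (n != 1 || v == AUDIT_SESSION_INVALID || v > UINT32_MAX)
                return 0;
        return (uint32_t) v;
}

/* The check the reporter did by hand: compare the inherited logind session
 * (XDG_SESSION_ID) with the audit session the kernel tracks for this task. */
int main(void) {
        uint32_t audit = read_own_audit_session();
        const char *xdg = getenv("XDG_SESSION_ID");

        printf("audit session:  %" PRIu32 "\n", audit);
        printf("XDG_SESSION_ID: %s\n", xdg ? xdg : "(unset)");

        if (audit == 0 || !xdg) {
                puts("no audit session or no logind session: nothing to compare");
                return 0;
        }
        if (should_reuse_session(xdg, audit))
                puts("consistent: logind session matches audit session");
        else
                printf("MISMATCH: logind session %s but audit session %" PRIu32
                       " (nested audit session, as in the report)\n", xdg, audit);
        return 0;
}
```

<p>Build with <code>cc -o sessioncheck sessioncheck.c</code> and run it once from an ordinary login and once from an ssh login that went through a nested sshd as in the report; the second run reports the mismatch between the inherited XDG_SESSION_ID and the fresh audit session. should_reuse_session("4", 5) is the situation from the report and returns 0, i.e. a new logind session would be created, while should_reuse_session("4", 0) keeps the old behaviour because no audit session is available.</p>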
    </body>
</html>