[systemd-bugs] [Bug 65409] New: logind sessions don't follow nested audit sessions

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 5 03:37:21 PDT 2013


https://bugs.freedesktop.org/show_bug.cgi?id=65409

          Priority: medium
            Bug ID: 65409
          Assignee: systemd-bugs at lists.freedesktop.org
           Summary: logind sessions don't follow nested audit sessions
        QA Contact: systemd-bugs at lists.freedesktop.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: marius.vollmer at redhat.com
          Hardware: Other
            Status: NEW
           Version: unspecified
         Component: general
           Product: systemd

My understanding is that XDG_SESSION_ID and /proc/self/sessionid should be the
same, if possible.  This isn't true when a new audit session is started with
pam_loginuid from within an already existing logind session.

To reproduce, run sshd explicitly from a session and then connect to it:

  $ ssh root@f18
  # cat /proc/self/sessionid; echo
  4
  # echo $XDG_SESSION_ID
  4
  # firewall-cmd --add-port 2222/tcp      (if needed)
  # /sbin/sshd -D -p 2222

Then from somewhere else:

  $ ssh -p 2222 root@f18
  # cat /proc/self/sessionid; echo
  5                                       (as expected)
  # echo $XDG_SESSION_ID
  4

Logging in via ssh on port 2222 has created a new audit session, as expected,
but systemd-logind doesn't create a new session for it since sshd is already
part of a session.

I think this should be made consistent, by having systemd-logind only reuse
existing sessions when they match /proc/self/sessionid.


Here is a hackish patch that implements this idea:

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index aa212d1..3632555 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -307,6 +307,13 @@ static int bus_manager_append_preparing(DBusMessageIter
*i, const char *property
         return 0;
 }

+static int session_has_id (Session *session, uint32_t id)
+{
+        char *end;
+        uint32_t sid = strtoul (session->id, &end, 10);
+        return sid == id && *end == '\0';
+}
+
 static int bus_manager_create_session(Manager *m, DBusMessage *message,
DBusMessage **_reply) {
         const char *type, *class, *cseat, *tty, *display, *remote_user,
*remote_host, *service;
         uint32_t uid, leader, audit_id = 0;
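
Review bot: In session_has_id(), the result of strtoul() is stored directly in a uint32_t, so where unsigned long is 64 bits a session->id whose decimal value does not fit in 32 bits is truncated and can compare equal to an unrelated audit id; strtoul() also accepts leading whitespace and a sign. Keep the result in an unsigned long and reject anything above UINT32_MAX, or anything that does not start with a digit, before comparing. The function returns a truth value, so bool would be the clearer return type, and the `session_has_id (` spacing and the opening brace on its own line differ from the neighbouring functions in this file.
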
@@ -493,7 +500,10 @@ static int bus_manager_create_session(Manager *m,
DBusMessage *message, DBusMess
         if (r < 0)
                 goto fail;

-        if (session) {
+        audit_session_from_pid(leader, &audit_id);
+
+        if (session &&
+            (audit_id == 0 || session_has_id (session, audit_id))) {
                 fifo_fd = session_create_fifo(session);
                 if (fifo_fd < 0) {
                         r = fifo_fd;
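
Review bot: The return value of `audit_session_from_pid(leader, &audit_id)` is discarded, so a failed lookup leaves audit_id at its initial 0 and takes the reuse branch through `audit_id == 0` exactly as if the leader had no audit session. Either check the result or add a comment stating that falling back to the existing session on failure is intended. When the new condition is false while session is non-NULL, control continues into the session-creation code below, which was previously reached only with session == NULL; it is worth confirming that nothing after this block relies on that.
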
@@ -541,7 +551,6 @@ static int bus_manager_create_session(Manager *m,
DBusMessage *message, DBusMess
                 return 0;
         }

-        audit_session_from_pid(leader, &audit_id);
         if (audit_id > 0) {
                 /* Keep our session IDs and the audit session IDs in sync */

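
A host-side check for the inconsistency reported above, as an added example that is not part of the original report or of systemd: it compares each process's /proc/<pid>/sessionid with the XDG_SESSION_ID in its environment and lists the processes where the two differ. The function names and the `proc_root` parameter are assumptions of this example; 4294967295 is the value the kernel reports when no audit session is set.

```python
import os

AUDIT_UNSET = 4294967295  # (uint32_t)-1, reported when no audit session is set

def _read(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:  # process exited or insufficient privilege
        return None

def audit_session_id(pid, proc_root="/proc"):
    """Audit session id of pid as int, or None if unset or unreadable."""
    raw = _read(os.path.join(proc_root, str(pid), "sessionid"))
    text = raw.decode("ascii", "replace").strip() if raw is not None else ""
    if not (text.isascii() and text.isdigit()):
        return None
    sid = int(text)
    return None if sid == AUDIT_UNSET else sid

def xdg_session_id(pid, proc_root="/proc"):
    """Value of XDG_SESSION_ID in pid's environment, or None."""
    raw = _read(os.path.join(proc_root, str(pid), "environ")) or b""
    for entry in raw.split(b"\0"):
        if entry.startswith(b"XDG_SESSION_ID="):
            return entry[len(b"XDG_SESSION_ID="):].decode("utf-8", "replace")
    return None

def mismatched(proc_root="/proc"):
    """Return [(pid, audit_id, xdg_id)] where both ids are known and differ."""
    found = []
    for name in os.listdir(proc_root):
        if not (name.isascii() and name.isdigit()):
            continue
        audit_id = audit_session_id(name, proc_root)
        xdg_id = xdg_session_id(name, proc_root)
        if audit_id is None or xdg_id is None:
            continue
        # Exact decimal comparison: logind ids such as "c1" never match.
        if xdg_id != str(audit_id):
            found.append((int(name), audit_id, xdg_id))
    return sorted(found)

if __name__ == "__main__":
    for pid, audit_id, xdg_id in mismatched():
        print(f"pid {pid}: audit session {audit_id}, XDG_SESSION_ID {xdg_id}")
```

Reading another user's environ needs privilege, so run it as root to cover every process; unreadable processes are skipped rather than reported.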