[systemd-devel] pam: Don't use loginuid [was: Re: Fix PAM module to not clobber XDG_RUNTIME_DIR with su]
Colin Walters
walters at verbum.org
Tue Nov 19 10:13:17 PST 2013
On Tue, 2013-11-19 at 18:15 +0100, Martin Pitt wrote:
> For the record, I much prefer something like this to my original patch
> which simply unsets it. I just shied away from that as Lennart
> repeatedly said on the RHBZ bug that he doesn't want su to behave that
> way.
This is a complex discussion because there are many different cases. As
I mentioned before, I care primarily about the login as non-root, run
pkexec to get a root shell case. And only a shell - no $DISPLAY, no
pulseaudio.
What Lennart was more referring to in the RHBZ was the people asking for
more than that out of "su", like $DISPLAY proxying. But from the
PolicyKit side, we're trying hard to move people away from that.
Then there's the case of going root -> non-root. The below patch
doesn't affect that.
And these can all be combined, e.g. you can go non-root -> root ->
different non-root. That's actually not that crazy; login as your user,
become root, then "sudo -u mysql" to admin the database.
> I disagree, but his word counts more than mine in this situation,
> so I at least want to stop sessions using the wrong runtime dir.
Right.
> If logind would actually give you the session data for the uid you
> call it for, instead of only looking at the seat/logind session data,
> that would indeed be more useful/correct in my opinion. Doing
> "~user$ su - otheruser" or "ssh otheruser@localhost" should effectively behave
> the same, but right now logind gives you the session info for ~user in
> the first, and for ~otheruser in the second case.
The tricky thing is it's not just about the data - it's the *lifecycle*
of that data. If we hand out an XDG_RUNTIME_DIR, we need to ensure it
isn't garbage collected by logind.
This new patch is a laser-targeted fix for what I consider the #1 most
important case of non-root gdm -> pkexec/sudo. We solve the lifecycle
issue for /run/user/0 in a simple way - it just always exists now via
tmpfiles.d. Something else in systemd is creating that currently
anyways.
Solving some of the other cases would be tricky; we'd have to make them
be at least partial sessions to ensure that the XDG_RUNTIME_DIR for
their uid stays around.
We could do this on the systemd side with explicit "child" sessions or
so, but that's a high degree of complexity that I'm not sure is
warranted right now. Perhaps the real fix would just be a special
kernel automount-type setup where, when a process of uid N
reads /run/userdir, it is a symlink to /run/user/N which is automatically
mounted as a tmpfs.
Anyways, new tested patch attached. Lennart, any objections?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-login-Use-correct-XDG_RUNTIME_DIR-for-uid-0-with-pke.patch
Type: text/x-patch
Size: 4927 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20131119/63c39644/attachment-0001.bin>
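The "wrong runtime dir" problem discussed above (a shell reached via su/sudo/pkexec inheriting the original user's XDG_RUNTIME_DIR) can be caught from the target user's side by checking that the directory is actually owned by the current uid and is private. The snippet below is an added example written for this page, not the patch from the thread or any systemd code; it assumes GNU stat (`-c`) and that a profile-style snippet is an acceptable place to drop an inherited, foreign runtime dir.

```shell
#!/bin/sh
# Added example (not from the thread or systemd): sanity-check a candidate
# XDG_RUNTIME_DIR for the uid the shell is running as.
# Prints one of: ok, unset, missing, wrong-owner, bad-mode.
# Returns 0 only for "ok".
check_runtime_dir() {
    dir="$1"   # candidate XDG_RUNTIME_DIR value (may be empty)
    uid="$2"   # numeric uid the shell runs as

    [ -n "$dir" ] || { echo "unset"; return 1; }
    [ -d "$dir" ] || { echo "missing"; return 1; }

    # GNU stat: %u = owner uid, %a = permission bits in octal.
    owner=$(stat -c %u "$dir" 2>/dev/null) || { echo "missing"; return 1; }
    mode=$(stat -c %a "$dir" 2>/dev/null)  || { echo "missing"; return 1; }

    # A runtime dir inherited across su/sudo/pkexec belongs to the *old* uid.
    if [ "$owner" != "$uid" ]; then echo "wrong-owner"; return 1; fi
    # logind creates /run/user/N as 0700; anything looser is not a private dir.
    if [ "$mode" != "700" ]; then echo "bad-mode"; return 1; fi

    echo "ok"
    return 0
}

# Assumed usage in a profile snippet: drop an inherited dir that is not ours
# rather than let clients (pulseaudio, dbus, ...) try to use another uid's dir.
if [ -n "${XDG_RUNTIME_DIR:-}" ] && ! check_runtime_dir "$XDG_RUNTIME_DIR" "$(id -u)" >/dev/null; then
    unset XDG_RUNTIME_DIR
fi
```

Unsetting the variable is the conservative choice: it matches the "simply unsets it" behaviour Martin mentions, and avoids pointing the new uid's clients at a directory that logind may garbage-collect when the original session ends.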