[systemd-devel] pam: Don't use loginuid [was: Re: Fix PAM module to not clobber XDG_RUNTIME_DIR with su]

Colin Walters walters at verbum.org
Tue Nov 19 10:13:17 PST 2013


On Tue, 2013-11-19 at 18:15 +0100, Martin Pitt wrote:

> For the record, I much prefer something like this to my original patch
> which simply unsets it. I just shied away from that as Lennart
> repeatedly said on the RHBZ bug that he doesn't want su behave that
> way. 

This is a complex discussion because there are many different cases.  As
I mentioned before, I care primarily about the login as non-root, run
pkexec to get a root shell case.  And only a shell - no $DISPLAY, no
pulseaudio.

What Lennart was more referring to in the RHBZ was the people asking for
more than that out of "su", like $DISPLAY proxying.  But from the
PolicyKit side, we're trying hard to move people away from that.

Then there's the case of going root -> non-root.  The below patch
doesn't affect that.

And these can all be combined, e.g. you can go non-root -> root ->
different non-root.  That's actually not that crazy; login as your user,
become root, then "sudo -u mysql" to admin the database.

> I disagree, but his word counts more than mine in this situation,
> so I at least want to stop sessions using the wrong runtime dir.

Right.

> If logind would actually give you the session data for the uid you
> call it for, instead of only looking at the seat/logind session data,
> that would indeed be more useful/correct in my opinion. Doing 
> "~user$ su - otheruser" or "ssh otheruser@localhost" should effectively behave
> the same, but right now logind gives you the session info for ~user in
> the first, and for ~otheruser in the second case.

The tricky thing is it's not just about the data - it's the *lifecycle*
of that data.  If we hand out an XDG_RUNTIME_DIR, we need to ensure it
isn't garbage collected by logind.

This new patch is a laser-targeted fix for what I consider the #1 most
important case of non-root gdm -> pkexec/sudo.  We solve the lifecycle
issue for /run/user/0 in a simple way - it just always exists now via
tmpfiles.d.  Something else in systemd is creating that currently
anyways.

Solving some of the other cases would be tricky; we'd have to make them
be at least partial sessions to ensure that the XDG_RUNTIME_DIR for
their uid stays around.

We could do this on the systemd side with explicit "child" sessions or
so, but that's a high degree of complexity that I'm not sure is
warranted right now.  Perhaps the real fix would just be for a special
kernel automount type setup where a process of uid N
reads /run/userdir it is a symlink to /run/user/N which is automatically
mounted as a tmpfs.

Anyways, new tested patch attached.  Lennart, any objections?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-login-Use-correct-XDG_RUNTIME_DIR-for-uid-0-with-pke.patch
Type: text/x-patch
Size: 4927 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20131119/63c39644/attachment-0001.bin>
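The "wrong runtime dir" problem the thread is about (a process that changed uid via su, pkexec or sudo still carries the caller's XDG_RUNTIME_DIR in its environment) can be made concrete with a small ownership check. The block below is an added example written for this page; it is not the attached patch, which is not reproduced here, nor code from systemd's PAM module or from logind. The `stat_fn` hook and the `CONSTRUCTED_FS` table are assumptions introduced so the check runs offline on constructed data; in real use the default `os.stat` is what you would call.

```python
"""Decide whether an inherited XDG_RUNTIME_DIR may be used by the current uid.

A runtime directory is only safe to reuse when it is a real directory, owned by
the uid that is about to use it, and closed to group/other (mode 0700).  Anything
else is dropped, which matches the "just unset it" fallback discussed above.
"""
import os
import stat
from collections import namedtuple
from typing import Callable, Dict, Optional

# Stand-in for os.stat_result carrying only the two fields the check needs
# (constructed for this example so no real filesystem is touched).
FakeStat = namedtuple("FakeStat", ["st_uid", "st_mode"])


def runtime_dir_is_safe(path: str, uid: int, stat_fn: Callable = os.stat) -> bool:
    """Return True only if 'path' is a directory owned by 'uid' with mode 0700."""
    try:
        st = stat_fn(path)
    except OSError:
        # Missing directory: the session that created it may already have been
        # garbage-collected by logind, so it must not be trusted.
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        # Inherited from a different user (e.g. user 1000 -> pkexec root).
        return False
    if stat.S_IMODE(st.st_mode) & 0o077:
        # Group/other bits set: another uid could read or plant session data.
        return False
    return True


def effective_runtime_dir(env: Dict[str, str], uid: int,
                          stat_fn: Callable = os.stat) -> Optional[str]:
    """Keep XDG_RUNTIME_DIR from 'env' only if it belongs to 'uid'; else None."""
    path = env.get("XDG_RUNTIME_DIR")
    if not path:
        return None
    return path if runtime_dir_is_safe(path, uid, stat_fn) else None


# Constructed filesystem state: two logged-in users plus root's always-present
# /run/user/0.  The mode on /run/user/1001 is deliberately too permissive.
CONSTRUCTED_FS = {
    "/run/user/1000": FakeStat(1000, stat.S_IFDIR | 0o700),
    "/run/user/0": FakeStat(0, stat.S_IFDIR | 0o700),
    "/run/user/1001": FakeStat(1001, stat.S_IFDIR | 0o755),
}


def fake_stat(path: str) -> FakeStat:
    """Hypothetical stat over CONSTRUCTED_FS; raises like os.stat on a miss."""
    try:
        return CONSTRUCTED_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    # Login as uid 1000, then pkexec to root: the inherited dir is 1000's.
    after_pkexec = {"XDG_RUNTIME_DIR": "/run/user/1000"}
    print("root after pkexec:", effective_runtime_dir(after_pkexec, 0, fake_stat))
    print("root with own dir: ",
          effective_runtime_dir({"XDG_RUNTIME_DIR": "/run/user/0"}, 0, fake_stat))
```

The check is deliberately independent of how the directory came to exist (logind session, tmpfiles.d entry, or the automount idea floated above); it only answers whether the value already in the environment is one this uid may safely use.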

