[systemd-devel] pam: Don't use loginuid [was: Re: Fix PAM module to not clobber XDG_RUNTIME_DIR with su]

Colin Walters walters at verbum.org
Wed Nov 20 16:32:38 PST 2013


On Thu, 2013-11-21 at 01:20 +0100, Michael Biebl wrote:
> 2013/11/18 Michael Stapelberg <stapelberg at debian.org>:
> > This is a rather pressing issue for us (it breaks GDM logins in some
> > cases), and we’d like to fix it by cherry-picking a patch that was
> > merged upstream.
> 
> "some cases" is very vague.

See:
https://bugzilla.redhat.com/show_bug.cgi?id=753882#c43

Now as Lennart is arguing here, running gedit as root is crack.  But
the problem is greatly exacerbated by systemd leaving XDG_RUNTIME_DIR as
the user, which causes the root-owned process to write to it,
leaving directories owned by root which can't be deleted by the user.

But if say you happen to be logged in via ssh or a getty as well,
that broken dconf directory will persist until you log out everywhere,
and it will break logging in via gdm.

This can happen with just pure "pkexec" and a *non-X11* application
which wants to save transient per-uid state.
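The failure mode described above (a privileged process inheriting the unprivileged user's XDG_RUNTIME_DIR and writing root-owned state into it) can be caught by the consumer of the variable before it writes anything. The following is an added example, not code from this thread or from systemd: it applies the XDG Base Directory requirement that XDG_RUNTIME_DIR be a directory owned by the calling user with mode 0700, and refuses the variable otherwise. Function names (`runtime_dir_is_safe`, `resolve_runtime_dir`, `demo`) and the constructed scenario are assumptions made for illustration.

```python
import os
import stat
import tempfile


def runtime_dir_is_safe(path, uid):
    """Return True only if `path` is a directory owned by `uid` with mode 0700.

    These are the conditions the XDG Base Directory specification places on
    XDG_RUNTIME_DIR. lstat() is used so a symlink is rejected rather than
    followed.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != uid:
        # Inherited from another user's session (e.g. via su or pkexec):
        # writing here would leave files owned by the wrong uid.
        return False
    if stat.S_IMODE(st.st_mode) != 0o700:
        return False
    return True


def resolve_runtime_dir(environ, uid):
    """Return XDG_RUNTIME_DIR from `environ` if it is safe for `uid`, else None.

    None tells the caller to fall back (or skip writing transient state)
    instead of using a directory it does not own.
    """
    path = environ.get("XDG_RUNTIME_DIR")
    if not path:
        return None
    return path if runtime_dir_is_safe(path, uid) else None


def demo():
    """Constructed scenario (hypothetical, for illustration only).

    A runtime directory owned by the current user is first checked by that
    user, then by a process running under a different uid, which stands in
    for root inheriting a non-root user's variable.
    """
    me = os.geteuid()
    other = me + 1  # any uid that does not own the directory
    d = tempfile.mkdtemp(prefix="xdg-demo-")  # mkdtemp creates it with mode 0700
    env = {"XDG_RUNTIME_DIR": d}
    result = {
        "owner_ok": resolve_runtime_dir(env, me) == d,
        "inherited_by_other_uid_refused": resolve_runtime_dir(env, other) is None,
        "unset_refused": resolve_runtime_dir({}, me) is None,
    }
    # Loosen the mode: even the owner must now refuse it.
    os.chmod(d, 0o755)
    result["world_readable_refused"] = resolve_runtime_dir(env, me) is None
    os.chmod(d, 0o700)
    os.rmdir(d)
    return result


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The same check belongs wherever a setuid helper or a privilege-switching tool decides whether to keep the caller's XDG_RUNTIME_DIR; a refused result should lead to unsetting the variable rather than writing through it.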
