[systemd-devel] pam: Don't use loginuid [was: Re: Fix PAM module to not clobber XDG_RUNTIME_DIR with su]

Colin Guthrie gmane at colin.guthr.ie
Tue Nov 26 06:39:49 PST 2013


'Twas brillig, and Dr. Werner Fink at 26/11/13 14:21 did gyre and gimble:
> On Tue, Nov 26, 2013 at 10:41:36AM +0000, Colin Guthrie wrote:
>> 'Twas brillig, and Martin Pitt at 26/11/13 06:19 did gyre and gimble:
>>> Hey Lennart,
>>>
>>> Lennart Poettering [2013-11-26  5:12 +0100]:
>>>> I implemented this now, using a different approach than Martin's
>>>> original patch (i.e. I don't think it is a good idea to involve stat()
>>>> here, instead let's just let logind pass all information to
>>>> pam_systemd).
>>>
>>> Thanks!
>>
>> Indeed, thanks for this!
>>
>> If anyone backports this fix to v208 (i.e. pre sd-bus) please share it
>> here. I'll likely do it just to have the "upstream-blessed" fix, but
>> doubt I'll get around to it until later in the week.
> 
> I've backported it.

Can you link to it or attach it please?

> But during tests I've found that it does not help
> if the environment variable XDG_RUNTIME_DIR already exists before doing
> su.  It will not be unset but exported.

That's expected.

su does not do any env cleaning, su - does, sudo does, pkexec does.

su's behaviour is to always not touch stuff and thus this is known and
expected and has always been a problem.

Longer term we need to solve this more holistically (hence why I've
tried to get information about "how things should be done" in the future
to start helping lay the ground work for these bits), but this is still
the best fix we have just now.

For the specific case of su'ing to root (which is the most common and
potentially problematic one), I will probably use Colin W's most recent
patch to have a static root runtime dir and for logind to set it. This
should fix XDG_RUNTIME_DIR when su'ing to root. I'm not so worried about
su'ing to other users (the damage that can be done is much more
limited), but longer term we do need to address that nicely too IMO
(which will likely need changes in su itself and a number of other places).

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
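
The point made above, that plain "su" leaves the caller's environment (and so the caller's XDG_RUNTIME_DIR) in place while "su -", sudo and pkexec clean it, can be checked from the target side. The following is an added example, not code from the thread or from systemd/pam_systemd: a small bash check that a shell rc file on the su'd-to side can run to detect an inherited XDG_RUNTIME_DIR that does not belong to the current user, and drop it so programs fall back to their defaults rather than writing into another user's runtime directory. It assumes the logind convention that a user's runtime dir is owned by that user; the function names and the ownership test are this example's own choices, not anything from the thread.

```shell
#!/bin/bash
# Added example (not from the thread): detect an XDG_RUNTIME_DIR that was
# inherited across a plain "su" and does not belong to the current user.
# Assumption: a usable runtime dir is a directory owned by the effective uid
# (the logind layout, normally /run/user/<uid>); the path itself is not
# required to match, so the check also works on non-systemd hosts.

# check_runtime_dir [DIR]
# Returns 0 if DIR (default: $XDG_RUNTIME_DIR) is usable by the current
# effective user, 1 otherwise; the reason is written to stderr.
check_runtime_dir() {
    local dir="${1-${XDG_RUNTIME_DIR-}}"
    if [ -z "$dir" ]; then
        echo "XDG_RUNTIME_DIR is unset or empty" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # -O: owned by the effective uid. A dir owned by someone else is the
    # classic symptom of "su" (without "-") carrying the caller's value over.
    if [ ! -O "$dir" ]; then
        echo "$dir: not owned by uid $(id -u) (inherited from the su caller?)" >&2
        return 1
    fi
    return 0
}

# sanitize_runtime_dir
# Unsets XDG_RUNTIME_DIR when it fails the check so that programs use their
# own fallbacks instead of another user's runtime dir. Returns 1 if it had
# to drop the variable, 0 if the variable was fine.
sanitize_runtime_dir() {
    if ! check_runtime_dir; then
        unset XDG_RUNTIME_DIR
        return 1
    fi
    return 0
}

# Typical use from ~/.bashrc or /etc/profile.d on the su'd-to side:
#   sanitize_runtime_dir || echo "dropped stale XDG_RUNTIME_DIR" >&2
```

Note that this only detects the inherited value and stops the session from using it; it does not create a runtime dir for the target user, which remains logind's job (via pam_systemd) and is what the backported fix in this thread addresses.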

