[systemd-devel] Running pam-enabled /bin/login sessions in unprivileged terminal emulators

nerdopolis bluescreen_avenger at verizon.net
Fri May 28 02:25:41 UTC 2021


On Thursday, May 27, 2021 11:33:35 AM EDT Lennart Poettering wrote:
> On Sa, 22.05.21 13:50, Pekka Paalanen (ppaalanen at gmail.com) wrote:
> 
> > All in all, this stack would replace the usual stack where
> > /bin/login runs directly on the TTY of a VT, allowing to use a more
> > featureful terminal, custom display modes, multi-output support,
> > maybe multiple parallel sessions for different users a la fast user
> > switching, and more.
> 
> When you say /bin/login do you actually intend to say "getty"? what is
> /bin/login good for here? it's a stub that expects you already give it
> a user and it then only asks for a pw. It's the second part of a getty
> pretty much.
> 
> We have multiple services that you can instantiate on ttys, for
> example getty@.service (for true VTs), serial-getty@.service (for
> serial ports), container-getty.service (for /dev/console),
> container-getty@.service (for gettys on pseudo TTYs, pretty much).
> 
> It appears to me that the right approach for your case is to do what
> container-getty@.service effectively does and instantiate an
> appropriate instance of a template service modelled after it for the
> "other" side of the pty your terminal app allocates.
> 
> Instantiating <yourapp>-getty@.service requires privs, but you can use
> polkit to grant that to your terminal app's user. The polkit auth
> request carries the unit name as additional metadata, hence that
> should be pretty easily done with some minimal polkit JS.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin
> 
I guess I meant to say getty, but getty ends up calling /bin/login after
resetting the terminal and reading /etc/issue anyway. Or at least I thought.

Interesting, I found some simple enough looking samples for granting users the
ability to start one service. Dang, it might not work with Debian's
franken-polkit-0.105 they still have.

I am able to tweak up a test copy of container-getty@.service,
setting TERM to xterm-256color and doing the XDG_SEAT=seat-vtty workaround so
the logged in session has PAM too, and nmtui doesn't do this
    https://i.imgur.com/dt7xAMz.png
so that works.

Something like that is what I was originally looking for, so thanks!
but I will admit, one thing I've come to like about the socat client/server
thing is that if say cage or vte takes a segfault during say an apt-get install,
the running command doesn't die...
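As an added example that is not part of the thread, here is a polkit rule in the shape Lennart describes: systemd's manage-units action carries the unit name and the verb as action details, and the rule lets one unprivileged user start or stop instances of a hypothetical myapp-getty@.service template and nothing else. The user name, unit name and file path are assumptions; the rule needs polkit's JavaScript engine (0.106 or later), which is exactly the catch with Debian's 0.105 mentioned above.

```javascript
// Added example, not from the thread or from systemd/polkit themselves.
// Assumed location: /etc/polkit-1/rules.d/50-myapp-getty.rules
// Written in ES5 so it also loads in polkitd's JavaScript engine.

var ALLOWED_USER = "termuser";                // assumption: the terminal app's user
var ALLOWED_VERBS = ["start", "stop", "restart"];

// Accept only "myapp-getty@<N>.service" where <N> is a pty number, so the
// rule cannot be abused to manage arbitrary units (assumption: the template
// is instantiated with the pts number, as container-getty@ is).
function unitAllowed(unit) {
  if (typeof unit !== "string") return false;
  return /^myapp-getty@(\d{1,4})\.service$/.test(unit);
}

// Pure decision function, kept separate so it can be tested outside polkitd.
// Returns "yes" to allow, or undefined to fall through to later rules and to
// polkit's default for the action (which will prompt for authentication).
function decide(actionId, unit, verb, user) {
  if (actionId !== "org.freedesktop.systemd1.manage-units") return undefined;
  if (user !== ALLOWED_USER) return undefined;
  if (ALLOWED_VERBS.indexOf(verb) === -1) return undefined;
  if (!unitAllowed(unit)) return undefined;
  return "yes";
}

// Hook into polkitd when this file is loaded by it. systemd supplies the
// unit name and the verb as action details; that is the metadata Lennart
// refers to, read here with action.lookup().
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var r = decide(action.id, action.lookup("unit"), action.lookup("verb"),
                   subject.user);
    if (r === "yes") return polkit.Result.YES;
    // returning nothing lets other rules and the implicit authorization decide
  });
}
```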
