From 4c2a2e89d444d8bdcedf6c8b017e4e4310289e2b Mon Sep 17 00:00:00 2001
From: Aleksei Bavshin
Date: Sun, 20 Sep 2020 17:24:57 -0700
Subject: [PATCH] Use additional pam service config for greeter

Check the existence and attempt to use `greetd-greeter` pam service file for greeter sessions. The fallback is a standard greetd pam service, i.e. `greetd` or `login`.

Rationale: proper configurations for different session types can vary in acceptable modules. Certain modules like `pam_selinux` are actually harmful for an unprivileged greeter session as it removes the SELinux security label from the greeter processes.
---
 greetd/src/context.rs | 9 +++++++--
 greetd/src/server.rs | 7 +++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/greetd/src/context.rs b/greetd/src/context.rs
index 0299ea8..42067dc 100644
--- a/greetd/src/context.rs
+++ b/greetd/src/context.rs
@@ -37,6 +37,7 @@ pub struct Context {
 inner: RwLock,
 greeter_bin: String,
 greeter_user: String,
+ greeter_service: String,
 pam_service: String,
 term_mode: TerminalMode,
 }
@@ -45,6 +46,7 @@ impl Context {
 pub fn new(
 greeter_bin: String,
 greeter_user: String,
+ greeter_service: String,
 pam_service: String,
 term_mode: TerminalMode,
 ) -> Context {
@@ -56,6 +58,7 @@ impl Context {
 }),
 greeter_bin,
 greeter_user,
+ greeter_service,
 pam_service,
 term_mode,
 }
@@ -68,11 +71,12 @@ impl Context {
 &self,
 class: &str,
 user: &str,
+ service: &str,
 cmd: Vec,
 ) -> Result {
 let mut scheduled_session = Session::new_external()?;
 scheduled_session
- .initiate(&self.pam_service, class, user, false, &self.term_mode)
+ .initiate(&service, class, user, false, &self.term_mode)
 .await?;
 loop {
 match scheduled_session.get_state().await {
@@ -93,6 +97,7 @@ impl Context {
 self.start_unauthenticated_session(
 "greeter",
 &self.greeter_user,
+ &self.greeter_service,
 vec![self.greeter_bin.to_string()],
 )
 .await
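Review bot: The new `.initiate(&service, class, user, false, &self.term_mode)` line borrows `service` again even though the parameter is already `&str`, which produces `&&str`; the old code needed `&self.pam_service` because that field is an owned `String`, but here the extra borrow is noise (clippy's `needless_borrow` would flag it if `initiate` takes `&str`), so write `.initiate(service, class, user, false, &self.term_mode)`. The new `service` parameter is also the one knob that decides which PAM stack an unauthenticated session runs under, and the function signature gains no documentation for it; a doc line such as `/// `service` is the PAM service name the session is initiated under (e.g. `greetd` for user sessions, `greetd-greeter` for the greeter).` would record that responsibility where the next caller sees it. start_unauthenticated_session starts and ends outside this hunk.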
@@ -128,7 +133,7 @@ impl Context {
 let mut inner = self.inner.write().await;
 inner.current = Some(SessionChildSet {
 child: self
- .start_unauthenticated_session("user", user, cmd)
+ .start_unauthenticated_session("user", user, &self.pam_service, cmd)
 .await?,
 time: Instant::now(),
 is_greeter: false,
diff --git a/greetd/src/server.rs b/greetd/src/server.rs
index e734eea..45e9a0d 100644
--- a/greetd/src/server.rs
+++ b/greetd/src/server.rs
@@ -197,6 +197,12 @@ pub async fn main(config: Config) -> Result<(), Error> {
 return Err("PAM 'greetd' service missing".into());
 };
 
+ let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() {
+ "greetd-greeter"
+ } else {
+ service
+ };
+
 let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!(
 "configured default session user '{}' not found",
 &config.file.default_session.user
@@ -212,6 +218,7 @@ pub async fn main(config: Config) -> Result<(), Error> {
 let ctx = Rc::new(Context::new(
 config.file.default_session.command,
 config.file.default_session.user,
+ greeter_service.to_string(),
 service.to_string(),
 term_mode.clone(),
 ));
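Review bot: The selection on the new `let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() { ... } else { service };` lines is silent, so an operator cannot tell from the daemon's output whether the greeter was started under `greetd-greeter` or fell back to `service` — and per the commit message the fallback is exactly the stack that may apply modules like `pam_selinux` to the greeter. A single log line after the `if`/`else` naming the chosen service (the file's logging facility is not visible in this hunk, so I can't quote the exact macro) would make the fallback observable without changing behaviour, e.g. a message of the form "using PAM service '<name>' for greeter". The existence test also only consults `/etc/pam.d`; on distributions that ship PAM service files in a vendor directory the file would never be found and the fallback would be taken silently, which is worth a comment on the `if` line if that limitation is intended. main() starts and ends outside this hunk.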