Use additional pam service config for greeter

Check for the existence of the `greetd-greeter` pam service file and, when
present, use it for greeter sessions. The fallback is the standard greetd
pam service, i.e. `greetd` or `login`.

Rationale: proper configurations for different session types can vary in
acceptable modules. Certain modules like `pam_selinux` are actually
harmful for an unprivileged greeter session as it removes the SELinux
security label from the greeter processes.
This commit is contained in:
Aleksei Bavshin
2020-09-20 17:24:57 -07:00
committed by Kenny Levinsen
parent 0d8812c80b
commit 4c2a2e89d4
2 changed files with 14 additions and 2 deletions


@@ -37,6 +37,7 @@ pub struct Context {
inner: RwLock<ContextInner>, inner: RwLock<ContextInner>,
greeter_bin: String, greeter_bin: String,
greeter_user: String, greeter_user: String,
greeter_service: String,
pam_service: String, pam_service: String,
term_mode: TerminalMode, term_mode: TerminalMode,
} }
@@ -45,6 +46,7 @@ impl Context {
pub fn new( pub fn new(
greeter_bin: String, greeter_bin: String,
greeter_user: String, greeter_user: String,
greeter_service: String,
pam_service: String, pam_service: String,
term_mode: TerminalMode, term_mode: TerminalMode,
) -> Context { ) -> Context {
@@ -56,6 +58,7 @@ impl Context {
}), }),
greeter_bin, greeter_bin,
greeter_user, greeter_user,
greeter_service,
pam_service, pam_service,
term_mode, term_mode,
} }
@@ -68,11 +71,12 @@ impl Context {
&self, &self,
class: &str, class: &str,
user: &str, user: &str,
service: &str,
cmd: Vec<String>, cmd: Vec<String>,
) -> Result<SessionChild, Error> { ) -> Result<SessionChild, Error> {
let mut scheduled_session = Session::new_external()?; let mut scheduled_session = Session::new_external()?;
scheduled_session scheduled_session
.initiate(&self.pam_service, class, user, false, &self.term_mode) .initiate(&service, class, user, false, &self.term_mode)
.await?; .await?;
loop { loop {
match scheduled_session.get_state().await { match scheduled_session.get_state().await {
@@ -93,6 +97,7 @@ impl Context {
self.start_unauthenticated_session( self.start_unauthenticated_session(
"greeter", "greeter",
&self.greeter_user, &self.greeter_user,
&self.greeter_service,
vec![self.greeter_bin.to_string()], vec![self.greeter_bin.to_string()],
) )
.await .await
@@ -128,7 +133,7 @@ impl Context {
let mut inner = self.inner.write().await; let mut inner = self.inner.write().await;
inner.current = Some(SessionChildSet { inner.current = Some(SessionChildSet {
child: self child: self
.start_unauthenticated_session("user", user, cmd) .start_unauthenticated_session("user", user, &self.pam_service, cmd)
.await?, .await?,
time: Instant::now(), time: Instant::now(),
is_greeter: false, is_greeter: false,
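Review bot: The new `service: &str` parameter is passed on as `&service` in the `.initiate(...)` call of the `@@ -68,11 +71,12 @@` hunk, which yields a `&&str` and only compiles through auto-deref; the plain name is what the signature intends, so the line should read `.initiate(service, class, user, false, &self.term_mode)`. The field `greeter_service` added to `Context` and its constructor parameter also carry no doc comment, and since the caller now decides which PAM stack a session is authenticated under, a one-line note would help the next reader, e.g. `/// PAM service name used for greeter sessions; may differ from `pam_service` so the greeter can run a reduced module stack.` placed above the field. The signature of `start_unauthenticated_session` and the rest of its body lie outside this hunk, as do the callers' surrounding functions in the last two hunks.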


@@ -197,6 +197,12 @@ pub async fn main(config: Config) -> Result<(), Error> {
return Err("PAM 'greetd' service missing".into()); return Err("PAM 'greetd' service missing".into());
}; };
let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() {
"greetd-greeter"
} else {
service
};
let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!( let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!(
"configured default session user '{}' not found", "configured default session user '{}' not found",
&config.file.default_session.user &config.file.default_session.user
@@ -212,6 +218,7 @@ pub async fn main(config: Config) -> Result<(), Error> {
let ctx = Rc::new(Context::new( let ctx = Rc::new(Context::new(
config.file.default_session.command, config.file.default_session.command,
config.file.default_session.user, config.file.default_session.user,
greeter_service.to_string(),
service.to_string(), service.to_string(),
term_mode.clone(), term_mode.clone(),
)); ));
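Review bot: The selection of the greeter PAM service in the `@@ -197,6 +197,12 @@` hunk is decided by `Path::new("/etc/pam.d/greetd-greeter").exists()` alone, so a directory or other non-regular entry of that name would select a service PAM cannot open, and the choice is made silently, leaving no trace of which stack the greeter was started under. Since the whole point of the change is that the two stacks differ in which modules they run, tightening the check to `Path::new("/etc/pam.d/greetd-greeter").is_file()` and reporting the selected name (if this file already has a logging facility, a line such as `greeter PAM service: {greeter_service}` at this point) would make the effective configuration visible to operators. Note that the earlier check which establishes `service` is outside this hunk, and `main` continues beyond it.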