Use additional pam service config for greeter

Check the existence and attempt to use `greetd-greeter` pam service file
for greeter sessions. The fallback is a standard greetd pam service,
i.e. `greetd` or `login`.

Rationale: proper configurations for different session types can vary in
acceptable modules. Certain modules, such as `pam_selinux`, are actually
harmful for an unprivileged greeter session because they remove the SELinux
security label from the greeter processes.
This commit is contained in:
Aleksei Bavshin
2020-09-20 17:24:57 -07:00
committed by Kenny Levinsen
parent 0d8812c80b
commit 4c2a2e89d4
2 changed files with 14 additions and 2 deletions


@@ -37,6 +37,7 @@ pub struct Context {
inner: RwLock<ContextInner>,
greeter_bin: String,
greeter_user: String,
greeter_service: String,
pam_service: String,
term_mode: TerminalMode,
}
@@ -45,6 +46,7 @@ impl Context {
pub fn new(
greeter_bin: String,
greeter_user: String,
greeter_service: String,
pam_service: String,
term_mode: TerminalMode,
) -> Context {
@@ -56,6 +58,7 @@ impl Context {
}),
greeter_bin,
greeter_user,
greeter_service,
pam_service,
term_mode,
}
@@ -68,11 +71,12 @@ impl Context {
&self,
class: &str,
user: &str,
service: &str,
cmd: Vec<String>,
) -> Result<SessionChild, Error> {
let mut scheduled_session = Session::new_external()?;
scheduled_session
.initiate(&self.pam_service, class, user, false, &self.term_mode)
.initiate(&service, class, user, false, &self.term_mode)
.await?;
loop {
match scheduled_session.get_state().await {
@@ -93,6 +97,7 @@ impl Context {
self.start_unauthenticated_session(
"greeter",
&self.greeter_user,
&self.greeter_service,
vec![self.greeter_bin.to_string()],
)
.await
@@ -128,7 +133,7 @@ impl Context {
let mut inner = self.inner.write().await;
inner.current = Some(SessionChildSet {
child: self
.start_unauthenticated_session("user", user, cmd)
.start_unauthenticated_session("user", user, &self.pam_service, cmd)
.await?,
time: Instant::now(),
is_greeter: false,
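Review bot: `.initiate(&service, class, user, false, &self.term_mode)` borrows a value that is already `&str`, so the argument is `&&str` and only compiles through auto-deref; clippy's `needless_borrow` flags this, and `.initiate(service, class, user, false, &self.term_mode)` reads as intended. The new `service` parameter of `start_unauthenticated_session` also deserves a doc line, since it now decides which PAM stack a greeter or user session is opened under — something like `/// `service`: name of the PAM service used to open this session (the greeter stack for greeter sessions, the configured greetd service otherwise).` The function's signature line is above the hunk that adds the parameter, and the greeter call site's enclosing function starts outside its hunk as well.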


@@ -197,6 +197,12 @@ pub async fn main(config: Config) -> Result<(), Error> {
return Err("PAM 'greetd' service missing".into());
};
let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() {
"greetd-greeter"
} else {
service
};
let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!(
"configured default session user '{}' not found",
&config.file.default_session.user
@@ -212,6 +218,7 @@ pub async fn main(config: Config) -> Result<(), Error> {
let ctx = Rc::new(Context::new(
config.file.default_session.command,
config.file.default_session.user,
greeter_service.to_string(),
service.to_string(),
term_mode.clone(),
));
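Review bot: The greeter's PAM stack is chosen silently by an existence test on `/etc/pam.d/greetd-greeter`, and nothing records which service was picked; since the goal is to keep modules such as `pam_selinux` off the greeter, an operator cannot tell from the logs whether the dedicated stack or the fallback (`greetd`/`login`) is in effect. A single line after the selection, in whatever logging facility this file already uses, e.g. `eprintln!("greeter PAM service: {}", greeter_service);`, makes the fallback observable. The probe also looks only under `/etc/pam.d`; if a distribution ships the file in a vendor PAM directory instead, the fallback is taken even though PAM itself might find the stack — worth a comment above the `if`, e.g. `// Only /etc/pam.d is probed; a greeter stack installed elsewhere falls back to `service`.` `main` starts before the first hunk and continues after the last one.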