PAM requires a number of environment variables set, and greeters need to
know the greetd socket path. All these environment variables were set
for all sessions started by greetd.
Only set the greetd socket path for greeter sessions, and remove some
environment variables only needed for PAM before starting a session.
If EOF is provided when the user is prompted, agreety would panic. This
commit fixes that by returning an error instead, causing a graceful
exit(1).
In the event several greeters are installed, each needing a specific PAM
config, it could be useful to have each greeter having its own config
file (which is already possible), each one indicating the PAM config to
be used with this greeter (which is not possible for now).
This commit adds a new (optional) "service" key to the "general",
"default_session" and "initial_session" sections so users and/or
distributions can have more flexibility regarding PAM config management.
In case this option is missing from the config file, we fall back to the
default "greetd" and "greetd-greeter" config names.
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
By default, filesystems user-mounted via FUSE are not accessible to
root. [1] Such user mounts have been common for encrypted home folders
since 2003. [2][3][4] This change accommodates users with those home
folders.
Greetd previously sent affected users into the root directory ("/")
because their home folders were inaccessible to root.
Now the directory operation occurs after a user's privileges were
assumed. Users find themselves in their home folders after logging in.
Since the call to PAM's open_session now takes place before any change
of folders, the value of the current directory is no longer being
exposed to the modules via the environment variable $PWD, but the PAM
environment is distinct from the process environment.
This commit was tested on Guix without commit 424ecac4 since the Rust
crate for nix 0.20 was not immediately available there.
[1] https://unix.stackexchange.com/a/17423
[2] https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
[3] https://en.wikipedia.org/wiki/EncFS
[4] https://nuetzlich.net/gocryptfs/
Some greeters were sending CancelSession in response to Error, likely
because it was necessary for a consistent internal state of fakegreet.
Change fakegreet to comply with the protocol doc, which states that the
sessions are automatically cancelled on error, and remove the need for
the redundant CancelSession.
If the client was compiled with the previous version of the protocol,
initialize StartSession.env with the default value instead of failing to
deserialize the message.
The $SHELL variable is not set yet at this moment, so it is hardly a good
idea to use it. /bin/sh is a completely generally available shell on all
UNIX platforms.
This adds a "switch" true/false flag in the "terminal" section of the
configuration file.
The flag controls whether the terminal under control should be switched
to when greetd starts. If "switch" is set to true, greetd behaves as it
did before: on start, vt_setactivate will be called. If "switch" is set
to false and the terminal under control by greetd is not the currently
active VT, greetd will wait for the terminal to become active with
vt_waitactive, which translates to a VT_WAITACTIVE ioctl call.
* greetd/src/config/mod.rs: add "switch" flag
* greetd/src/server.rs: add using "switch" flag and waiting for active
* greetd/src/terminal/mod.rs: add vt_waitactive method
* man/greetd-5.scd: mention "switch" configuration option
Security concerns were raised regarding the initial session being
executed whenever greetd was restarted (when signing out of one's DE,
when greetd or a greeter restarted or crashed, ...).
This creates a runfile (by default at /run/greetd.run) either when the
initial session is executed or when a greeter is started. Whenever this
file exists, the initial session is ignored (and the configured greeter
is always run).
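
The runfile gate described in the commit message above, as an added example (not greetd's own code). The names `Launch`, `claim_runfile` and `choose_launch`, the temp-dir path, and the choice to fall back to the greeter on I/O errors are assumptions made for illustration.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Write};
use std::path::Path;

/// What the daemon should launch on this start.
#[derive(Debug, PartialEq)]
pub enum Launch {
    InitialSession,
    Greeter,
}

/// Atomically claim the runfile; Ok(true) only for the call that created it.
fn claim_runfile(path: &Path) -> io::Result<bool> {
    // create_new is O_CREAT|O_EXCL: the existence check and the creation are
    // one step, so two starts cannot both see "no runfile yet".
    match OpenOptions::new().write(true).create_new(true).open(path) {
        Ok(mut f) => {
            writeln!(f, "{}", std::process::id())?;
            Ok(true)
        }
        Err(e) if e.kind() == ErrorKind::AlreadyExists => Ok(false),
        Err(e) => Err(e),
    }
}

/// Decide what to launch. The runfile is created on the first start whether
/// or not an initial session is configured, as the commit message describes.
pub fn choose_launch(runfile: &Path, has_initial_session: bool) -> Launch {
    match claim_runfile(runfile) {
        Ok(true) if has_initial_session => Launch::InitialSession,
        // Runfile already present, nothing configured, or an I/O error:
        // fall back to the greeter (fail-closed choice made for this example).
        _ => Launch::Greeter,
    }
}

fn main() {
    // Constructed path; the commit message gives /run/greetd.run as the default.
    let runfile = std::env::temp_dir().join(format!("greetd-example-{}.run", std::process::id()));
    let _ = fs::remove_file(&runfile);
    println!("first start: {:?}", choose_launch(&runfile, true));
    println!("restart:     {:?}", choose_launch(&runfile, true));
    let _ = fs::remove_file(&runfile);
}
```
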
There is no secret material that needs to be unreadable except to the
daemon, but if there were, the current instructions never recommended
setting a locked down mode.
The daemon doesn't need write access either.
Recommending chown rather than making the config world readable, as is
typical for bog standard system configs, is confusing and inconsistent
with e.g. the in house AUR packaging. It also might be erroneously
interpreted as a requirement, which is challenging for packaging systems
that don't support distributing files/directories owned by non-root
users.
This adds a system-wide toggle for whether the system profile should be
sourced by /bin/sh before running the command. Note that the command
will still be run with /bin/sh, regardless of profile sourcing.
The option defaults to true for now.
Example usage:

    [general]
    source_profile = false

Check the existence and attempt to use `greetd-greeter` pam service file
for greeter sessions. The fallback is a standard greetd pam service,
i.e. `greetd` or `login`.
Rationale: proper configurations for different session types can vary in
acceptable modules. Certain modules like `pam_selinux` are actually
harmful for an unprivileged greeter session as it removes the SELinux
security label from the greeter processes.
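
A check an administrator could run against the fallback described above, as an added example (not greetd's own code): it resolves which service file a greeter session would end up with and flags `pam_selinux` in it. The function names, the one-file-per-service directory layout, and trying `greetd` before `login` are assumptions; `@include` lines are not followed.

```rust
use std::fs;
use std::path::Path;

/// Candidate service names, most specific first (order of the last two assumed).
pub fn candidates(greeter: bool) -> Vec<&'static str> {
    if greeter {
        vec!["greetd-greeter", "greetd", "login"]
    } else {
        vec!["greetd", "login"]
    }
}

/// First candidate that has a service file in `pam_dir`.
pub fn resolve_service(pam_dir: &Path, greeter: bool) -> Option<&'static str> {
    candidates(greeter).into_iter().find(|name| pam_dir.join(name).is_file())
}

/// Module file names referenced by a service file, comments skipped.
/// Handles bracketed controls and absolute module paths.
pub fn modules_in(service_file: &Path) -> Vec<String> {
    let text = fs::read_to_string(service_file).unwrap_or_default();
    text.lines()
        .map(str::trim)
        .filter(|l| !l.starts_with('#'))
        .filter_map(|l| {
            l.split_whitespace()
                .filter_map(|tok| tok.rsplit('/').next())
                .find(|base| base.starts_with("pam_") && base.ends_with(".so"))
        })
        .map(String::from)
        .collect()
}

/// Some(message) when the greeter's resolved service loads pam_selinux.
pub fn greeter_warning(pam_dir: &Path) -> Option<String> {
    let svc = resolve_service(pam_dir, true)?;
    let mods = modules_in(&pam_dir.join(svc));
    mods.iter()
        .any(|m| m == "pam_selinux.so")
        .then(|| format!("greeter resolves to '{}', which loads pam_selinux", svc))
}

fn main() {
    // Constructed sample: a throwaway directory standing in for /etc/pam.d.
    let dir = std::env::temp_dir().join(format!("pamd-example-{}", std::process::id()));
    fs::create_dir_all(&dir).unwrap();
    fs::write(dir.join("login"), "session required pam_selinux.so open\n").unwrap();
    println!("{:?}", greeter_warning(&dir));
    let _ = fs::remove_dir_all(&dir);
}
```
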
The decision to start a session worker or main process is taken after
the config module has been queried. This means that the regular process
for loading config files is also run. This can lead to errors if the
config file is not in the default location, as the session worker does
not receive the config argument.
Skip reading config files if the session-worker flag is set.
Use of per-pid socket paths allows multiple greetd instances to be
started without accidentally trampling on each other's socket paths.
This has the added benefit of rendering the socket-path configuration
unnecessary.
Delete the listener on Drop for cleanup.