Security concerns were raised regarding the initial session being
executed whenever greetd was restarted (when signing out of one's DE,
when greetd or a greeter restarted or crashed, ...).
This creates a runfile (by default at /run/greetd.run) either when the
initial session is executed or when a greeter is started. Whenever this
file exists, the initial session is ignored (and the configured greeter
is always run).
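
The runfile gate described in the message above, as an added sketch that is not greetd's own code. The names `Startup`, `claim_runfile` and `choose_startup` are hypothetical, and falling back to the greeter when the runfile cannot be written is an assumption of this example.

```rust
use std::fs::OpenOptions;
use std::io::{self, ErrorKind};
use std::path::Path;

#[derive(Debug, PartialEq)]
pub enum Startup {
    InitialSession,
    Greeter,
}

/// Create the runfile if absent. Ok(true): this call created it (first start
/// since /run was cleared); Ok(false): it already existed.
pub fn claim_runfile(path: &Path) -> io::Result<bool> {
    // create_new is O_CREAT|O_EXCL: check and create are one atomic step,
    // and an existing file or symlink at the path is never followed or truncated.
    match OpenOptions::new().write(true).create_new(true).open(path) {
        Ok(_) => Ok(true),
        Err(e) if e.kind() == ErrorKind::AlreadyExists => Ok(false),
        Err(e) => Err(e),
    }
}

/// Decide what to start. The runfile is claimed on every start, so it exists
/// after the first greeter start as well as after the initial session.
pub fn choose_startup(runfile: &Path, has_initial_session: bool) -> Startup {
    match claim_runfile(runfile) {
        Ok(true) if has_initial_session => Startup::InitialSession,
        // Already ran once, no initial session configured, or (assumption of
        // this example) the runfile could not be written: require a login.
        _ => Startup::Greeter,
    }
}

fn main() {
    // Constructed path for the demo; the default named above is /run/greetd.run.
    let runfile = std::env::temp_dir().join(format!("greetd-demo-{}.run", std::process::id()));
    let _ = std::fs::remove_file(&runfile);
    println!("boot:    {:?}", choose_startup(&runfile, true));
    println!("restart: {:?}", choose_startup(&runfile, true));
    let _ = std::fs::remove_file(&runfile);
}
```
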

There is no secret material that needs to be unreadable except to the
daemon, but if there were, the current instructions never recommended
setting a locked-down mode.
The daemon doesn't need write access either.
Recommending chown, rather than making the config world-readable as is
typical for bog-standard system configs, is confusing and inconsistent
with e.g. the in-house AUR packaging. It also might be erroneously
interpreted as a requirement, which is challenging for packaging systems
that don't support distributing files/directories owned by non-root
users.

This adds a system-wide toggle for whether the system profile should be
sourced by /bin/sh before running the command. Note that the command
will still be run with /bin/sh, regardless of profile sourcing.
The option defaults to true for now.

Example usage:

[general]
source_profile = false

Check the existence of and attempt to use the `greetd-greeter` pam service
file for greeter sessions. The fallback is a standard greetd pam service,
i.e. `greetd` or `login`.

Rationale: proper configurations for different session types can vary in
acceptable modules. Certain modules like `pam_selinux` are actually
harmful for an unprivileged greeter session as it removes the SELinux
security label from the greeter processes.

The decision to start a session worker or main process is taken after
the config module has been queried. This means that the regular process
for loading config files is also run. This can lead to errors if the
config file is not in the default location, as the session worker does
not receive the config argument.

Skip reading config files if the session-worker flag is set.

Use of per-pid socket paths allows multiple greetd instances to be
started without accidentally trampling on each other's socket paths.
This has the added benefit of rendering the socket-path configuration
unnecessary.

Delete the listener on Drop for cleanup.

They look alike, but we really have no use for toml. Swapping it for
manual decoding with rust-ini ends up making the code simpler, and cuts
binary size by >100KiB on my local release builds.

ini also allows us to have quote-free strings, which look more correct
for enums.