[sddm] Fix login/logout issues with PAM stack

Martin Briza mbriza at fedoraproject.org
Mon Sep 2 16:40:30 UTC 2013


commit 94d65ea99d41a310690672df585a832d20ae1213
Author: Martin Briza <mbriza at redhat.com>
Date:   Mon Sep 2 17:19:18 2013 +0200

    Fix login/logout issues with PAM stack
    
    Complete PAM conversations and end them properly when the session ends
    
    Ship our own systemd service file, chiefly to provide Conflicts: getty@tty1.service

 ...AM-handle-in-the-Authenticator-class-and-.patch |  131 ++++++++++++++++++++
 sddm.service                                       |   13 ++
 sddm.spec                                          |   13 ++-
 3 files changed, 156 insertions(+), 1 deletions(-)
---
diff --git a/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch b/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
new file mode 100644
index 0000000..bbe2f0f
--- /dev/null
+++ b/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
@@ -0,0 +1,131 @@
+From cf58bfe0b770ae9bad959d4eeccc62e3066c7f2d Mon Sep 17 00:00:00 2001
+From: Martin Briza <mbriza at redhat.com>
+Date: Mon, 2 Sep 2013 17:05:13 +0200
+Subject: [PATCH] Store the PAM handle in the Authenticator class and close the
+ session properly
+
+---
+ src/daemon/Authenticator.cpp | 41 +++++++++++++++++++++++++++++------------
+ src/daemon/Authenticator.h   |  7 +++++++
+ 2 files changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/src/daemon/Authenticator.cpp b/src/daemon/Authenticator.cpp
+index 653a21e..76a9b0e 100644
+--- a/src/daemon/Authenticator.cpp
++++ b/src/daemon/Authenticator.cpp
+@@ -202,43 +202,49 @@ namespace SDDM {
+         Seat *seat = qobject_cast<Seat *>(display->parent());
+ 
+ #ifdef USE_PAM
+-        PamService pam("sddm", user, password, passwordless);
++        if (m_pam)
++            delete m_pam;
++
++        m_pam = new PamService("sddm", user, password, passwordless);
++
++        if (!m_pam)
++            return false;
+ 
+         if (!passwordless) {
+             // authenticate the applicant
+-            if ((pam.result = pam_authenticate(pam.handle, 0)) != PAM_SUCCESS)
++            if ((m_pam->result = pam_authenticate(m_pam->handle, 0)) != PAM_SUCCESS)
+                 return false;
+ 
+-            if ((pam.result = pam_acct_mgmt(pam.handle, 0)) == PAM_NEW_AUTHTOK_REQD)
+-                pam.result = pam_chauthtok(pam.handle, PAM_CHANGE_EXPIRED_AUTHTOK);
++            if ((m_pam->result = pam_acct_mgmt(m_pam->handle, 0)) == PAM_NEW_AUTHTOK_REQD)
++                m_pam->result = pam_chauthtok(m_pam->handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ 
+-            if (pam.result != PAM_SUCCESS)
++            if (m_pam->result != PAM_SUCCESS)
+                 return false;
+         }
+ 
+         // set username
+-        if ((pam.result = pam_set_item(pam.handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
++        if ((m_pam->result = pam_set_item(m_pam->handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
+             return false;
+ 
+         // set credentials
+-        if ((pam.result = pam_setcred(pam.handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
++        if ((m_pam->result = pam_setcred(m_pam->handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
+             return false;
+ 
+         // set tty
+-        if ((pam.result = pam_set_item(pam.handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
++        if ((m_pam->result = pam_set_item(m_pam->handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
+             return false;
+ 
+         // set display name
+-        if ((pam.result = pam_set_item(pam.handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
++        if ((m_pam->result = pam_set_item(m_pam->handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
+             return false;
+ 
+         // open session
+-        if ((pam.result = pam_open_session(pam.handle, 0)) != PAM_SUCCESS)
++        if ((m_pam->result = pam_open_session(m_pam->handle, 0)) != PAM_SUCCESS)
+             return false;
+ 
+         // get mapped user name; PAM may have changed it
+         char *mapped;
+-        if ((pam.result = pam_get_item(pam.handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
++        if ((m_pam->result = pam_get_item(m_pam->handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
+             return false;
+ #else
+         if (!passwordless) {
+@@ -304,7 +310,7 @@ namespace SDDM {
+         QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
+ #ifdef USE_PAM
+         // get pam environment
+-        char **envlist = pam_getenvlist(pam.handle);
++        char **envlist = pam_getenvlist(m_pam->handle);
+ 
+         // copy it to the env map
+         for (int i = 0; envlist[i] != nullptr; ++i) {
+@@ -399,6 +405,17 @@ namespace SDDM {
+         process->deleteLater();
+         process = nullptr;
+ 
++#ifdef USE_PAM
++        if (m_pam) {
++            m_pam->result = pam_close_session(m_pam->handle, 0);
++            m_pam->result = pam_setcred(m_pam->handle, PAM_DELETE_CRED);
++            // for some reason this has to be called here too
++            pam_end(m_pam->handle, m_pam->result);
++            delete m_pam;
++            m_pam = nullptr;
++        }
++#endif
++
+         // emit signal
+         emit stopped();
+     }
+diff --git a/src/daemon/Authenticator.h b/src/daemon/Authenticator.h
+index 682fa34..23e91ec 100644
+--- a/src/daemon/Authenticator.h
++++ b/src/daemon/Authenticator.h
+@@ -23,6 +23,9 @@
+ #include <QObject>
+ 
+ namespace SDDM {
++#ifdef USE_PAM
++    class PamService;
++#endif
+     class Session;
+ 
+     class AuthenticatorPrivate;
+@@ -48,6 +51,10 @@ namespace SDDM {
+ 
+         bool m_started { false };
+ 
++#ifdef USE_PAM
++        PamService *m_pam { nullptr };
++#endif
++
+         Session *process { nullptr };
+     };
+ }
+-- 
+1.8.3.1
+
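Review bot: Every early `return false` on the USE_PAM path — after pam_authenticate, pam_acct_mgmt/pam_chauthtok, pam_set_item, pam_setcred or pam_open_session fails — now leaves `m_pam` allocated with its PAM transaction still open, whereas the stack-allocated `PamService pam` it replaces went out of scope on those paths; the failed handle (holding the rejected password, and any credentials already established by PAM_ESTABLISH_CRED when a later step fails) stays alive until the next login attempt deletes it or the stop path runs. The `if (!m_pam) return false;` after `new` is dead code, since `new` throws std::bad_alloc rather than returning null. The comment "for some reason this has to be called here too" followed by `delete m_pam` suggests PamService's destructor may also call pam_end; if it does, the handle is ended twice, which Linux-PAM does not allow — worth confirming in PamService before merging, as the helper below assumes a single pam_end. I would route the failure paths through one private helper (declared under the same USE_PAM guard in Authenticator.h) that mirrors the teardown the second hunk already performs, replacing each `return false` after a PAM call with `return failPam();`. The login function's signature sits above the first hunk, so its non-PAM branch and the rest of its body are not visible here.
```cpp
// Tear down a PAM transaction that failed part-way through login, mirroring the
// teardown done when the session stops, so the handle and any credentials
// established with PAM_ESTABLISH_CRED do not outlive the failed attempt.
// Always returns false so call sites can write `return failPam();`.
bool Authenticator::failPam() {
    pam_setcred(m_pam->handle, PAM_DELETE_CRED);
    pam_end(m_pam->handle, m_pam->result);
    delete m_pam;
    m_pam = nullptr;
    return false;
}
// … unchanged: m_pam allocation …
        if (!passwordless) {
            if ((m_pam->result = pam_authenticate(m_pam->handle, 0)) != PAM_SUCCESS)
                return failPam();
            // … each later `return false` on the PAM path becomes `return failPam();` …
        }
```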
diff --git a/sddm.service b/sddm.service
new file mode 100644
index 0000000..5cd43e1
--- /dev/null
+++ b/sddm.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Simple Desktop Display Manager
+Conflicts=getty at tty1.service
+After=systemd-user-sessions.service getty at tty1.service plymouth-quit.service
+
+[Service]
+ExecStart=/usr/bin/sddm
+Restart=always
+IgnoreSIGPIPE=no
+
+[Install]
+Alias=display-manager.service
+
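Review bot: `Restart=always` with no `RestartSec=` means a display manager that dies at startup (no X server, broken config) is respawned immediately and trips systemd's default start-rate limit within seconds, after which the unit sits failed; `RestartSec=1` keeps the restart behaviour without the tight loop. The `Conflicts=` and `After=` lines read `getty at tty1.service` in this listing, presumably the mailing list's address obfuscation of `getty@tty1.service`; the shipped file must carry the `@` form, otherwise systemd rejects the token as an invalid unit name and the conflict this commit exists to provide is silently dropped. `[Install]` has only `Alias=display-manager.service` and no `WantedBy=`, so `systemctl enable sddm` creates just that alias; that is presumably intentional if graphical.target pulls display-manager.service in, but a one-line comment `# enabled via the display-manager.service alias; no WantedBy= on purpose` would save the next packager the question.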
diff --git a/sddm.spec b/sddm.spec
index d6ebe0f..fafee81 100644
--- a/sddm.spec
+++ b/sddm.spec
@@ -3,7 +3,7 @@
 
 Name:           sddm
 Version:        0.2.0
-Release:        0.3.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist}
+Release:        0.4.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist}
 License:        GPLv2+
 Summary:        QML based X11 desktop manager
 
@@ -11,6 +11,11 @@ Url:            https://github.com/sddm/sddm
 Source0:        https://github.com/sddm/sddm/archive/%{sddm_commit}.tar.gz
 # Originally kdm config, shamelessly stolen from gdm
 Source1:        sddm.pam
+# We need to ship our own service file to handle Fedora-specific cases
+Source2:        sddm.service
+
+# Upstreamed patch waiting for review, need it right now
+Patch1:         0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
 
 Provides: service(graphical-login) = sddm
 
@@ -36,6 +41,7 @@ designer the ability to create smooth, animated user interfaces.
 
 %prep
 %setup -q -n %{name}-%{sddm_commit}
+%patch1 -p1 -b .pam_close
 
 %build
 mkdir -p %{_target_platform}
@@ -50,6 +56,7 @@ make %{?_smp_mflags} -C %{_target_platform}
 %install
 make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
 install -Dpm 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sddm
+install -Dpm 644 %{SOURCE2} %{buildroot}%{_unitdir}/sddm.service
 # tmpfiles
 sed -i "s/AuthDir=\/var\/run\/xauth/AuthDir=\/var\/run\/sddm/" %{buildroot}%{_sysconfdir}/sddm.conf
 # set the first VT used to be 1
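Review bot: The new `install -Dpm 644 %{SOURCE2} %{buildroot}%{_unitdir}/sddm.service` has no matching `%files` entry anywhere in this diff, and the visible tail of `%files` (themes glob, just before `%changelog`) does not list it; unless `%files` already globs the unit directory further up (not shown), rpmbuild will stop on an installed-but-unpackaged file, so I would add `%{_unitdir}/sddm.service` there. A spec that ships a unit also normally carries `BuildRequires: systemd` for the `%{_unitdir}` macro and the `%systemd_post sddm.service` / `%systemd_preun sddm.service` / `%systemd_postun sddm.service` scriptlets with the matching `Requires(post)/(preun)/(postun): systemd`; if upstream's install already placed a unit and these lines exist above the shown hunks, disregard, but nothing in the diff shows them.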
@@ -80,6 +87,10 @@ sed -i "s/^MinimumVT=[0-9]*$/MinimumVT=1/" %{buildroot}%{_sysconfdir}/sddm.conf
 %{_datadir}/apps/sddm/themes/*
 
 %changelog
+* Mon Sep 02 2013 Martin Briza <mbriza at redhat.com> - 0.2.0-0.4.20130821gite707e229
+- Complete PAM conversations and end them properly when the session ends
+- Ship our own systemd service file especially to provide Conflicts: getty at tty1.service
+
 * Tue Aug 27 2013 Martin Briza <mbriza at redhat.com> - 0.2.0-0.3.20130821gite707e229
 - Suppress error output from missing PAMs.
 

