Commit 3add4d21 authored by Lennart Poettering's avatar Lennart Poettering

pam: optionally keep processes of root user around

parent d8cfa085
......@@ -4,8 +4,6 @@
* figure out what happened to bluez patch
* in pam_systemd: add option to kill normal user sessions on logout but only those with uid != 0
* introduce StandardOutput=syslog+console and StandardOutput=kmsg+console to support fsck output at boot
* Patch systemd-fsck to use -C and pass console fd to it
......
......@@ -201,6 +201,20 @@
logout.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>keep-root=</option></term>
<listitem><para>Takes a boolean
argument. If true, all processes
created by the root user (UID 0) during his
session and from his session will be
kept around after he logged out. This
option allows cancelling the effect of
<option>kill-session=1</option> and
<option>kill-user=1</option> for the
root user.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>controllers=</option></term>
......@@ -230,7 +244,8 @@
<para>If the options are omitted they default to
<option>create-session=1</option>,
<option>kill-session=0</option>,
<option>kill-user=0</option>.</para>
<option>kill-user=0</option>,
<option>keep-root=1</option>.</para>
</refsect1>
<refsect1>
......
......@@ -42,6 +42,7 @@ static int parse_argv(pam_handle_t *handle,
bool *create_session,
bool *kill_session,
bool *kill_user,
bool *keep_root,
char ***controllers) {
unsigned i;
......@@ -80,6 +81,15 @@ static int parse_argv(pam_handle_t *handle,
if (kill_user)
*kill_user = k;
} else if (startswith(argv[i], "keep-root=")) {
if ((k = parse_boolean(argv[i] + 10)) < 0) {
pam_syslog(handle, LOG_ERR, "Failed to parse keep-root= argument.");
return k;
}
if (keep_root)
*keep_root = k;
} else if (startswith(argv[i], "controllers=")) {
if (controllers) {
......@@ -327,7 +337,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, &controllers) < 0)
if (parse_argv(handle, argc, argv, &create_session, NULL, NULL, NULL, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
......@@ -462,6 +472,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
const char *username = NULL;
bool kill_session = false;
bool kill_user = false;
bool keep_root = true;
int lock_fd = -1, r;
char *session_path = NULL, *nosession_path = NULL, *user_path = NULL;
const char *id;
......@@ -475,7 +486,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
if (sd_booted() <= 0)
return PAM_SUCCESS;
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &controllers) < 0)
if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user, &keep_root, &controllers) < 0)
return PAM_SESSION_ERR;
if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS)
......@@ -510,7 +521,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
goto finish;
}
if (kill_session) {
if (kill_session && (pw->pw_uid != 0 || !keep_root)) {
pam_syslog(handle, LOG_INFO, "Killing remaining processes of user session %s of %s.", id, username);
/* Kill processes in session cgroup, and delete it */
......@@ -544,7 +555,7 @@ _public_ PAM_EXTERN int pam_sm_close_session(
pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r));
/* Kill user processes not attached to any session */
if (kill_user && r == 0) {
if (kill_user && r == 0 && (pw->pw_uid != 0 || !keep_root)) {
/* Kill user cgroup */
if ((r = cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, user_path, true)) < 0)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment