From 94d65ea99d41a310690672df585a832d20ae1213 Mon Sep 17 00:00:00 2001
From: Martin Briza
Date: Mon, 2 Sep 2013 17:19:18 +0200
Subject: [PATCH] Fix login/logout issues with PAM stack

Complete PAM conversations and end them properly when the session ends
Ship our own systemd service file especially to provide Conflicts: getty@tty1.service
---
 ...ndle-in-the-Authenticator-class-and-.patch | 131 ++++++++++++++++++
 sddm.service | 13 ++
 sddm.spec | 13 +-
 3 files changed, 156 insertions(+), 1 deletion(-)
 create mode 100644 0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
 create mode 100644 sddm.service

diff --git a/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch b/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
new file mode 100644
index 0000000..bbe2f0f
--- /dev/null
+++ b/0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
@@ -0,0 +1,131 @@
+From cf58bfe0b770ae9bad959d4eeccc62e3066c7f2d Mon Sep 17 00:00:00 2001
+From: Martin Briza
+Date: Mon, 2 Sep 2013 17:05:13 +0200
+Subject: [PATCH] Store the PAM handle in the Authenticator class and close the
+ session properly
+
+---
+ src/daemon/Authenticator.cpp | 41 +++++++++++++++++++++++++++++------------
+ src/daemon/Authenticator.h | 7 +++++++
+ 2 files changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/src/daemon/Authenticator.cpp b/src/daemon/Authenticator.cpp
+index 653a21e..76a9b0e 100644
+--- a/src/daemon/Authenticator.cpp
++++ b/src/daemon/Authenticator.cpp
+@@ -202,43 +202,49 @@ namespace SDDM {
+ Seat *seat = qobject_cast(display->parent());
+
+ #ifdef USE_PAM
+- PamService pam("sddm", user, password, passwordless);
++ if (m_pam)
++ delete m_pam;
++
++ m_pam = new PamService("sddm", user, password, passwordless);
++
++ if (!m_pam)
++ return false;
+
+ if (!passwordless) {
+ // authenticate the applicant
+- if ((pam.result = pam_authenticate(pam.handle, 0)) != PAM_SUCCESS)
++ if ((m_pam->result = pam_authenticate(m_pam->handle, 0)) != PAM_SUCCESS)
+ return false;
+
+- if ((pam.result = pam_acct_mgmt(pam.handle, 0)) == PAM_NEW_AUTHTOK_REQD)
+- pam.result = pam_chauthtok(pam.handle, PAM_CHANGE_EXPIRED_AUTHTOK);
++ if ((m_pam->result = pam_acct_mgmt(m_pam->handle, 0)) == PAM_NEW_AUTHTOK_REQD)
++ m_pam->result = pam_chauthtok(m_pam->handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+
+- if (pam.result != PAM_SUCCESS)
++ if (m_pam->result != PAM_SUCCESS)
+ return false;
+ }
+
+ // set username
+- if ((pam.result = pam_set_item(pam.handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
++ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
+ return false;
+
+ // set credentials
+- if ((pam.result = pam_setcred(pam.handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
++ if ((m_pam->result = pam_setcred(m_pam->handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
+ return false;
+
+ // set tty
+- if ((pam.result = pam_set_item(pam.handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
++ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
+ return false;
+
+ // set display name
+- if ((pam.result = pam_set_item(pam.handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
++ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
+ return false;
+
+ // open session
+- if ((pam.result = pam_open_session(pam.handle, 0)) != PAM_SUCCESS)
++ if ((m_pam->result = pam_open_session(m_pam->handle, 0)) != PAM_SUCCESS)
+ return false;
+
+ // get mapped user name; PAM may have changed it
+ char *mapped;
+- if ((pam.result = pam_get_item(pam.handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
++ if ((m_pam->result = pam_get_item(m_pam->handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
+ return false;
+ #else
+ if (!passwordless) {
+@@ -304,7 +310,7 @@ namespace SDDM {
+ QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
+ #ifdef USE_PAM
+ // get pam environment
+- char **envlist = pam_getenvlist(pam.handle);
++ char **envlist = pam_getenvlist(m_pam->handle);
+
+ // copy it to the env map
+ for (int i = 0; envlist[i] != nullptr; ++i) {
+@@ -399,6 +405,17 @@ namespace SDDM {
+ process->deleteLater();
+ process = nullptr;
+
++#ifdef USE_PAM
++ if (m_pam) {
++ m_pam->result = pam_close_session(m_pam->handle, 0);
++ m_pam->result = pam_setcred(m_pam->handle, PAM_DELETE_CRED);
++ // for some reason this has to be called here too
++ pam_end(m_pam->handle, m_pam->result);
++ delete m_pam;
++ m_pam = nullptr;
++ }
++#endif
++
+ // emit signal
+ emit stopped();
+ }
+diff --git a/src/daemon/Authenticator.h b/src/daemon/Authenticator.h
+index 682fa34..23e91ec 100644
+--- a/src/daemon/Authenticator.h
++++ b/src/daemon/Authenticator.h
+@@ -23,6 +23,9 @@
+ #include
+
+ namespace SDDM {
++#ifdef USE_PAM
++ class PamService;
++#endif
+ class Session;
+
+ class AuthenticatorPrivate;
+@@ -48,6 +51,10 @@ namespace SDDM {
+
+ bool m_started { false };
+
++#ifdef USE_PAM
++ PamService *m_pam { nullptr };
++#endif
++
+ Session *process { nullptr };
+ };
+ }
+--
+1.8.3.1
+
diff --git a/sddm.service b/sddm.service
new file mode 100644
index 0000000..5cd43e1
--- /dev/null
+++ b/sddm.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Simple Desktop Display Manager
+Conflicts=getty@tty1.service
+After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
+
+[Service]
+ExecStart=/usr/bin/sddm
+Restart=always
+IgnoreSIGPIPE=no
+
+[Install]
+Alias=display-manager.service
+
diff --git a/sddm.spec b/sddm.spec
index d6ebe0f..fafee81 100644
--- a/sddm.spec
+++ b/sddm.spec
@@ -3,7 +3,7 @@
 Name: sddm
 Version: 0.2.0
-Release: 0.3.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist}
+Release: 0.4.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist}
 License: GPLv2+
 Summary: QML based X11 desktop manager
@@ -11,6 +11,11 @@ Url: https://github.com/sddm/sddm
 Source0: https://github.com/sddm/sddm/archive/%{sddm_commit}.tar.gz
 # Originally kdm config, shamelessly stolen from gdm
 Source1: sddm.pam
+# We need to ship our own service file to handle Fedora-specific cases
+Source2: sddm.service
+
+# Upstreamed patch waiting for review, need it right now
+Patch1: 0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
 Provides: service(graphical-login) = sddm
@@ -36,6 +41,7 @@ designer the ability to create smooth, animated user interfaces.
 %prep
 %setup -q -n %{name}-%{sddm_commit}
+%patch1 -p1 -b .pam_close
 %build
 mkdir -p %{_target_platform}
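Review bot: In the new `authenticate()` body, every early `return false` after `m_pam = new PamService(...)` (the pam_authenticate, pam_acct_mgmt, pam_set_item, pam_setcred and pam_open_session failures) now leaves `m_pam` and its PAM handle alive, whereas the stack-allocated `pam` it replaces was torn down on every exit, so a failed login keeps the handle, and whatever PamService retains of `password`, until the next authenticate() or stop(). I would end and free `m_pam` on those failure paths through one small private helper that stop() also uses, so that pam_end has exactly one owner; the explicit `pam_end(m_pam->handle, m_pam->result)` followed by `delete m_pam` in stop(), together with the comment `// for some reason this has to be called here too`, reads as if PamService's destructor also calls pam_end, and if it does the handle is ended twice, which is a use-after-free inside libpam. Two smaller points in the same hunk: `if (!m_pam) return false;` right after `new` can never fire because `new` throws on failure rather than returning null, and the unconditional `delete m_pam` at the top of authenticate() would discard an open session without pam_close_session/pam_setcred(PAM_DELETE_CRED) should authenticate() ever run twice without a stop() in between. The enclosing authenticate() and stop() both start or end outside the hunk.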
@@ -50,6 +56,7 @@ make %{?_smp_mflags} -C %{_target_platform}
 %install
 make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
 install -Dpm 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sddm
+install -Dpm 644 %{SOURCE2} %{buildroot}%{_unitdir}/sddm.service
 # tmpfiles
 sed -i "s/AuthDir=\/var\/run\/xauth/AuthDir=\/var\/run\/sddm/" %{buildroot}%{_sysconfdir}/sddm.conf
 # set the first VT used to be 1
@@ -80,6 +87,10 @@ sed -i "s/^MinimumVT=[0-9]*$/MinimumVT=1/" %{buildroot}%{_sysconfdir}/sddm.conf
 %{_datadir}/apps/sddm/themes/*
 %changelog
+* Mon Sep 02 2013 Martin Briza - 0.2.0-0.4.20130821gite707e229
+- Complete PAM conversations and end them properly when the session ends
+- Ship our own systemd service file especially to provide Conflicts: getty@tty1.service
+
 * Tue Aug 27 2013 Martin Briza - 0.2.0-0.3.20130821gite707e229
 - Suppress error output from missing PAMs.