Fix login/logout issues with PAM stack

Complete PAM conversations and end them properly when the session ends

Ship our own systemd service file especially to provide Conflicts: getty@tty1.service
epel9
Martin Briza 12 years ago
parent ab368d26b8
commit 94d65ea99d

@ -0,0 +1,131 @@
From cf58bfe0b770ae9bad959d4eeccc62e3066c7f2d Mon Sep 17 00:00:00 2001
From: Martin Briza <mbriza@redhat.com>
Date: Mon, 2 Sep 2013 17:05:13 +0200
Subject: [PATCH] Store the PAM handle in the Authenticator class and close the
session properly
---
src/daemon/Authenticator.cpp | 41 +++++++++++++++++++++++++++++------------
src/daemon/Authenticator.h | 7 +++++++
2 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/src/daemon/Authenticator.cpp b/src/daemon/Authenticator.cpp
index 653a21e..76a9b0e 100644
--- a/src/daemon/Authenticator.cpp
+++ b/src/daemon/Authenticator.cpp
@@ -202,43 +202,49 @@ namespace SDDM {
Seat *seat = qobject_cast<Seat *>(display->parent());
#ifdef USE_PAM
- PamService pam("sddm", user, password, passwordless);
+ if (m_pam)
+ delete m_pam;
+
+ m_pam = new PamService("sddm", user, password, passwordless);
+
+ if (!m_pam)
+ return false;
if (!passwordless) {
// authenticate the applicant
- if ((pam.result = pam_authenticate(pam.handle, 0)) != PAM_SUCCESS)
+ if ((m_pam->result = pam_authenticate(m_pam->handle, 0)) != PAM_SUCCESS)
return false;
- if ((pam.result = pam_acct_mgmt(pam.handle, 0)) == PAM_NEW_AUTHTOK_REQD)
- pam.result = pam_chauthtok(pam.handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ if ((m_pam->result = pam_acct_mgmt(m_pam->handle, 0)) == PAM_NEW_AUTHTOK_REQD)
+ m_pam->result = pam_chauthtok(m_pam->handle, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (pam.result != PAM_SUCCESS)
+ if (m_pam->result != PAM_SUCCESS)
return false;
}
// set username
- if ((pam.result = pam_set_item(pam.handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
+ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_USER, qPrintable(user))) != PAM_SUCCESS)
return false;
// set credentials
- if ((pam.result = pam_setcred(pam.handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
+ if ((m_pam->result = pam_setcred(m_pam->handle, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
return false;
// set tty
- if ((pam.result = pam_set_item(pam.handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
+ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_TTY, qPrintable(display->name()))) != PAM_SUCCESS)
return false;
// set display name
- if ((pam.result = pam_set_item(pam.handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
+ if ((m_pam->result = pam_set_item(m_pam->handle, PAM_XDISPLAY, qPrintable(display->name()))) != PAM_SUCCESS)
return false;
// open session
- if ((pam.result = pam_open_session(pam.handle, 0)) != PAM_SUCCESS)
+ if ((m_pam->result = pam_open_session(m_pam->handle, 0)) != PAM_SUCCESS)
return false;
// get mapped user name; PAM may have changed it
char *mapped;
- if ((pam.result = pam_get_item(pam.handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
+ if ((m_pam->result = pam_get_item(m_pam->handle, PAM_USER, (const void **)&mapped)) != PAM_SUCCESS)
return false;
#else
if (!passwordless) {
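Review bot: Every early `return false` after `m_pam = new PamService(...)` now leaves the PAM handle alive in the daemon after a failed login, presumably along with the password handed to the constructor, whereas the old stack object was destroyed on each return. Nothing visible releases it until the next call reaches `delete m_pam`, and that delete runs without `pam_close_session` or `pam_setcred(..., PAM_DELETE_CRED)` if a session was still open. Consider releasing on failure, for example with `auto fail = [this] { delete m_pam; m_pam = nullptr; return false; };` used in place of the bare returns. The `if (!m_pam) return false;` check is dead code because plain `new` throws instead of returning null, and the `if (m_pam)` guard before `delete` is redundant. The enclosing function starts and ends outside this hunk.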
@@ -304,7 +310,7 @@ namespace SDDM {
QProcessEnvironment env = QProcessEnvironment::systemEnvironment();
#ifdef USE_PAM
// get pam environment
- char **envlist = pam_getenvlist(pam.handle);
+ char **envlist = pam_getenvlist(m_pam->handle);
// copy it to the env map
for (int i = 0; envlist[i] != nullptr; ++i) {
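Review bot: `pam_getenvlist` returns NULL on failure, yet the loop on the following line reads `envlist[0]` unconditionally; wrap the loop in `if (envlist != nullptr) { ... }`. The list and its strings are allocated by PAM and are the caller's to `free()`. The loop body is outside the hunk, so whether that happens cannot be confirmed from here. `m_pam` is also dereferenced without the null check the shutdown path uses, which is only safe if this code is reached solely after the PAM block above succeeded.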
@@ -399,6 +405,17 @@ namespace SDDM {
process->deleteLater();
process = nullptr;
+#ifdef USE_PAM
+ if (m_pam) {
+ m_pam->result = pam_close_session(m_pam->handle, 0);
+ m_pam->result = pam_setcred(m_pam->handle, PAM_DELETE_CRED);
+ // for some reason this has to be called here too
+ pam_end(m_pam->handle, m_pam->result);
+ delete m_pam;
+ m_pam = nullptr;
+ }
+#endif
+
// emit signal
emit stopped();
}
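Review bot: `pam_end(m_pam->handle, m_pam->result)` followed by `delete m_pam` ends the same handle twice if PamService's destructor also calls `pam_end`, which the comment "this has to be called here too" suggests. `pam_end` releases the handle, so a second call on it would be a use-after-free in the login daemon. The destructor is not visible here, so confirm it, then either drop the explicit call or set `m_pam->handle = nullptr;` after it and have the destructor skip a null handle. The result of `pam_close_session` is overwritten by `pam_setcred` on the next line without being checked or logged, so a failed session close goes unnoticed; log each result before reusing `m_pam->result`. The enclosing function begins outside this hunk.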
diff --git a/src/daemon/Authenticator.h b/src/daemon/Authenticator.h
index 682fa34..23e91ec 100644
--- a/src/daemon/Authenticator.h
+++ b/src/daemon/Authenticator.h
@@ -23,6 +23,9 @@
#include <QObject>
namespace SDDM {
+#ifdef USE_PAM
+ class PamService;
+#endif
class Session;
class AuthenticatorPrivate;
@@ -48,6 +51,10 @@ namespace SDDM {
bool m_started { false };
+#ifdef USE_PAM
+ PamService *m_pam { nullptr };
+#endif
+
Session *process { nullptr };
};
}
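Review bot: `m_pam` is an owning raw pointer with no ownership comment, and this patch adds no destructor that releases it. If an Authenticator is destroyed while a session is open, the PAM session and credentials would not be closed; that depends on code outside these hunks. Document the contract above the member, for example `// Owned. Holds the live PAM transaction from login until the session ends; must be closed and deleted before destruction.`, and check that the class's teardown path honours it.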
--
1.8.3.1

@ -0,0 +1,13 @@
[Unit]
Description=Simple Desktop Display Manager
Conflicts=getty@tty1.service
After=systemd-user-sessions.service getty@tty1.service plymouth-quit.service
[Service]
ExecStart=/usr/bin/sddm
Restart=always
IgnoreSIGPIPE=no
[Install]
Alias=display-manager.service
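Review bot: The unit has no comment explaining `Conflicts=getty@tty1.service`, although that line is the stated reason for shipping a distribution-specific file. Add `# sddm is configured to start on VT1 (MinimumVT=1 in sddm.conf), so the tty1 getty must be stopped when sddm starts` above it. `Restart=always` and `IgnoreSIGPIPE=no` would each benefit from a one-line rationale too, since `Restart=always` also brings the greeter back after a crash at the login prompt and a reader cannot tell whether that is intended.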

@ -3,7 +3,7 @@
Name: sddm Name: sddm
Version: 0.2.0 Version: 0.2.0
Release: 0.3.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist} Release: 0.4.20130821git%(echo %{sddm_commit} | cut -c-8)%{?dist}
License: GPLv2+ License: GPLv2+
Summary: QML based X11 desktop manager Summary: QML based X11 desktop manager
@ -11,6 +11,11 @@ Url: https://github.com/sddm/sddm
Source0: https://github.com/sddm/sddm/archive/%{sddm_commit}.tar.gz Source0: https://github.com/sddm/sddm/archive/%{sddm_commit}.tar.gz
# Originally kdm config, shamelessly stolen from gdm # Originally kdm config, shamelessly stolen from gdm
Source1: sddm.pam Source1: sddm.pam
# We need to ship our own service file to handle Fedora-specific cases
Source2: sddm.service
# Upstreamed patch waiting for review, need it right now
Patch1: 0001-Store-the-PAM-handle-in-the-Authenticator-class-and-.patch
Provides: service(graphical-login) = sddm Provides: service(graphical-login) = sddm
@ -36,6 +41,7 @@ designer the ability to create smooth, animated user interfaces.
%prep %prep
%setup -q -n %{name}-%{sddm_commit} %setup -q -n %{name}-%{sddm_commit}
%patch1 -p1 -b .pam_close
%build %build
mkdir -p %{_target_platform} mkdir -p %{_target_platform}
@ -50,6 +56,7 @@ make %{?_smp_mflags} -C %{_target_platform}
%install %install
make install/fast DESTDIR=%{buildroot} -C %{_target_platform} make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
install -Dpm 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sddm install -Dpm 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sddm
install -Dpm 644 %{SOURCE2} %{buildroot}%{_unitdir}/sddm.service
# tmpfiles # tmpfiles
sed -i "s/AuthDir=\/var\/run\/xauth/AuthDir=\/var\/run\/sddm/" %{buildroot}%{_sysconfdir}/sddm.conf sed -i "s/AuthDir=\/var\/run\/xauth/AuthDir=\/var\/run\/sddm/" %{buildroot}%{_sysconfdir}/sddm.conf
# set the first VT used to be 1 # set the first VT used to be 1
@ -80,6 +87,10 @@ sed -i "s/^MinimumVT=[0-9]*$/MinimumVT=1/" %{buildroot}%{_sysconfdir}/sddm.conf
%{_datadir}/apps/sddm/themes/* %{_datadir}/apps/sddm/themes/*
%changelog %changelog
* Mon Sep 02 2013 Martin Briza <mbriza@redhat.com> - 0.2.0-0.4.20130821gite707e229
- Complete PAM conversations and end them properly when the session ends
- Ship our own systemd service file especially to provide Conflicts: getty@tty1.service
* Tue Aug 27 2013 Martin Briza <mbriza@redhat.com> - 0.2.0-0.3.20130821gite707e229 * Tue Aug 27 2013 Martin Briza <mbriza@redhat.com> - 0.2.0-0.3.20130821gite707e229
- Suppress error output from missing PAMs. - Suppress error output from missing PAMs.
