pam_xdg: v0.8.2

README

@@ -1,12 +1,14 @@
 A repo of some small tools
 ==========================
 
-pam_xdg.c (plus support) v0.8.1 (2022-08-02):
+pam_xdg.c (plus support) v0.8.2 (2024-02-27):
    XDG Base Directories support via PAM: creation of $XDG_RUNTIME_DIRs,
    injection of environment variables into sessions.  libpam and OpenPAM.
    [- port to OpenPAM (BSD).  (Jan Beich)]
    [- Allow non-XDG-standard paths via make options. (Jan Beich)]
-   - Support XDG standard 0.8; make ball release v0.8.1.
+   [- Support XDG standard 0.8]
+   - Add comments; simplify one string build (possible due to "allow
+     non-xdg-standard paths.."); make ball release v0.8.2.
 
 s-cdda.c (plus support) v0.8.5 (2021-01-28):
    Access digital audio CDs (TOC, MCN, ISRC, CD-TEXT, audio tracks).

pam_xdg.8

@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .
-.Dd August 2, 2022
+.Dd February 27, 2024
 .Dt PAM_XDG 8
 .Os
 .

pam_xdg.c

@@ -4,8 +4,10 @@
  *@ - Supports libpam (Linux) and OpenPAM.
  *@ - Requires C preprocessor with __VA_ARGS__ support!
  *@ - Uses "rm -rf" to drop per-user directories. XXX Unroll this?  nftw?
+ *@   Problems are (also dependent on operating system)
+ *@   E[MN]FILE failures, ordering issues, mode changes, mounts, subvolumes..
  *
- * Copyright (c) 2021 - 2022 Steffen Nurpmeso <steffen@sdaoden.eu>.
+ * Copyright (c) 2021 - 2024 Steffen Nurpmeso <steffen@sdaoden.eu>.
  * SPDX-License-Identifier: ISC
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -256,6 +258,8 @@ a_xdg(int isopen, pam_handle_t *pamh, int flags, int argc, char const **argv){
 		}
 		f |= a_MPV;
 
+		/* (On at least Linux, in containers/namespaces and whatever weird execution environments,
+		 * we need to do this to get it graceful (i think of it as a PAM bug; undocumented, anyway)) */
 		oumask = umask(0000);
 		oegid = getegid();
 		setegid(0);
@@ -288,14 +292,11 @@ a_xdg(int isopen, pam_handle_t *pamh, int flags, int argc, char const **argv){
 
 		/* XDG_RUNTIME_DIR */
 		cp = xbuf;
-		memcpy(cp, "XDG_RUNTIME_DIR=", sizeof("XDG_RUNTIME_DIR=") -1);
-		cp += sizeof("XDG_RUNTIME_DIR=") -1;
-		memcpy(cp, a_RUNTIME_DIR_OUTER, sizeof(a_RUNTIME_DIR_OUTER) -1);
-		cp += sizeof(a_RUNTIME_DIR_OUTER) -1;
-		*cp++ = '/';
-		memcpy(cp, a_RUNTIME_DIR_BASE, sizeof(a_RUNTIME_DIR_BASE) -1);
-		cp += sizeof(a_RUNTIME_DIR_BASE) -1;
-		*cp++ = '/';
+		memcpy(cp, "XDG_RUNTIME_DIR=" a_RUNTIME_DIR_OUTER "/" a_RUNTIME_DIR_BASE "/",
+			sizeof("XDG_RUNTIME_DIR=") -1 + sizeof(a_RUNTIME_DIR_OUTER) -1 + 1 +
+				sizeof(a_RUNTIME_DIR_BASE) -1 + 1);
+		cp += sizeof("XDG_RUNTIME_DIR=") -1 + sizeof(a_RUNTIME_DIR_OUTER) -1 + 1 +
+				sizeof(a_RUNTIME_DIR_BASE) -1 + 1;
 		memcpy(cp, &uidbuf[4], uidbuflen);
 
 		if(pam_putenv(pamh, xbuf) != PAM_SUCCESS)
@@ -415,10 +416,10 @@ a_xdg(int isopen, pam_handle_t *pamh, int flags, int argc, char const **argv){
 		else if(sessions > 0)
 			--sessions;
 
-		if(!isopen && sessions == 0){ /* former.. hmmm. */
+		if(/*!isopen &&*/ sessions == 0){
 			/* Ridiculously simple, but everything else would be the opposite.
-			 * Ie, E[MN]FILE failures, or whatever else */
-			char const cmd[] = "rm -rf " a_RUNTIME_DIR_OUTER "/" a_RUNTIME_DIR_BASE "/";
+			 * Ie, E[MN]FILE failures, ordering issues, mode changes, mounts, subvolumes.. */
+			static char const cmd[] = "rm -rf " a_RUNTIME_DIR_OUTER "/" a_RUNTIME_DIR_BASE "/";
 
 			memcpy(xbuf, cmd, sizeof(cmd) -1);
 			memcpy(&xbuf[sizeof(cmd) -1], &uidbuf[4], uidbuflen +1);

pam_xdg.makefile

@@ -29,9 +29,12 @@ CFLAGS = -DNDEBUG \
 	-fno-asynchronous-unwind-tables -fno-unwind-tables \
 	-fno-common \
 	-fstrict-aliasing -fstrict-overflow \
-	-fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE
+	-fstack-protector-strong \
+	-D_FORTIFY_SOURCE=3 \
+	-fcf-protection=full \
+	-fPIE
 LDFLAGS = -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wl,--as-needed \
-	-Wl,--enable-new-dtags -fpie -shared
+	-Wl,--enable-new-dtags -pie -fPIE -shared
 LDLIBS = -lpam
 
 INSTALL = install