Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
logind: make ReleaseSession "unprivileged" and allow closing of own s…
…ession Fixes #28514. Quoting #28514 (comment): > Whenever PAM is enabled for a service, we set up the PAM session and then > fork off a process whose only job is to eventually close the PAM session when > the service dies. That services we run with service privileges, both to > minimize attack surface and because we want to use PR_SET_DEATHSIG to be get > a notification via signal whenever the main process dies. But that only works > if we have the same credentials as that main process. > > Now, if pam_systemd runs inside the PAM stack (which it normally does) it's > session close hook will ask logind to synchronously end the session via a bus > call. Currently that call is not accessible to unprivileged clients. And > that's the part we need to relax: allow users to end their own sessions. The check is implemented in a way that allows the kill if the sender is in the target session. I found 'sudo systemctl --user -M "zbyszek@" is-system-running' to be a convenient reproducer. Before: May 16 16:25:26 x1c systemd[1]: run-u24754.service: Deactivated successfully. May 16 16:25:26 x1c dbus-broker[1489]: A security policy denied :1.24757 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.ReleaseSession to org.freedesktop.login1. May 16 16:25:26 x1c (sd-pam)[3036470]: pam_systemd(login:session): Failed to release session: Access denied May 16 16:25:26 x1c systemd[1]: Stopping session-114.scope... May 16 16:25:26 x1c systemd[1]: session-114.scope: Deactivated successfully. May 16 16:25:26 x1c systemd[1]: Stopped session-114.scope. May 16 16:25:26 x1c systemd[1]: session-c151.scope: Deactivated successfully. May 16 16:25:26 x1c systemd-logind[1513]: Session c151 logged out. Waiting for processes to exit. May 16 16:25:26 x1c systemd-logind[1513]: Removed session c151. After: May 16 17:02:15 x1c systemd[1]: run-u24770.service: Deactivated successfully. May 16 17:02:15 x1c systemd[1]: Stopping session-115.scope... May 16 17:02:15 x1c systemd[1]: session-c153.scope: Deactivated successfully. May 16 17:02:15 x1c systemd[1]: session-115.scope: Deactivated successfully. May 16 17:02:15 x1c systemd[1]: Stopped session-115.scope. May 16 17:02:15 x1c systemd-logind[1513]: Session c153 logged out. Waiting for processes to exit. May 16 17:02:15 x1c systemd-logind[1513]: Removed session c153. Edit: this seems to also fix #8598. It seems that with the call to ReleaseSession, we wait for the pam session close hooks to finish. I inserted a 'sleep(10)' after the call to ReleaseSession in pam_systemd, and things block on that, nothing is killed prematurely.
- Loading branch information