[PATCH greetd v2] Use additional pam service config for greeter
Check the existence and attempt to use `greetd-greeter` pam service file
for greeter sessions. The fallback is a standard greetd pam service,
i.e. `greetd` or `login`.
Rationale: proper configurations for different session types can vary in
acceptable modules. Certain modules like `pam_selinux` are actually
harmful for an unprivileged greeter session as it removes the SELinux
security label from the greeter processes.
---
Autologin service config is dropped in v2 patch as greetd already skips
pam_authenticate for the initial session and there's no reason to
provide a separate pam service to achieve that.
greetd/src/context.rs | 9 +++++++--
greetd/src/server.rs | 7 +++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/greetd/src/context.rs b/greetd/src/context.rs
index 0299ea8..42067dc 100644
--- a/greetd/src/context.rs
+++ b/greetd/src/context.rs
@@ -37,6 +37,7 @@ pub struct Context {
inner: RwLock<ContextInner>,
greeter_bin: String,
greeter_user: String,
+ greeter_service: String,
pam_service: String,
term_mode: TerminalMode,
}
@@ -45,6 +46,7 @@ impl Context {
pub fn new(
greeter_bin: String,
greeter_user: String,
+ greeter_service: String,
pam_service: String,
term_mode: TerminalMode,
) -> Context {
@@ -56,6 +58,7 @@ impl Context {
}),
greeter_bin,
greeter_user,
+ greeter_service,
pam_service,
term_mode,
}
@@ -68,11 +71,12 @@ impl Context {
&self,
class: &str,
user: &str,
+ service: &str,
cmd: Vec<String>,
) -> Result<SessionChild, Error> {
let mut scheduled_session = Session::new_external()?;
scheduled_session
- .initiate(&self.pam_service, class, user, false, &self.term_mode)
+ .initiate(&service, class, user, false, &self.term_mode)
.await?;
loop {
match scheduled_session.get_state().await {
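Review bot: in the `.initiate(&service, class, user, false, &self.term_mode)` call, `service` is already a `&str` parameter, so `&service` passes a `&&str` that only works through auto-deref; pass `service` directly. The function now takes three adjacent `&str` arguments (`class`, `user`, `service`) that the compiler cannot tell apart, so a short doc comment on `start_unauthenticated_session` stating that `service` is the PAM service name would help callers.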
@@ -93,6 +97,7 @@ impl Context {
self.start_unauthenticated_session(
"greeter",
&self.greeter_user,
+ &self.greeter_service,
vec![self.greeter_bin.to_string()],
)
.await
@@ -128,7 +133,7 @@ impl Context {
let mut inner = self.inner.write().await;
inner.current = Some(SessionChildSet {
child: self
- .start_unauthenticated_session("user", user, cmd)
+ .start_unauthenticated_session("user", user, &self.pam_service, cmd)
.await?,
time: Instant::now(),
is_greeter: false,
diff --git a/greetd/src/server.rs b/greetd/src/server.rs
index e734eea..45e9a0d 100644
--- a/greetd/src/server.rs
+++ b/greetd/src/server.rs
@@ -197,6 +197,12 @@ pub async fn main(config: Config) -> Result<(), Error> {
return Err("PAM 'greetd' service missing".into());
};
+ let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() {
+ "greetd-greeter"
+ } else {
+ service
+ };
+
let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!(
"configured default session user '{}' not found",
&config.file.default_session.user
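Review bot: the `Path::new("/etc/pam.d/greetd-greeter").exists()` check falls back to `service` silently, so on a system without the new file the greeter keeps running under the general stack, which is the case the commit message describes as harmful when that stack includes `pam_selinux`. Log which service was selected for the greeter at startup so an administrator can see whether the dedicated stack is in use, and document the new `greetd-greeter` file; the diffstat touches only `context.rs` and `server.rs`. The existence check also runs once here and is not repeated when the greeter session is opened later, so a file added or removed after startup is not reflected in `greeter_service`.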
@@ -212,6 +218,7 @@ pub async fn main(config: Config) -> Result<(), Error> {
let ctx = Rc::new(Context::new(
config.file.default_session.command,
config.file.default_session.user,
+ greeter_service.to_string(),
service.to_string(),
term_mode.clone(),
));
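Review bot: `greeter_service.to_string()` and `service.to_string()` are passed as adjacent positional `String` arguments, and `Context::new` declares `greeter_service` and `pam_service` with the same type, so a swapped order compiles cleanly and would run the greeter under the general stack and the initial user session under the greeter stack. A comment at this call site naming each argument, or grouping the two service names in a small struct with named fields, would make a mix-up visible in review.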
--
2.26.2
greetd/patches: FAILED in 2m40s
[Use additional pam service config for greeter][0] v2 from [Aleksei Bavshin][1]
[0]: https://lists.sr.ht/~kennylevinsen/greetd/patches/13995
[1]: mailto:alebastr89@gmail.com
✗ #305747 FAILED greetd/patches/archlinux.yml https://builds.sr.ht/~kennylevinsen/job/305747
✓ #305746 SUCCESS greetd/patches/alpine.yml https://builds.sr.ht/~kennylevinsen/job/305746
Applied, thanks!