
greetd: Use additional pam service configurations v1 PROPOSED

Aleksei Bavshin
Aleksei Bavshin: 1
 Use additional pam service configurations

 2 files changed, 30 insertions(+), 4 deletions(-)

[PATCH greetd] Use additional pam service configurations Export this patch

Aleksei Bavshin
Check the existence and attempt to use following configuration files:
  - `greetd-greeter` for greeter sessions
  - `greetd-autologin` for initial session
The fallback is a standard greetd pam service, i.e. `greetd` or `login`

Rationale: proper configurations for different session types can vary in
acceptable modules. Auto-login session is not supposed to include
regular auth substack. Also, modules that depend on the password value
from the system-auth substack may be broken in the autologin session.
Certain modules, such as `pam_selinux`, are actually harmful for an
unprivileged greeter session, as they remove the SELinux security label
from the greeter processes.

The behavior implemented as well as the configuration names are inspired
by the existing display manager implementations.
---
 greetd/src/context.rs | 16 +++++++++++++---
 greetd/src/server.rs  | 18 +++++++++++++++++-
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/greetd/src/context.rs b/greetd/src/context.rs
index 0299ea8..9587e5a 100644
--- a/greetd/src/context.rs
+++ b/greetd/src/context.rs
@@ -37,6 +37,7 @@ pub struct Context {
    inner: RwLock<ContextInner>,
    greeter_bin: String,
    greeter_user: String,
    greeter_service: String,
    pam_service: String,
    term_mode: TerminalMode,
}
@@ -45,6 +46,7 @@ impl Context {
    pub fn new(
        greeter_bin: String,
        greeter_user: String,
        greeter_service: String,
        pam_service: String,
        term_mode: TerminalMode,
    ) -> Context {
@@ -56,6 +58,7 @@ impl Context {
            }),
            greeter_bin,
            greeter_user,
            greeter_service,
            pam_service,
            term_mode,
        }
@@ -68,11 +71,12 @@ impl Context {
        &self,
        class: &str,
        user: &str,
        service: &str,
        cmd: Vec<String>,
    ) -> Result<SessionChild, Error> {
        let mut scheduled_session = Session::new_external()?;
        scheduled_session
            .initiate(&self.pam_service, class, user, false, &self.term_mode)
            .initiate(&service, class, user, false, &self.term_mode)
            .await?;
        loop {
            match scheduled_session.get_state().await {
@@ -93,6 +97,7 @@ impl Context {
        self.start_unauthenticated_session(
            "greeter",
            &self.greeter_user,
            &self.greeter_service,
            vec![self.greeter_bin.to_string()],
        )
        .await
@@ -117,7 +122,12 @@ impl Context {
    }

    /// Directly start an initial session, bypassing the normal scheduling.
    pub async fn start_user_session(&self, user: &str, cmd: Vec<String>) -> Result<(), Error> {
    pub async fn start_user_session(
        &self,
        user: &str,
        service: &str,
        cmd: Vec<String>,
    ) -> Result<(), Error> {
        {
            let inner = self.inner.read().await;
            if inner.current.is_some() {
@@ -128,7 +138,7 @@ impl Context {
        let mut inner = self.inner.write().await;
        inner.current = Some(SessionChildSet {
            child: self
                .start_unauthenticated_session("user", user, cmd)
                .start_unauthenticated_session("user", user, service, cmd)
                .await?,
            time: Instant::now(),
            is_greeter: false,
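Review bot: In the `start_unauthenticated_session` hunk, `.initiate(&service, class, user, false, &self.term_mode)` borrows a parameter that is already `&str`, producing `&&str` that only works through deref coercion (clippy `needless_borrow`); pass it directly as `.initiate(service, class, user, false, &self.term_mode)`. The new `service` parameter on `start_unauthenticated_session` and `start_user_session` is undocumented, and the existing `///` on `start_user_session` could be extended with `/// `service` names the PAM service used to open the session (e.g. the autologin configuration) in place of the context-wide one.` Since `start_unauthenticated_session` no longer reads `self.pam_service`, it is worth confirming the field is still used elsewhere in the file; otherwise it is dead state after this change. Both functions continue outside the hunks.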
diff --git a/greetd/src/server.rs b/greetd/src/server.rs
index e734eea..8545225 100644
--- a/greetd/src/server.rs
+++ b/greetd/src/server.rs
@@ -197,6 +197,18 @@ pub async fn main(config: Config) -> Result<(), Error> {
        return Err("PAM 'greetd' service missing".into());
    };

    let greeter_service = if Path::new("/etc/pam.d/greetd-greeter").exists() {
        "greetd-greeter"
    } else {
        service
    };

    let autologin_service = if Path::new("/etc/pam.d/greetd-autologin").exists() {
        "greetd-autologin"
    } else {
        service
    };

    let u = users::get_user_by_name(&config.file.default_session.user).ok_or(format!(
        "configured default session user '{}' not found",
        &config.file.default_session.user
@@ -212,12 +224,16 @@ pub async fn main(config: Config) -> Result<(), Error> {
    let ctx = Rc::new(Context::new(
        config.file.default_session.command,
        config.file.default_session.user,
        greeter_service.to_string(),
        service.to_string(),
        term_mode.clone(),
    ));

    if let Some(s) = config.file.initial_session {
        if let Err(e) = ctx.start_user_session(&s.user, vec![s.command]).await {
        if let Err(e) = ctx
            .start_user_session(&s.user, autologin_service, vec![s.command])
            .await
        {
            eprintln!("unable to start greeter: {}", e);
            reset_vt(&term_mode).map_err(|e| format!("unable to reset VT: {}", e))?;

-- 
2.26.2
builds.sr.ht
greetd/patches: FAILED in 2m46s

[Use additional pam service configurations][0] from [Aleksei Bavshin][1]

[0]: https://lists.sr.ht/~kennylevinsen/greetd/patches/13991
[1]: mailto:alebastr89@gmail.com

✓ #305705 SUCCESS greetd/patches/alpine.yml    https://builds.sr.ht/~kennylevinsen/job/305705
✗ #305706 FAILED  greetd/patches/archlinux.yml https://builds.sr.ht/~kennylevinsen/job/305706