Page MenuHomeFreeBSD
Differential D44011

pam: Add pam_xdg module
ClosedPublic
Actions

Authored by manu on Feb 21 2024, 2:55 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, May 31, 9:08 AM
Unknown Object (File)
Thu, May 30, 11:07 PM
Unknown Object (File)
Thu, May 30, 3:02 AM
Unknown Object (File)
Sat, May 25, 8:34 PM
Unknown Object (File)
Fri, May 24, 8:07 AM
Unknown Object (File)
Thu, May 23, 3:17 PM
Unknown Object (File)
Thu, May 23, 9:32 AM
Unknown Object (File)
Thu, May 23, 9:32 AM
View All 54 Files
Subscribers
agh_riseup.net
arrowd
imp
jbeich
pauamma_gundo.com

Details

Reviewers
des
pauamma_gundo.com
Group Reviewers
x11
manpages
Commits
rG155779894faa: pam: Add pam_xdg module
rG6e69612d5df1: pam: Add pam_xdg module
Summary

This is a module to setup the XDG directories and environment variables.
For now the only usage is to have a XDG_RUNTIME_DIR environment setup at
user login.
All other environment variable have a default fallback so no need to export
them in this module.
The directory is created according to the XDG Base directory specification.

The default base directory is /var/run/xdg/<username> but can be configured
using the runtime_dir=<dir> module option.

According to the spec the directory *must* not survive a reboot so adding
var_run_enable="YES" to rc.conf is highly recommanded.

Sponsored by: Beckhoff Automation GmbH & Co. KG

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
des added a reviewer: manpages.Feb 21 2024, 8:29 PM
des added inline comments.
lib/libpam/modules/pam_xdg/pam_xdg.8
2

Please add SPDX tags as per https://docs.freebsd.org/en/articles/license-guide/

40

.Pa

lib/libpam/modules/pam_xdg/pam_xdg.c
29

not needed

64

please use openpam_get_option(3)

74

space

110

where is this freed?

183

please use openpam_get_option(3)

193

space

244

runtime_dir_prefix is not freed

264

You don't need these dummy methods, just #define PAM_SM_SESSION before including the PAM headers.

des requested changes to this revision.Feb 21 2024, 8:29 PM
This revision now requires changes to proceed.Feb 21 2024, 8:29 PM
manu updated this revision to Diff 134825.Feb 22 2024, 5:47 AM

Address some of des@ comments.

Harbormaster completed remote builds in B56166: Diff 134825.Feb 22 2024, 5:47 AM
manu marked 7 inline comments as done.Feb 22 2024, 5:47 AM
manu added inline comments.
lib/libpam/modules/pam_xdg/pam_xdg.8
40

.Pa where ?

lib/libpam/modules/pam_xdg/pam_xdg.c
74

Space where ?

193

Space where ?

manu updated this revision to Diff 134838.Feb 22 2024, 10:46 AM

Add a few comments and close a few fd

Harbormaster completed remote builds in B56168: Diff 134838.Feb 22 2024, 10:47 AM
des added inline comments.Feb 22 2024, 5:14 PM
lib/libpam/modules/pam_xdg/pam_xdg.8
42
lib/libpam/modules/pam_xdg/pam_xdg.c
72
196
manu updated this revision to Diff 134848.Feb 22 2024, 5:52 PM

Address latest des@ comments.

Harbormaster completed remote builds in B56171: Diff 134848.Feb 22 2024, 5:52 PM
des added inline comments.Feb 22 2024, 6:08 PM
lib/libpam/modules/pam_xdg/pam_xdg.c
62
63
127
137
139
186
187
223
230
249
251
des added a comment.Feb 22 2024, 6:13 PM

I also just noticed that you never check if asprintf() failed.

lib/libpam/modules/pam_xdg/pam_xdg.c
104

Should we remove the directory we just created if fchownat() fails?

196

This is never used, maybe either drop it or use it to confirm that the directory belongs to the correct user before attempting to remove it?

manu marked 8 inline comments as done.Feb 22 2024, 6:14 PM
manu added inline comments.
lib/libpam/modules/pam_xdg/pam_xdg.c
127

openat return the fd, and it will not be zero.

manu marked an inline comment as done.Feb 22 2024, 6:15 PM
manu added inline comments.
lib/libpam/modules/pam_xdg/pam_xdg.c
62

Why ?

pauamma_gundo.com added a subscriber: pauamma_gundo.com.Feb 23 2024, 1:39 AM
pauamma_gundo.com added inline comments.
lib/libpam/modules/pam_xdg/pam_xdg.8
39
agh_riseup.net added a subscriber: agh_riseup.net.Feb 23 2024, 1:53 AM
manu updated this revision to Diff 134874.Feb 23 2024, 6:30 AM

setup -> sets up

Harbormaster completed remote builds in B56184: Diff 134874.Feb 23 2024, 6:30 AM
manu marked 3 inline comments as done.Feb 23 2024, 6:30 AM
des added inline comments.Feb 23 2024, 11:46 AM
lib/libpam/modules/pam_xdg/pam_xdg.c
62

Because 0 is a valid file descriptor.

127

It can be zero if stdin somehow gets closed, we've had CVEs in the past for things like this.

manu updated this revision to Diff 134881.Feb 23 2024, 12:06 PM

Address des@ comments.

Harbormaster completed remote builds in B56185: Diff 134881.Feb 23 2024, 12:06 PM
manu marked 11 inline comments as done.Feb 23 2024, 12:06 PM
des added inline comments.Feb 23 2024, 4:37 PM
lib/libpam/modules/pam_xdg/pam_xdg.c
196

This is never used, maybe either drop it or use it to confirm that the directory belongs to the correct user before attempting to remove it?

you haven't addressed this

des added a comment.Feb 23 2024, 4:40 PM

I'm not sure the logic in _pam_xdg_close() is correct. You seem to always close the last session, right? So if I initiate session A and then initiate session B and then log out of session A it will remove the user directory that was created for, and is potentially being used by, session B, which is still active, while leaving the user directory that was used by session A and is now unused in place.

manu added a comment.Feb 23 2024, 6:24 PM
In D44011#1004814, @des wrote:

I'm not sure the logic in _pam_xdg_close() is correct. You seem to always close the last session, right? So if I initiate session A and then initiate session B and then log out of session A it will remove the user directory that was created for, and is potentially being used by, session B, which is still active, while leaving the user directory that was used by session A and is now unused in place.

No because the sessions aren't tied to a real session, this is just a count.
So :

  • user login -> xdg_session.0 is created
  • user login again -> xdg_session.1 is created
  • 1st session close -> xdg_session.1 is deleted
  • 2nd session close -> xdg_session.0 is delete and the user session directory.
lib/libpam/modules/pam_xdg/pam_xdg.c
196

Phab is so bad that I have no idea to which line this comment correspond.

manu updated this revision to Diff 134914.Feb 24 2024, 6:43 AM

Check already existing directory for ownership and mode.

Harbormaster completed remote builds in B56201: Diff 134914.Feb 24 2024, 6:44 AM
manu updated this revision to Diff 134915.Feb 24 2024, 7:00 AM

also check directory ownership and mode at close

Harbormaster completed remote builds in B56202: Diff 134915.Feb 24 2024, 7:00 AM
manu marked an inline comment as done.Feb 24 2024, 7:00 AM
manu updated this revision to Diff 134916.Feb 24 2024, 7:01 AM

style(9)

Harbormaster completed remote builds in B56203: Diff 134916.Feb 24 2024, 7:01 AM
des added inline comments.Feb 24 2024, 12:24 PM
lib/libpam/modules/pam_xdg/pam_xdg.c
113

fstatat() could fail (consider for instance a race between two sessions for the same user closing at the exact same time because their network connection got dropped)

pauamma_gundo.com accepted this revision.Feb 25 2024, 12:17 AM

Manual page LGTM.

manu updated this revision to Diff 134985.Feb 25 2024, 6:21 PM

check fstatat return value

Harbormaster completed remote builds in B56234: Diff 134985.Feb 25 2024, 6:21 PM
manu updated this revision to Diff 134986.Feb 25 2024, 6:23 PM

check other fstatat

Harbormaster completed remote builds in B56235: Diff 134986.Feb 25 2024, 6:23 PM
manu marked an inline comment as done.Feb 25 2024, 6:23 PM
des accepted this revision.Feb 26 2024, 5:15 PM
This revision is now accepted and ready to land.Feb 26 2024, 5:15 PM
Closed by commit rG6e69612d5df1: pam: Add pam_xdg module (authored by manu). · Explain WhyFeb 26 2024, 5:36 PM
This revision was automatically updated to reflect the committed changes.
manu added a commit: rG6e69612d5df1: pam: Add pam_xdg module.
jbeich added a subscriber: jbeich.Feb 28 2024, 3:17 PM

Is the module name clash with sysutils/pam_xdg intentional? It creates a POLA violation on upgrade: /var/run/user/<uid> moves to /var/run/xdg/<uname>.

arrowd added a subscriber: arrowd.Feb 28 2024, 4:43 PM

Sorry for being late to the party, but what's the point in

  1. Rewriting it, since we have sysutils/pam_xdg?
  2. Having it in base instead of port?
manu added a comment.Feb 28 2024, 6:15 PM
In D44011#1006994, @jbeich wrote:

Is the module name clash with sysutils/pam_xdg intentional? It creates a POLA violation on upgrade: /var/run/user/<uid> moves to /var/run/xdg/<uname>.

It's not really POLA on the directory as it's solved by a reboot, one cannot say the same thing about modules argument.

manu added a comment.Feb 28 2024, 6:17 PM
In D44011#1007029, @arrowd wrote:

Sorry for being late to the party, but what's the point in

  1. Rewriting it, since we have sysutils/pam_xdg?
  2. Having it in base instead of port?

Because I believe that any user should be able to install FreeBSD, pkg install sway drm-kmod, kldload <kmod> and start sway without having anything else to do.
On the rewrite while it's true that we could have import it to base, I find the code really hard to read with all the defines and wanted something simpler.

arrowd added a comment.Feb 28 2024, 8:17 PM

pkg install sway drm-kmod

At this point, the drm-kmod package could pull in the pam_xdg package. Until we move to pkgbase, the base updates are slow. An user usually have to wait for a new release to get the updated piece of base.

I find the code really hard to read with all the defines and wanted something simpler.

Maybe it could've been solved upstream.

Anyways, it is already committed, so let's see how it works out.

manu added a commit: rG155779894faa: pam: Add pam_xdg module.Apr 11 2024, 1:25 PM

Revision Contents
Changeset List

PathSize
lib/
libpam/
modules/
1 line
pam_xdg/
6 lines
56 lines
311 lines

Diff 135018

View Options

lib/libpam/modules/modules.inc

Loading...
View Options

lib/libpam/modules/pam_xdg/Makefile

Loading...
View Options

lib/libpam/modules/pam_xdg/pam_xdg.8

Loading...
View Options

lib/libpam/modules/pam_xdg/pam_xdg.c

Loading...