Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-15 Thread Lennart Poettering
On Mon, 05.05.14 20:33, dedede gfgfgf trtrtrtrtrtr (s.kabano...@mail.ru) wrote:

  Hello.

 During my testing of systemd pam sessions I discovered that session
 processes are not deleted automatically when I specify
 KillUserProcesses=yes in latest versions of systemd. Investigations
 showed that since in pam_systemd.so we started to dup() fifo
 descriptor problem appeared. Dup does not set O_CLOEXEC flag. So after
 fork/exec all child processes have that descriptor and when parent
 which open pam session dies, child processes continue to run.

Thanks for the pointer!

Fixed in git!

Thanks!

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-12 Thread dedede gfgfgf trtrtrtrtrtr



Fri, 09 May 2014 11:07:45 + from Colin Walters walt...@verbum.org:


On Mon, May 5, 2014 at 6:48 AM, dedede gfgfgf trtrtrtrtrtr 
 s.kabano...@mail.ru  wrote:
 Investigations showed that since in pam module we started to dup fifo 
 descriptor problem appeared. Dup does not set O_CLOEXEC flag. So 
 after fork/exec
 all children processes have that descriptor and when parent which 
 open pam session dies, children processes continue to run.

I think you should change your login program to close unnecessary FDs 
before executing children. 



 
Hello Colin.
  I am speaking about descriptors in systemd pam module. Application 
  which use pam can not control it. Because of:
  session_fd = dup(session_fd);

  in pam-module.c we have now descriptor which does not have O_CLOEXEC
  set. So it will not be closed automatically during exec of children processes
  and because of this logind will not know that process which opened pam 
  session exited.

 Sergei




Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-12 Thread David Herrmann
Hi

On Mon, May 12, 2014 at 1:27 PM, dedede gfgfgf trtrtrtrtrtr
s.kabano...@mail.ru wrote:
   Hello Colin.
   I am speaking about descriptors in systemd pam module. Application
   which use pam can not control it. Because of:
   session_fd = dup(session_fd);

   in pam-module.c we have now descriptor which does not have O_CLOEXEC
   set. So it will not be closed automatically during exec of children processes
   and because of this logind will not know that process which opened pam
   session exited.

This behavior is intentional. This way we can track the main processes
of the session and get notified when they died. You should be able to
close the session by using pam_close_session().

Thanks
David


Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-12 Thread Sergei Kabanov



Mon, 12 May 2014 13:41:03 +0200 from David Herrmann dh.herrm...@gmail.com:
Hi

On Mon, May 12, 2014 at 1:27 PM, dedede gfgfgf trtrtrtrtrtr
 s.kabano...@mail.ru  wrote:
   Hello Colin.
   I am speaking about descriptors in systemd pam module. Application
   which use pam can not control it. Because of:
   session_fd = dup(session_fd);

   in pam-module.c we have now descriptor which does not have O_CLOEXEC
   set. So it will not be closed automatically during exec of children processes
   and because of this logind will not know that process which opened pam
   session exited.

This behavior is intentional. This way we can track the main processes
of the session and get notified when they died. You should be able to
close the session by using pam_close_session().

Thanks
David

Hello
But all children will have that descriptor open. So when parent process will
die logind will not be notified.


-- 
Sergei Kabanov


Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-12 Thread David Herrmann
Hi

On Mon, May 12, 2014 at 1:49 PM, Sergei Kabanov s.kabano...@mail.ru wrote:
 Hello
 But all children will have that descriptor open. So when parent process will
 die logind will not be notified.

And? That's intentional. If you want to close the session if the main
process dies, use something like /bin/login does: call
pam_close_session() on SIGCHLD.

Note that if we set O_CLOEXEC, then the exec() after the pam-dance
will immediately close the FIFO, thus also close the session. So we
cannot set O_CLOEXEC. So please call pam_close_session() to notify
systemd about session-deaths, or use something like this:

for i in /proc/self/fd/* ; do close($i); done

to close all file-descriptors before you exec(). But this is really
just a nasty hack.

Thanks
David
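
The descriptor behaviour this thread turns on, as an added example (not code from systemd or from any poster): `dup()` drops `FD_CLOEXEC`, `fcntl(F_DUPFD_CLOEXEC)` sets it, and a reader only sees hang-up once every inherited copy of the write end is closed. A pipe stands in for the logind session FIFO, and all function names are illustrative.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not systemd code; a pipe stands in for the FIFO.
 * Reports whether descriptor d carries FD_CLOEXEC, then closes it. */
static int cloexec_then_close(int d) {
    if (d < 0) return -1;
    int set = (fcntl(d, F_GETFD) & FD_CLOEXEC) != 0;
    close(d);
    return set;
}
int cloexec_after_dup(int fd) { return cloexec_then_close(dup(fd)); }
int cloexec_after_dupfd_cloexec(int fd) {
    return cloexec_then_close(fcntl(fd, F_DUPFD_CLOEXEC, 0));
}

/* Reader = logind side. The opener forks a child, then closes its own write
 * end ("dies"). child_keeps_fd=1: child inherited the fd (plain dup() case);
 * 0: fd closed in the child, as exec() does for a close-on-exec descriptor.
 * Returns 1 if the reader gets hang-up within 500 ms, else 0. */
int reader_sees_hangup(int child_keeps_fd) {
    int p[2];
    pid_t pid;
    if (pipe(p) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        close(p[0]);
        if (!child_keeps_fd) close(p[1]);
        for (;;) pause();                 /* long-running session process */
    }
    close(p[1]);                          /* session opener goes away */
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    int hup = poll(&pfd, 1, 500) == 1 && (pfd.revents & POLLHUP) != 0;
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(p[0]);
    return hup;
}

int main(void) {
    printf("dup: %d, F_DUPFD_CLOEXEC: %d\n", cloexec_after_dup(1), cloexec_after_dupfd_cloexec(1));
    printf("child keeps fd: hangup=%d\n", reader_sees_hangup(1));
    printf("child lost fd:  hangup=%d\n", reader_sees_hangup(0));
    return 0;
}
```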


Re: [systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-09 Thread Colin Walters



On Mon, May 5, 2014 at 6:48 AM, dedede gfgfgf trtrtrtrtrtr 
s.kabano...@mail.ru wrote:
Investigations showed that since in pam module we started to dup fifo 
descriptor problem appeared. Dup does not set O_CLOEXEC flag. So 
after fork/exec
all children processes have that descriptor and when parent which 
open pam session dies, children processes continue to run.


I think you should change your login program to close unnecessary FDs 
before executing children. 






[systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-05 Thread dedede gfgfgf trtrtrtrtrtr
 Hello.
During my testing of systemd pam sessions I discovered that pam session is not 
closed automatically when I specify KillUserProcesses=yes in latest versions.
Investigations showed that since in pam module we started to dup fifo 
descriptor problem appeared. Dup does not set O_CLOEXEC flag. So after fork/exec
all children processes have that descriptor and when parent which open pam 
session dies, children processes continue to run.

Sergei.



[systemd-devel] systemd pam and O_CLOEXEC problem

2014-05-05 Thread dedede gfgfgf trtrtrtrtrtr
 Hello.
During my testing of systemd pam sessions I discovered that session processes 
are not deleted automatically when I specify KillUserProcesses=yes in latest 
versions of systemd.
Investigations showed that since in pam_systemd.so we started to dup() fifo 
descriptor problem appeared. Dup does not set O_CLOEXEC flag. So after fork/exec
all child processes have that descriptor and when parent which open pam session 
dies, child processes continue to run.

Sergei.