Run PAM code inside session process

Bug #881466 reported by Robert Ancell
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Light Display Manager | Fix Released | Medium | Unassigned |
lightdm (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Medium | Unassigned |

Bug Description

Currently PAM code is run inside the main lightdm daemon process. This means that buggy PAM modules can crash lightdm (see bug 829221). We should change the architecture to run the PAM code inside the session processes before launching the user session.

Changed in lightdm (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Wolfgang Bumiller (sp2-blub) wrote :

Related to this could also be the problem that capabilities gained via pam_cap.so are dropped when logging in via lightdm.
I haven't yet filed a separate bug for this, and I think it won't be necessary if this is going to fix it. I'll see when this is changed.

Gunnar Hjalmarsson (gunnarhj) wrote :

Robert,
Wry's comment called my attention to this bug, and I can't help thinking of a functionality aspect that I mentioned in an email message a few weeks ago; please see the SetLanguage_call.txt attachment.

From my POV things would better happen in this order:
1. Lock up home if encrypted (which I suspect is the same thing as launching the user session - or maybe it isn't?)
2. Call SetLanguage in the case of a language chooser
3. Run PAM

Damjan Georgievski (gdamjan) wrote :

Also related to this, the way lightdm does PAM is problematic with SystemD.

I'm starting lightdm as a service from SystemD but as soon as I login, my session is killed.

From auth.log I can see that I did successfully log in, but the session is killed immediately:
auth.log:Feb 23 23:43:04 localhost lightdm: pam_unix(lightdm:session): session closed for user lightdm
auth.log:Feb 23 23:43:04 localhost lightdm: pam_unix(lightdm:session): session opened for user damjan by (uid=0)
auth.log:Feb 23 23:43:04 localhost lightdm: pam_unix(lightdm:session): session closed for user damjan

Also attached is lightdm.log.

I've asked on the systemd irc channel, their suggestion is that "it opens the pam session before forking, which is wrong, since systemd-logind will think the greeter itself is the session's controlling process, so it will kill the session when the greeter exits ... pam_open_session should be called from the new process, not from the daemon"
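
The process layout discussed in this report, as an added example that is not lightdm's code and not part of any comment above: the daemon forks first and the child runs the PAM stack, so a crashing module kills only the child and the session is opened under the child's pid. `good_stack` and `buggy_stack` are hypothetical stand-ins for the real PAM calls (`pam_authenticate`, `pam_open_session`), used so the example runs without libpam.

```c
/* Added example, not lightdm source: fork first, run the PAM stack in the child. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-ins for the pam_authenticate()/pam_open_session() calls. */
typedef int (*pam_stack_fn)(void);
static int good_stack(void)  { return 0; }           /* stack succeeds */
static int buggy_stack(void) { abort(); return 0; }  /* a module crashes */

struct session_result {
    int   crashed;  /* 1 if the session child died on a signal */
    int   status;   /* signal number if crashed, else exit code */
    pid_t opener;   /* pid that opened the session; 0 if none was opened */
};

static int run_session(pam_stack_fn stack, struct session_result *out)
{
    int fds[2], st;
    if (pipe(fds) != 0) return -1;
    pid_t child = fork();
    if (child < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (child == 0) {                     /* session child */
        close(fds[0]);
        if (stack() != 0) _exit(1);       /* a crash here kills only this process */
        pid_t me = getpid();              /* pid a session tracker would associate */
        if (write(fds[1], &me, sizeof me) != (ssize_t)sizeof me) _exit(2);
        _exit(0);                         /* real code would now launch the user session */
    }
    close(fds[1]);                        /* daemon side: never runs the stack itself */
    if (read(fds[0], &out->opener, sizeof out->opener) != (ssize_t)sizeof out->opener)
        out->opener = 0;                  /* child died before opening a session */
    close(fds[0]);
    if (waitpid(child, &st, 0) != child) return -1;
    out->crashed = WIFSIGNALED(st) ? 1 : 0;
    out->status  = out->crashed ? WTERMSIG(st) : WEXITSTATUS(st);
    return 0;
}

int main(void)
{
    struct session_result ok, bad;
    if (run_session(good_stack, &ok) != 0 || run_session(buggy_stack, &bad) != 0) return 1;
    printf("daemon pid %d, session opened by pid %d\n", (int)getpid(), (int)ok.opener);
    printf("buggy stack: crashed=%d signal=%d, daemon still running\n", bad.crashed, bad.status);
    return 0;
}
```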

Robert Ancell (robert-ancell) wrote :

Fixed in 1.1.4

Changed in lightdm:
status: Triaged → Fix Committed
Changed in lightdm (Ubuntu Precise):
status: Triaged → Fix Committed
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.4-0ubuntu1

---------------
lightdm (1.1.4-0ubuntu1) precise; urgency=low

  * New upstream release.
    - Change session directory once user permissions are set so it works
      on NFS filesystems that don't allow root to access files. (LP: #877766)
    - Restructure session code so the PAM authentication is run in its
      own process. (LP: #881466)
    - Set PAM_XDISPLAY and PAM_XAUTHDATA pam items (LP: #862559)
    - Don't send session stdout to .xsession-errors
    - Fix Qt bindings crash when removing a user
 -- Robert Ancell <email address hidden> Thu, 01 Mar 2012 20:54:07 +1100

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released