:: Re: [DNG] libpam-xdg-support / libp…
トップ ページ
このメッセージを削除
このメッセージに返信
著者: Isaac Dunham
日付:  
To: tilt!
CC: dng
題目: Re: [DNG] libpam-xdg-support / libpam-systemd
On Fri, Sep 11, 2015 at 11:23:38AM +0200, tilt! wrote:
> Unadressed remains the lifecycle of $XDG_RUNTIME_DIR, specifically:
>
> * When is $XDG_RUNTIME_PREFIX created?
>
> If $XDG_RUNTIME_PREFIX hosts every user's runtime directory,
> it may not be created with ownership of the user, so to do
> this alone:
>
>      # as user:

>
>      mkdir -p -m 700 "$XDG_RUNTIME_DIR" # wrong!

>
> is the wrong approach, the prefix has to be created owned by
> root, readable by all, and subdirectories have to be created
> owned by user, read/writeable for user only.
>
>      # as root:

>
>      mkdir -p -m 755 "$XDG_RUNTIME_PREFIX"

>
> Currently my best guess is that this should be performed
> at system startup.


Yes.

> * When is $XDG_RUNTIME_DIR created?
>
> If the prefix is created like described above, it requires
> root permissions to create the per-user directory:
>
>     # as root:

>
>     # let $uid be the user ID of the affected user;
>     # let $xdg:runtime_dir be the requested runtime directory:

>
>     if ! test -d "$xdg_runtime_dir" ; then
>        mkdir -p -m 700 "$xdg_runtime_dir"
>        chown $uid:$(id -g $uid) "$xdg_runtime_dir"
>     fi

>
> Currently my best guess is that this should be performed
> everytime the user starts an X session (it's an X thing
> after all, right), but Xsession.d is executed as the
> user, not root. Changing into the user ID is a thing of
> the display manager, there's no general way to hook in.
> Remains PAM. Probably.


PAM would probably work well.

If I were implementing it (note: I'm the sort of guy who doesn't use
PAM, or logind, or policykit...), I'd use a setuid helper that will
construct a path based on a fixed prefix, the user ID, and optionally
a six-character random string (ie, the "-n" option appends _XXXXXX and
calls mktemp).
It will then create this directory, change the owner and permissions,
and print it to stdout, so that you could do:
XDG_RUNTIME_DIR=`mkxdgrt -n`
if you want a new session.
This helper would be called from the login or X startup scripts.

Alternately, you could theoretically create a new mount namespace for
each user (at login, check if there are any processes with the target
uid, and if so join their namespace).
If you created a new namespace, mount some sort of RAM-backed filesystem
with a size limit at XDG_RUNTIME_DIR; its contents will go away with the
last user process.

> * When is $XDG_RUNTIME_DIR deleted?
>
> If the per-user runtime directory is created as i described
> above, user permissions suffice to delete it, so it was
> sufficent to
>
>     # as user:

>
>     rm -rf "$XDG_RUNTIME_DIR"

>
> Unfortunately i am in the dark over what it means that a
> user has "fully logged out". Does it mean that no processes
> run with the user's identity anymore? That the user has no
> X session running? That the user has no PAM session running?
> And, if any of these mean that the user has "fully logged
> out", how to hook into such an event and perform the code
> suggested above?


Officially, when the last process owned by the user exits.
(This is the main advantage of the mount-namespace based approach.)
In practice, *I* would be fine with "at shutdown, and make sure it's
gone at boot."

HTH,
Isaac Dunham