Merge branch 'main' into wallentx/lightdm-failsafe-handler

canonical · Jan 24, 2024 · 9cf9914 · 9cf9914
2 parents f3fbf19 + de36065
commit 9cf9914
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 16 deletions.
diff --git a/configure.ac b/configure.ac
@@ -48,7 +48,7 @@ AC_CHECK_HEADERS(security/pam_appl.h, [], AC_MSG_ERROR(PAM not found))
 
 AC_CHECK_HEADERS(gcrypt.h, [], AC_MSG_ERROR(libgcrypt not found))
 
-AC_CHECK_FUNCS(setresgid setresuid clearenv __getgroups_chk)
+AC_CHECK_FUNCS(setresgid setresuid setusercontext clearenv __getgroups_chk)
 
 PKG_CHECK_MODULES(LIGHTDM, [
     glib-2.0 >= 2.44

diff --git a/debian/lightdm.service b/debian/lightdm.service
@@ -2,11 +2,12 @@
 Description=Light Display Manager
 Documentation=man:lightdm(1)
 Conflicts[email protected] plymouth-quit.service
-After=systemd-user-sessions.service [email protected] plymouth-quit.service
+After=systemd-user-sessions.service [email protected] plymouth-quit.service systemd-hostnamed.service
 StartLimitIntervalSec=60s
 StartLimitBurst=5
 OnFailure=lightdm-failure-handler.service
 
+
 [Service]
 # temporary safety check until all DMs are converted to correct
 # display-manager.service symlink handling

diff --git a/src/session-child.c b/src/session-child.c
@@ -16,6 +16,9 @@
 #include <utmp.h>
 #include <utmpx.h>
 #include <sys/mman.h>
+#if HAVE_SETUSERCONTEXT
+#include <login_cap.h>
+#endif
 
 #if HAVE_LIBAUDIT
 #include <libaudit.h>
@@ -637,6 +640,29 @@ session_child_run (int argc, char **argv)
         if (setsid () < 0)
             _exit (errno);
 
+#if HAVE_SETUSERCONTEXT
+        /* Setup user context
+        * Reset the current environment to what is in the PAM context,
+        * then setusercontext will add to it as necessary as there is no
+        * option for setusercontext to add to a PAM context.
+        */
+        extern char **environ;
+        environ = pam_getenvlist (pam_handle);
+        struct passwd* pwd = getpwnam (username);
+        if (pwd) {
+            if (setusercontext (NULL, pwd, pwd->pw_uid, LOGIN_SETALL) < 0) {
+                int _errno = errno;
+                fprintf(stderr, "setusercontext for \"%s\" (%d) failed: %s\n",
+                    username, user_get_uid (user), strerror (errno));
+                _exit (_errno);
+            }
+            endpwent();
+        } else {
+            fprintf (stderr, "getpwname for \"%s\" failed: %s\n",
+                username, strerror (errno));
+            _exit (ENOENT);
+        }
+#else
         /* Change to this user */
         if (getuid () == 0)
         {
@@ -646,7 +672,7 @@ session_child_run (int argc, char **argv)
             if (setuid (uid) != 0)
                 _exit (errno);
         }
-
+#endif
         /* Change working directory */
         /* NOTE: This must be done after the permissions are changed because NFS filesystems can
          * be setup so the local root user accesses the NFS files as 'nobody'.  If the home directories
@@ -668,7 +694,13 @@ session_child_run (int argc, char **argv)
         signal (SIGPIPE, SIG_DFL);
 
         /* Run the command */
-        execve (command_argv[0], command_argv, pam_getenvlist (pam_handle));
+        execve (command_argv[0], command_argv,
+#if HAVE_SETUSERCONTEXT
+            environ
+#else
+            pam_getenvlist (pam_handle)
+#endif
+        );
         _exit (EXIT_FAILURE);
     }
 

diff --git a/src/vnc-server.c b/src/vnc-server.c
@@ -126,18 +126,10 @@ vnc_server_start (VNCServer *server)
 
     g_return_val_if_fail (server != NULL, FALSE);
 
-    g_autoptr(GError) ipv4_error = NULL;
-    priv->socket = open_tcp_socket (G_SOCKET_FAMILY_IPV4, priv->port, priv->listen_address, &ipv4_error);
-    if (ipv4_error)
-        g_warning ("Failed to create IPv4 VNC socket: %s", ipv4_error->message);
-
-    if (priv->socket)
-    {
-        GSource *source = g_socket_create_source (priv->socket, G_IO_IN, NULL);
-        g_source_set_callback (source, (GSourceFunc) read_cb, server, NULL);
-        g_source_attach (source, NULL);
-    }
-
+    // Bind to IPv6 first, as this implies binding to 0.0.0.0 in the
+    // Linux kernel default configuration, which would otherwise cause
+    // IPv6 clients to fail with "Error binding to address [::]:5900:
+    // Address already in use" (#266).
     g_autoptr(GError) ipv6_error = NULL;
     priv->socket6 = open_tcp_socket (G_SOCKET_FAMILY_IPV6, priv->port, priv->listen_address, &ipv6_error);
     if (ipv6_error)
@@ -150,6 +142,18 @@ vnc_server_start (VNCServer *server)
         g_source_attach (source, NULL);
     }
 
+    g_autoptr(GError) ipv4_error = NULL;
+    priv->socket = open_tcp_socket (G_SOCKET_FAMILY_IPV4, priv->port, priv->listen_address, &ipv4_error);
+    if (ipv4_error)
+        g_warning ("Failed to create IPv4 VNC socket: %s", ipv4_error->message);
+
+    if (priv->socket)
+    {
+        GSource *source = g_socket_create_source (priv->socket, G_IO_IN, NULL);
+        g_source_set_callback (source, (GSourceFunc) read_cb, server, NULL);
+        g_source_attach (source, NULL);
+    }
+
     if (!priv->socket && !priv->socket6)
         return FALSE;
 

diff --git a/src/wayland-session.c b/src/wayland-session.c
@@ -65,6 +65,10 @@ wayland_session_connect_session (DisplayServer *display_server, Session *session
     {
         g_autofree gchar *value = g_strdup_printf ("%d", priv->vt);
         session_set_env (session, "XDG_VTNR", value);
+
+        g_autofree gchar *tty_text = NULL;
+        tty_text = g_strdup_printf("/dev/tty/%d",priv->vt);
+        session_set_tty(session,tty_text);
     }
 }