#include <stdlib.h>
#include <string.h>
#include <errno.h>
+#include <fcntl.h>
+#include <gcrypt.h>
#include "greeter.h"
-#include "ldm-marshal.h"
+#include "configuration.h"
+
+enum {
+ PROP_0,
+ PROP_ACTIVE_USERNAME,
+};
enum {
CONNECTED,
- START_AUTHENTICATION,
+ CREATE_SESSION,
START_SESSION,
LAST_SIGNAL
};
struct GreeterPrivate
{
- /* Session running on */
- Session *session;
+ /* PAM service to authenticate with */
+ gchar *pam_service;
+ gchar *autologin_pam_service;
/* Buffer for data read from greeter */
guint8 *read_buffer;
gsize n_read;
+ gboolean use_secure_memory;
/* Hints for the greeter */
GHashTable *hints;
/* Sequence number of current PAM session */
guint32 authentication_sequence_number;
+ /* Remote session name */
+ gchar *remote_session;
+
+ /* Currently selected user */
+ gchar *active_username;
+
/* PAM session being constructed by the greeter */
- PAMSession *authentication;
+ Session *authentication_session;
+
+ /* TRUE if a user has been authenticated and the session requested to start */
+ gboolean start_session;
/* TRUE if can log into guest accounts */
gboolean allow_guest;
/* Communication channels to communicate with */
GIOChannel *to_greeter_channel;
GIOChannel *from_greeter_channel;
+ guint from_greeter_watch;
};
-G_DEFINE_TYPE (Greeter, greeter, G_TYPE_OBJECT);
+G_DEFINE_TYPE (Greeter, greeter, SESSION_TYPE);
/* Messages from the greeter to the server */
typedef enum
GREETER_MESSAGE_CONTINUE_AUTHENTICATION,
GREETER_MESSAGE_START_SESSION,
GREETER_MESSAGE_CANCEL_AUTHENTICATION,
- GREETER_MESSAGE_SET_LANGUAGE
+ GREETER_MESSAGE_SET_LANGUAGE,
+ GREETER_MESSAGE_AUTHENTICATE_REMOTE
} GreeterMessage;
/* Messages from the server to the greeter */
SERVER_MESSAGE_SESSION_RESULT
} ServerMessage;
+static gboolean read_cb (GIOChannel *source, GIOCondition condition, gpointer data);
+
Greeter *
-greeter_new (Session *session)
+greeter_new (void)
{
- Greeter *greeter = g_object_new (GREETER_TYPE, NULL);
-
- greeter->priv->session = g_object_ref (session);
+ return g_object_new (GREETER_TYPE, NULL);
+}
- return greeter;
+void
+greeter_set_pam_services (Greeter *greeter, const gchar *pam_service, const gchar *autologin_pam_service)
+{
+ g_free (greeter->priv->pam_service);
+ greeter->priv->pam_service = g_strdup (pam_service);
+ g_free (greeter->priv->autologin_pam_service);
+ greeter->priv->autologin_pam_service = g_strdup (autologin_pam_service);
}
void
g_hash_table_insert (greeter->priv->hints, g_strdup (name), g_strdup (value));
}
+static void *
+secure_malloc (Greeter *greeter, size_t n)
+{
+ if (greeter->priv->use_secure_memory)
+ return gcry_malloc_secure (n);
+ else
+ return g_malloc (n);
+}
+
+static void *
+secure_realloc (Greeter *greeter, void *ptr, size_t n)
+{
+ if (greeter->priv->use_secure_memory)
+ return gcry_realloc (ptr, n);
+ else
+ return g_realloc (ptr, n);
+}
+
+static void
+secure_free (Greeter *greeter, void *ptr)
+{
+ if (greeter->priv->use_secure_memory)
+ return gcry_free (ptr);
+ else
+ return g_free (ptr);
+}
+
static guint32
-int_length ()
+int_length (void)
{
return 4;
}
static void
write_message (Greeter *greeter, guint8 *message, gsize message_length)
{
- GIOStatus status;
GError *error = NULL;
- status = g_io_channel_write_chars (greeter->priv->to_greeter_channel, (gchar *) message, message_length, NULL, &error);
+ g_io_channel_write_chars (greeter->priv->to_greeter_channel, (gchar *) message, message_length, NULL, &error);
if (error)
- g_warning ("Error writing to greeter: %s", error->message);
+ l_warning (greeter, "Error writing to greeter: %s", error->message);
g_clear_error (&error);
- if (status == G_IO_STATUS_NORMAL)
- g_debug ("Wrote %zi bytes to greeter", message_length);
g_io_channel_flush (greeter->priv->to_greeter_channel, NULL);
}
GHashTableIter iter;
gpointer key, value;
- g_debug ("Greeter connected version=%s", version);
+ l_debug (greeter, "Greeter connected version=%s", version);
length = string_length (VERSION);
g_hash_table_iter_init (&iter, greeter->priv->hints);
}
static void
-pam_messages_cb (PAMSession *authentication, int num_msg, const struct pam_message **msg, Greeter *greeter)
+pam_messages_cb (Session *session, Greeter *greeter)
{
int i;
guint32 size;
guint8 message[MAX_MESSAGE_LENGTH];
+ const struct pam_message *messages;
+ int messages_length;
gsize offset = 0;
int n_prompts = 0;
+ messages = session_get_messages (session);
+ messages_length = session_get_messages_length (session);
+
/* Respond to d-bus query with messages */
- g_debug ("Prompt greeter with %d message(s)", num_msg);
- size = int_length () + string_length (pam_session_get_username (authentication)) + int_length ();
- for (i = 0; i < num_msg; i++)
- size += int_length () + string_length (msg[i]->msg);
+ l_debug (greeter, "Prompt greeter with %d message(s)", messages_length);
+ size = int_length () + string_length (session_get_username (session)) + int_length ();
+ for (i = 0; i < messages_length; i++)
+ size += int_length () + string_length (messages[i].msg);
write_header (message, MAX_MESSAGE_LENGTH, SERVER_MESSAGE_PROMPT_AUTHENTICATION, size, &offset);
write_int (message, MAX_MESSAGE_LENGTH, greeter->priv->authentication_sequence_number, &offset);
- write_string (message, MAX_MESSAGE_LENGTH, pam_session_get_username (authentication), &offset);
- write_int (message, MAX_MESSAGE_LENGTH, num_msg, &offset);
- for (i = 0; i < num_msg; i++)
+ write_string (message, MAX_MESSAGE_LENGTH, session_get_username (session), &offset);
+ write_int (message, MAX_MESSAGE_LENGTH, messages_length, &offset);
+ for (i = 0; i < messages_length; i++)
{
- write_int (message, MAX_MESSAGE_LENGTH, msg[i]->msg_style, &offset);
- write_string (message, MAX_MESSAGE_LENGTH, msg[i]->msg, &offset);
+ write_int (message, MAX_MESSAGE_LENGTH, messages[i].msg_style, &offset);
+ write_string (message, MAX_MESSAGE_LENGTH, messages[i].msg, &offset);
- if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF || msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
+ if (messages[i].msg_style == PAM_PROMPT_ECHO_OFF || messages[i].msg_style == PAM_PROMPT_ECHO_ON)
n_prompts++;
}
write_message (greeter, message, offset);
if (n_prompts == 0)
{
struct pam_response *response;
- response = calloc (num_msg, sizeof (struct pam_response));
- pam_session_respond (greeter->priv->authentication, response);
+ response = calloc (messages_length, sizeof (struct pam_response));
+ session_respond (greeter->priv->authentication_session, response);
+ free (response);
}
}
}
static void
-authentication_result_cb (PAMSession *authentication, int result, Greeter *greeter)
+authentication_complete_cb (Session *session, Greeter *greeter)
{
- g_debug ("Authenticate result for user %s: %s", pam_session_get_username (authentication), pam_session_strerror (authentication, result));
+ int result;
+
+ l_debug (greeter, "Authenticate result for user %s: %s", session_get_username (session), session_get_authentication_result_string (session));
- if (result == PAM_SUCCESS)
- g_debug ("User %s authorized", pam_session_get_username (authentication));
+ result = session_get_authentication_result (session);
+ if (session_get_is_authenticated (session))
+ {
+ if (session_get_user (session))
+ l_debug (greeter, "User %s authorized", session_get_username (session));
+ else
+ {
+ l_debug (greeter, "User %s authorized, but no account of that name exists", session_get_username (session));
+ result = PAM_USER_UNKNOWN;
+ }
+ }
- send_end_authentication (greeter, greeter->priv->authentication_sequence_number, pam_session_get_username (authentication), result);
+ send_end_authentication (greeter, greeter->priv->authentication_sequence_number, session_get_username (session), result);
}
static void
reset_session (Greeter *greeter)
{
- if (greeter->priv->authentication)
+ g_free (greeter->priv->remote_session);
+ greeter->priv->remote_session = NULL;
+ if (greeter->priv->authentication_session)
{
- g_signal_handlers_disconnect_matched (greeter->priv->authentication, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, greeter);
- pam_session_cancel (greeter->priv->authentication);
- g_object_unref (greeter->priv->authentication);
- greeter->priv->authentication = NULL;
+ g_signal_handlers_disconnect_matched (greeter->priv->authentication_session, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, greeter);
+ session_stop (greeter->priv->authentication_session);
+ g_object_unref (greeter->priv->authentication_session);
+ greeter->priv->authentication_session = NULL;
}
greeter->priv->guest_account_authenticated = FALSE;
static void
handle_login (Greeter *greeter, guint32 sequence_number, const gchar *username)
{
- gboolean result;
- GError *error = NULL;
+ const gchar *autologin_username, *service;
+ gboolean is_interactive;
if (username[0] == '\0')
{
- g_debug ("Greeter start authentication");
+ l_debug (greeter, "Greeter start authentication");
username = NULL;
}
else
- g_debug ("Greeter start authentication for %s", username);
+ l_debug (greeter, "Greeter start authentication for %s", username);
reset_session (greeter);
+ if (greeter->priv->active_username)
+ g_free (greeter->priv->active_username);
+ greeter->priv->active_username = g_strdup (username);
+ g_object_notify (G_OBJECT (greeter), "active-username");
+
greeter->priv->authentication_sequence_number = sequence_number;
- g_signal_emit (greeter, signals[START_AUTHENTICATION], 0, username, &greeter->priv->authentication);
- if (!greeter->priv->authentication)
+ g_signal_emit (greeter, signals[CREATE_SESSION], 0, &greeter->priv->authentication_session);
+ if (!greeter->priv->authentication_session)
{
send_end_authentication (greeter, sequence_number, "", PAM_USER_UNKNOWN);
return;
}
- g_signal_connect (G_OBJECT (greeter->priv->authentication), "got-messages", G_CALLBACK (pam_messages_cb), greeter);
- g_signal_connect (G_OBJECT (greeter->priv->authentication), "authentication-result", G_CALLBACK (authentication_result_cb), greeter);
+ g_signal_connect (G_OBJECT (greeter->priv->authentication_session), "got-messages", G_CALLBACK (pam_messages_cb), greeter);
+ g_signal_connect (G_OBJECT (greeter->priv->authentication_session), "authentication-complete", G_CALLBACK (authentication_complete_cb), greeter);
- pam_session_set_item (greeter->priv->authentication, PAM_TTY,
- session_get_env (greeter->priv->session, "DISPLAY"));
+ /* Use non-interactive service for autologin user */
+ autologin_username = g_hash_table_lookup (greeter->priv->hints, "autologin-user");
+ if (autologin_username != NULL && g_strcmp0 (username, autologin_username) == 0)
+ {
+ service = greeter->priv->autologin_pam_service;
+ is_interactive = FALSE;
+ }
+ else
+ {
+ service = greeter->priv->pam_service;
+ is_interactive = TRUE;
+ }
- result = pam_session_authenticate (greeter->priv->authentication, &error);
- if (error)
- g_debug ("Failed to start authentication: %s", error->message);
- if (!result)
- send_end_authentication (greeter, sequence_number, "", PAM_SYSTEM_ERR);
- g_clear_error (&error);
+ /* Run the session process */
+ session_set_pam_service (greeter->priv->authentication_session, service);
+ session_set_username (greeter->priv->authentication_session, username);
+ session_set_do_authenticate (greeter->priv->authentication_session, TRUE);
+ session_set_is_interactive (greeter->priv->authentication_session, is_interactive);
+ session_start (greeter->priv->authentication_session);
}
static void
handle_login_as_guest (Greeter *greeter, guint32 sequence_number)
{
- g_debug ("Greeter start authentication for guest account");
+ l_debug (greeter, "Greeter start authentication for guest account");
reset_session (greeter);
if (!greeter->priv->allow_guest)
{
- g_debug ("Guest account is disabled");
+ l_debug (greeter, "Guest account is disabled");
send_end_authentication (greeter, sequence_number, "", PAM_USER_UNKNOWN);
return;
}
send_end_authentication (greeter, sequence_number, "", PAM_SUCCESS);
}
+static gchar *
+get_remote_session_service (const gchar *session_name)
+{
+ GKeyFile *session_desktop_file;
+ gboolean result;
+ const gchar *c;
+ gchar *remote_sessions_dir, *filename, *path, *service = NULL;
+ GError *error = NULL;
+
+ /* Validate session name doesn't contain directory separators */
+ for (c = session_name; *c; c++)
+ {
+ if (*c == '/')
+ return NULL;
+ }
+
+ /* Load the session file */
+ session_desktop_file = g_key_file_new ();
+ filename = g_strdup_printf ("%s.desktop", session_name);
+ remote_sessions_dir = config_get_string (config_get_instance (), "LightDM", "remote-sessions-directory");
+ path = g_build_filename (remote_sessions_dir, filename, NULL);
+ g_free (remote_sessions_dir);
+ g_free (filename);
+ result = g_key_file_load_from_file (session_desktop_file, path, G_KEY_FILE_NONE, &error);
+ if (error)
+ g_debug ("Failed to load session file %s: %s", path, error->message);
+ g_free (path);
+ g_clear_error (&error);
+ if (result)
+ service = g_key_file_get_string (session_desktop_file, G_KEY_FILE_DESKTOP_GROUP, "X-LightDM-PAM-Service", NULL);
+ g_key_file_free (session_desktop_file);
+
+ return service;
+}
+
+static void
+handle_login_remote (Greeter *greeter, const gchar *session_name, const gchar *username, guint32 sequence_number)
+{
+ gchar *service;
+
+ if (username[0] == '\0')
+ {
+ l_debug (greeter, "Greeter start authentication for remote session %s", session_name);
+ username = NULL;
+ }
+ else
+ l_debug (greeter, "Greeter start authentication for remote session %s as user %s", session_name, username);
+
+ reset_session (greeter);
+
+ service = get_remote_session_service (session_name);
+ if (!service)
+ {
+ send_end_authentication (greeter, sequence_number, "", PAM_SYSTEM_ERR);
+ return;
+ }
+
+ greeter->priv->authentication_sequence_number = sequence_number;
+ greeter->priv->remote_session = g_strdup (session_name);
+ g_signal_emit (greeter, signals[CREATE_SESSION], 0, &greeter->priv->authentication_session);
+ if (greeter->priv->authentication_session)
+ {
+ g_signal_connect (G_OBJECT (greeter->priv->authentication_session), "got-messages", G_CALLBACK (pam_messages_cb), greeter);
+ g_signal_connect (G_OBJECT (greeter->priv->authentication_session), "authentication-complete", G_CALLBACK (authentication_complete_cb), greeter);
+
+ /* Run the session process */
+ session_set_pam_service (greeter->priv->authentication_session, service);
+ session_set_username (greeter->priv->authentication_session, username);
+ session_set_do_authenticate (greeter->priv->authentication_session, TRUE);
+ session_set_is_interactive (greeter->priv->authentication_session, TRUE);
+ session_set_is_guest (greeter->priv->authentication_session, TRUE);
+ session_start (greeter->priv->authentication_session);
+ }
+
+ g_free (service);
+
+ if (!greeter->priv->authentication_session)
+ {
+ send_end_authentication (greeter, sequence_number, "", PAM_USER_UNKNOWN);
+ return;
+ }
+}
+
static void
handle_continue_authentication (Greeter *greeter, gchar **secrets)
{
- int num_messages;
- const struct pam_message **messages;
+ int messages_length;
+ const struct pam_message *messages;
struct pam_response *response;
int i, j, n_prompts = 0;
/* Not in authentication */
- if (greeter->priv->authentication == NULL)
+ if (greeter->priv->authentication_session == NULL)
return;
- num_messages = pam_session_get_num_messages (greeter->priv->authentication);
- messages = pam_session_get_messages (greeter->priv->authentication);
+ messages_length = session_get_messages_length (greeter->priv->authentication_session);
+ messages = session_get_messages (greeter->priv->authentication_session);
/* Check correct number of responses */
- for (i = 0; i < num_messages; i++)
+ for (i = 0; i < messages_length; i++)
{
- int msg_style = messages[i]->msg_style;
+ int msg_style = messages[i].msg_style;
if (msg_style == PAM_PROMPT_ECHO_OFF || msg_style == PAM_PROMPT_ECHO_ON)
n_prompts++;
}
if (g_strv_length (secrets) != n_prompts)
{
- pam_session_cancel (greeter->priv->authentication);
+ session_respond_error (greeter->priv->authentication_session, PAM_CONV_ERR);
return;
}
- g_debug ("Continue authentication");
+ l_debug (greeter, "Continue authentication");
/* Build response */
- response = calloc (num_messages, sizeof (struct pam_response));
- for (i = 0, j = 0; i < num_messages; i++)
+ response = calloc (messages_length, sizeof (struct pam_response));
+ for (i = 0, j = 0; i < messages_length; i++)
{
- int msg_style = messages[i]->msg_style;
+ int msg_style = messages[i].msg_style;
if (msg_style == PAM_PROMPT_ECHO_OFF || msg_style == PAM_PROMPT_ECHO_ON)
{
- response[i].resp = strdup (secrets[j]); // FIXME: Need to convert from UTF-8
+ size_t secret_length = strlen (secrets[j]) + 1;
+ response[i].resp = secure_malloc (greeter, secret_length);
+ memcpy (response[i].resp, secrets[j], secret_length); // FIXME: Need to convert from UTF-8
j++;
}
}
- pam_session_respond (greeter->priv->authentication, response);
+ session_respond (greeter->priv->authentication_session, response);
+
+ for (i = 0; i < messages_length; i++)
+ secure_free (greeter, response[i].resp);
+ free (response);
}
static void
handle_cancel_authentication (Greeter *greeter)
{
/* Not in authentication */
- if (greeter->priv->authentication == NULL)
+ if (greeter->priv->authentication_session == NULL)
return;
- g_debug ("Cancel authentication");
-
- pam_session_cancel (greeter->priv->authentication);
+ l_debug (greeter, "Cancel authentication");
+ reset_session (greeter);
}
static void
handle_start_session (Greeter *greeter, const gchar *session)
{
gboolean result;
+ guint8 message[MAX_MESSAGE_LENGTH];
+ gsize offset = 0;
+ SessionType session_type = SESSION_TYPE_LOCAL;
if (strcmp (session, "") == 0)
session = NULL;
- if (greeter->priv->guest_account_authenticated || pam_session_get_is_authenticated (greeter->priv->authentication))
+ /* Use session type chosen in remote session */
+ if (greeter->priv->remote_session)
+ {
+ session_type = SESSION_TYPE_REMOTE;
+ session = greeter->priv->remote_session;
+ }
+
+ if (greeter->priv->guest_account_authenticated || session_get_is_authenticated (greeter->priv->authentication_session))
{
if (session)
- g_debug ("Greeter requests session %s", session);
+ l_debug (greeter, "Greeter requests session %s", session);
else
- g_debug ("Greeter requests default session");
- g_signal_emit (greeter, signals[START_SESSION], 0, session, &result);
+ l_debug (greeter, "Greeter requests default session");
+ greeter->priv->start_session = TRUE;
+ g_signal_emit (greeter, signals[START_SESSION], 0, session_type, session, &result);
}
else
{
- g_debug ("Ignoring start session request, user is not authorized");
+ l_debug (greeter, "Ignoring start session request, user is not authorized");
result = FALSE;
}
- if (!result)
- {
- guint8 message[MAX_MESSAGE_LENGTH];
- gsize offset = 0;
-
- write_header (message, MAX_MESSAGE_LENGTH, SERVER_MESSAGE_SESSION_RESULT, int_length (), &offset);
- write_int (message, MAX_MESSAGE_LENGTH, 1, &offset);
- write_message (greeter, message, offset);
- }
+ write_header (message, MAX_MESSAGE_LENGTH, SERVER_MESSAGE_SESSION_RESULT, int_length (), &offset);
+ write_int (message, MAX_MESSAGE_LENGTH, result ? 0 : 1, &offset);
+ write_message (greeter, message, offset);
}
static void
{
User *user;
- if (!greeter->priv->guest_account_authenticated && !pam_session_get_is_authenticated (greeter->priv->authentication))
+ if (!greeter->priv->guest_account_authenticated && !session_get_is_authenticated (greeter->priv->authentication_session))
{
- g_debug ("Ignoring set language request, user is not authorized");
+ l_debug (greeter, "Ignoring set language request, user is not authorized");
return;
}
// FIXME: Could use this
if (greeter->priv->guest_account_authenticated)
{
- g_debug ("Ignoring set language request for guest user");
+ l_debug (greeter, "Ignoring set language request for guest user");
return;
}
- g_debug ("Greeter sets language %s", language);
- user = pam_session_get_user (greeter->priv->authentication);
+ l_debug (greeter, "Greeter sets language %s", language);
+ user = session_get_user (greeter->priv->authentication_session);
user_set_language (user, language);
}
guint8 *buffer;
if (greeter->priv->n_read - *offset < sizeof (guint32))
{
- g_warning ("Not enough space for int, need %zu, got %zu", sizeof (guint32), greeter->priv->n_read - *offset);
+ l_warning (greeter, "Not enough space for int, need %zu, got %zu", sizeof (guint32), greeter->priv->n_read - *offset);
return 0;
}
buffer = greeter->priv->read_buffer + *offset;
return value;
}
+static int
+get_message_length (Greeter *greeter)
+{
+ gsize offset;
+ int payload_length;
+
+ offset = int_length ();
+ payload_length = read_int (greeter, &offset);
+
+ if (HEADER_SIZE + payload_length < HEADER_SIZE)
+ {
+ l_warning (greeter, "Payload length of %u octets too long", payload_length);
+ return HEADER_SIZE;
+ }
+
+ return HEADER_SIZE + payload_length;
+}
+
static gchar *
-read_string (Greeter *greeter, gsize *offset)
+read_string_full (Greeter *greeter, gsize *offset, void* (*alloc_fn)(size_t n))
{
guint32 length;
gchar *value;
length = read_int (greeter, offset);
if (greeter->priv->n_read - *offset < length)
{
- g_warning ("Not enough space for string, need %u, got %zu", length, greeter->priv->n_read - *offset);
+ l_warning (greeter, "Not enough space for string, need %u, got %zu", length, greeter->priv->n_read - *offset);
return g_strdup ("");
}
- value = g_malloc (sizeof (gchar *) * (length + 1));
+ value = (*alloc_fn) (sizeof (gchar *) * (length + 1));
memcpy (value, greeter->priv->read_buffer + *offset, length);
value[length] = '\0';
*offset += length;
return value;
}
+static gchar *
+read_string (Greeter *greeter, gsize *offset)
+{
+ return read_string_full (greeter, offset, g_malloc);
+}
+
+static gchar *
+read_secret (Greeter *greeter, gsize *offset)
+{
+ if (greeter->priv->use_secure_memory)
+ return read_string_full (greeter, offset, gcry_malloc_secure);
+ else
+ return read_string_full (greeter, offset, g_malloc);
+}
+
static gboolean
read_cb (GIOChannel *source, GIOCondition condition, gpointer data)
{
Greeter *greeter = data;
gsize n_to_read, n_read, offset;
GIOStatus status;
- int id, n_secrets, i;
- guint32 sequence_number;
+ int id, i;
+ guint32 sequence_number, n_secrets, max_secrets;
gchar *version, *username, *session_name, *language;
gchar **secrets;
GError *error = NULL;
if (condition == G_IO_HUP)
{
- g_debug ("Greeter closed communication channel");
+ l_debug (greeter, "Greeter closed communication channel");
return FALSE;
}
n_to_read = HEADER_SIZE;
if (greeter->priv->n_read >= HEADER_SIZE)
{
- offset = int_length ();
- n_to_read += read_int (greeter, &offset);
+ n_to_read = get_message_length (greeter);
+ if (n_to_read <= HEADER_SIZE)
+ return FALSE;
}
status = g_io_channel_read_chars (greeter->priv->from_greeter_channel,
&n_read,
&error);
if (error)
- g_warning ("Error reading from greeter: %s", error->message);
+ l_warning (greeter, "Error reading from greeter: %s", error->message);
g_clear_error (&error);
if (status != G_IO_STATUS_NORMAL)
return TRUE;
- g_debug ("Read %zi bytes from greeter", n_read);
- /*for (i = 0; i < n_read; i++)
- g_print ("%02X ", greeter->priv->read_buffer[greeter->priv->n_read+i]);
- g_print ("\n");*/
-
greeter->priv->n_read += n_read;
if (greeter->priv->n_read != n_to_read)
return TRUE;
/* If have header, rerun for content */
if (greeter->priv->n_read == HEADER_SIZE)
{
- gsize offset = int_length ();
- n_to_read = read_int (greeter, &offset);
- if (n_to_read > 0)
+ n_to_read = get_message_length (greeter);
+ if (n_to_read > HEADER_SIZE)
{
- greeter->priv->read_buffer = g_realloc (greeter->priv->read_buffer, HEADER_SIZE + n_to_read);
+ greeter->priv->read_buffer = secure_realloc (greeter, greeter->priv->read_buffer, n_to_read);
read_cb (source, condition, greeter);
return TRUE;
- }
+ }
}
offset = 0;
sequence_number = read_int (greeter, &offset);
handle_login_as_guest (greeter, sequence_number);
break;
+ case GREETER_MESSAGE_AUTHENTICATE_REMOTE:
+ sequence_number = read_int (greeter, &offset);
+ session_name = read_string (greeter, &offset);
+ username = read_string (greeter, &offset);
+ handle_login_remote (greeter, session_name, username, sequence_number);
+ break;
case GREETER_MESSAGE_CONTINUE_AUTHENTICATION:
n_secrets = read_int (greeter, &offset);
+ max_secrets = (G_MAXUINT32 - 1) / sizeof (gchar *);
+ if (n_secrets > max_secrets)
+ {
+ l_warning (greeter, "Array length of %u elements too long", n_secrets);
+ return FALSE;
+ }
secrets = g_malloc (sizeof (gchar *) * (n_secrets + 1));
for (i = 0; i < n_secrets; i++)
- secrets[i] = read_string (greeter, &offset);
+ secrets[i] = read_secret (greeter, &offset);
secrets[i] = NULL;
handle_continue_authentication (greeter, secrets);
- g_strfreev (secrets);
+ for (i = 0; i < n_secrets; i++)
+ secure_free (greeter, secrets[i]);
+ g_free (secrets);
break;
case GREETER_MESSAGE_CANCEL_AUTHENTICATION:
handle_cancel_authentication (greeter);
g_free (language);
break;
default:
- g_warning ("Unknown message from greeter: %d", id);
+ l_warning (greeter, "Unknown message from greeter: %d", id);
break;
}
}
gboolean
-greeter_start (Greeter *greeter)
+greeter_get_guest_authenticated (Greeter *greeter)
+{
+ g_return_val_if_fail (greeter != NULL, FALSE);
+ return greeter->priv->guest_account_authenticated;
+}
+
+Session *
+greeter_get_authentication_session (Greeter *greeter)
{
+ g_return_val_if_fail (greeter != NULL, NULL);
+ return greeter->priv->authentication_session;
+}
+
+gboolean
+greeter_get_start_session (Greeter *greeter)
+{
+ g_return_val_if_fail (greeter != NULL, FALSE);
+ return greeter->priv->start_session;
+}
+
+const gchar *
+greeter_get_active_username (Greeter *greeter)
+{
+ g_return_val_if_fail (greeter != NULL, NULL);
+ return greeter->priv->active_username;
+}
+
+static gboolean
+greeter_start (Session *session)
+{
+ Greeter *greeter = GREETER (session);
int to_greeter_pipe[2], from_greeter_pipe[2];
- gint fd;
+ gboolean result = FALSE;
gchar *value;
- if (pipe (to_greeter_pipe) != 0 ||
- pipe (from_greeter_pipe) != 0)
+ /* Create a pipe to talk with the greeter */
+ if (pipe (to_greeter_pipe) != 0 || pipe (from_greeter_pipe) != 0)
{
- g_warning ("Failed to create pipes: %s", strerror (errno));
+ g_warning ("Failed to create pipes: %s", strerror (errno));
return FALSE;
}
-
greeter->priv->to_greeter_channel = g_io_channel_unix_new (to_greeter_pipe[1]);
g_io_channel_set_encoding (greeter->priv->to_greeter_channel, NULL, NULL);
greeter->priv->from_greeter_channel = g_io_channel_unix_new (from_greeter_pipe[0]);
g_io_channel_set_encoding (greeter->priv->from_greeter_channel, NULL, NULL);
g_io_channel_set_buffered (greeter->priv->from_greeter_channel, FALSE);
- g_io_add_watch (greeter->priv->from_greeter_channel, G_IO_IN | G_IO_HUP, read_cb, greeter);
+ greeter->priv->from_greeter_watch = g_io_add_watch (greeter->priv->from_greeter_channel, G_IO_IN | G_IO_HUP, read_cb, greeter);
- fd = from_greeter_pipe[1];
- value = g_strdup_printf ("%d", fd);
- session_set_env (greeter->priv->session, "LIGHTDM_TO_SERVER_FD", value);
+ /* Let the greeter session know how to communicate with the daemon */
+ value = g_strdup_printf ("%d", from_greeter_pipe[1]);
+ session_set_env (SESSION (greeter), "LIGHTDM_TO_SERVER_FD", value);
g_free (value);
-
- fd = to_greeter_pipe[0];
- value = g_strdup_printf ("%d", fd);
- session_set_env (greeter->priv->session, "LIGHTDM_FROM_SERVER_FD", value);
+ value = g_strdup_printf ("%d", to_greeter_pipe[0]);
+ session_set_env (SESSION (greeter), "LIGHTDM_FROM_SERVER_FD", value);
g_free (value);
- return TRUE;
-}
+ /* Don't allow the daemon end of the pipes to be accessed in child processes */
+ fcntl (to_greeter_pipe[1], F_SETFD, FD_CLOEXEC);
+ fcntl (from_greeter_pipe[0], F_SETFD, FD_CLOEXEC);
-gboolean
-greeter_get_guest_authenticated (Greeter *greeter)
-{
- g_return_val_if_fail (greeter != NULL, FALSE);
- return greeter->priv->guest_account_authenticated;
-}
+ result = SESSION_CLASS (greeter_parent_class)->start (session);
-PAMSession *
-greeter_get_authentication (Greeter *greeter)
-{
- g_return_val_if_fail (greeter != NULL, NULL);
- return greeter->priv->authentication;
-}
+ /* Close the session ends of the pipe */
+ close (to_greeter_pipe[0]);
+ close (from_greeter_pipe[1]);
-void
-greeter_quit (Greeter *greeter)
-{
- guint8 message[MAX_MESSAGE_LENGTH];
- gsize offset = 0;
-
- g_return_if_fail (greeter != NULL);
-
- write_header (message, MAX_MESSAGE_LENGTH, SERVER_MESSAGE_SESSION_RESULT, int_length (), &offset);
- write_int (message, MAX_MESSAGE_LENGTH, 0, &offset);
- write_message (greeter, message, offset);
+ return result;
}
-static PAMSession *
-greeter_real_start_authentication (Greeter *greeter, const gchar *username)
+static Session *
+greeter_real_create_session (Greeter *greeter)
{
return NULL;
}
static gboolean
-greeter_real_start_session (Greeter *greeter, const gchar *session, gboolean is_guest)
+greeter_real_start_session (Greeter *greeter, SessionType type, const gchar *session)
{
return FALSE;
}
+static void
+greeter_stop (Session *session)
+{
+ Greeter *greeter = GREETER (session);
+
+ /* Stop any events occurring after we've stopped */
+ if (greeter->priv->authentication_session)
+ g_signal_handlers_disconnect_matched (greeter->priv->authentication_session, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, greeter);
+
+ SESSION_CLASS (greeter_parent_class)->stop (session);
+}
+
static void
greeter_init (Greeter *greeter)
{
greeter->priv = G_TYPE_INSTANCE_GET_PRIVATE (greeter, GREETER_TYPE, GreeterPrivate);
- greeter->priv->read_buffer = g_malloc (HEADER_SIZE);
+ greeter->priv->read_buffer = secure_malloc (greeter, HEADER_SIZE);
greeter->priv->hints = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, g_free);
+ greeter->priv->use_secure_memory = config_get_boolean (config_get_instance (), "LightDM", "lock-memory");
}
static void
self = GREETER (object);
- g_object_unref (self->priv->session);
- g_free (self->priv->read_buffer);
+ g_free (self->priv->pam_service);
+ g_free (self->priv->autologin_pam_service);
+ secure_free (self, self->priv->read_buffer);
g_hash_table_unref (self->priv->hints);
- if (self->priv->authentication)
+ g_free (self->priv->remote_session);
+ g_free (self->priv->active_username);
+ if (self->priv->authentication_session)
{
- g_signal_handlers_disconnect_matched (self->priv->authentication, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, self);
- pam_session_cancel (self->priv->authentication);
- g_object_unref (self->priv->authentication);
+ g_signal_handlers_disconnect_matched (self->priv->authentication_session, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, self);
+ g_object_unref (self->priv->authentication_session);
}
if (self->priv->to_greeter_channel)
g_io_channel_unref (self->priv->to_greeter_channel);
if (self->priv->from_greeter_channel)
g_io_channel_unref (self->priv->from_greeter_channel);
+ if (self->priv->from_greeter_watch)
+ g_source_remove (self->priv->from_greeter_watch);
G_OBJECT_CLASS (greeter_parent_class)->finalize (object);
}
+static void
+greeter_set_property (GObject *object,
+ guint prop_id,
+ const GValue *value,
+ GParamSpec *pspec)
+{
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+}
+
+static void
+greeter_get_property (GObject *object,
+ guint prop_id,
+ GValue *value,
+ GParamSpec *pspec)
+{
+ Greeter *greeter = GREETER (object);
+
+ switch (prop_id) {
+ case PROP_ACTIVE_USERNAME:
+ g_value_set_string (value, greeter_get_active_username (greeter));
+ break;
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ break;
+ }
+}
+
static void
greeter_class_init (GreeterClass *klass)
{
+ SessionClass *session_class = SESSION_CLASS (klass);
GObjectClass *object_class = G_OBJECT_CLASS (klass);
- klass->start_authentication = greeter_real_start_authentication;
+ klass->create_session = greeter_real_create_session;
klass->start_session = greeter_real_start_session;
+ session_class->start = greeter_start;
+ session_class->stop = greeter_stop;
object_class->finalize = greeter_finalize;
+ object_class->get_property = greeter_get_property;
+ object_class->set_property = greeter_set_property;
signals[CONNECTED] =
g_signal_new ("connected",
G_SIGNAL_RUN_LAST,
G_STRUCT_OFFSET (GreeterClass, connected),
NULL, NULL,
- g_cclosure_marshal_VOID__VOID,
+ NULL,
G_TYPE_NONE, 0);
- signals[START_AUTHENTICATION] =
- g_signal_new ("start-authentication",
+ signals[CREATE_SESSION] =
+ g_signal_new ("create-session",
G_TYPE_FROM_CLASS (klass),
G_SIGNAL_RUN_LAST,
- G_STRUCT_OFFSET (GreeterClass, start_authentication),
+ G_STRUCT_OFFSET (GreeterClass, create_session),
g_signal_accumulator_first_wins,
NULL,
- ldm_marshal_OBJECT__STRING,
- PAM_SESSION_TYPE, 1, G_TYPE_STRING);
+ NULL,
+ SESSION_TYPE, 0);
signals[START_SESSION] =
g_signal_new ("start-session",
G_STRUCT_OFFSET (GreeterClass, start_session),
g_signal_accumulator_true_handled,
NULL,
- ldm_marshal_BOOLEAN__STRING,
- G_TYPE_BOOLEAN, 1, G_TYPE_STRING);
+ NULL,
+ G_TYPE_BOOLEAN, 2, G_TYPE_INT, G_TYPE_STRING);
+
+ g_object_class_install_property (object_class,
+ PROP_ACTIVE_USERNAME,
+ g_param_spec_string ("active-username",
+ "active-username",
+ "Active username",
+ NULL,
+ G_PARAM_READABLE));
g_type_class_add_private (klass, sizeof (GreeterPrivate));
}
projects / sojka / lightdm.git / blobdiff