Add support for changing the home directory in PAM modules
PAM modules such as pam_mklocaluser may change or even create the home
directory. Currently, LightDM assumes that the home directory will not change
when opening the PAM session; the user's home directory is obtained via
getpwent() after authentication but before opening the session. Fix this by
trying to update the user's home directory from the HOME environment variable
from PAM after opening the session.

Furthermore, if the Xauthority file is not stored in a system directory, the
daemon hardcodes its path to the user's home directory and passes it as an
absolute path to the session child. Fix this by passing it as a relative path
so that the actual path can be constructed after the PAM session has been
opened and the home directory has potentially been updated.
Guido Berhoerster committed Sep 21, 2023
1 parent 1ade713 commit a100b78
Showing 2 changed files with 15 additions and 3 deletions.
16 changes: 14 additions & 2 deletions src/session-child.c
Expand Up @@ -599,9 +599,20 @@ session_child_run (int argc, char **argv)
}
}

/* try to get HOME from PAM since it might have been changed */
const gchar *home_directory = pam_getenv (pam_handle, "HOME");
if (!home_directory) {
home_directory = user_get_home_directory (user);
}

/* Write X authority */
if (x_authority)
{
if (!g_path_is_absolute (x_authority_filename)) {
gchar *x_authority_filename_new = g_build_filename (home_directory, x_authority_filename, NULL);
g_free (x_authority_filename);
x_authority_filename = x_authority_filename_new;
}
gboolean drop_privileges = geteuid () == 0;
if (drop_privileges)
privileges_drop (user_get_uid (user), user_get_gid (user));
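Review bot: the HOME value returned by pam_getenv () is used unchecked when the Xauthority path is built with g_build_filename (home_directory, x_authority_filename, NULL). An empty or relative value set by a PAM module would make the resulting path depend on the current working directory. Consider checking it with g_path_is_absolute () and falling back to user_get_home_directory (user) when the check fails. Style: the new if blocks put the opening brace on the same line, while the surrounding code (if (x_authority) followed by { on its own line) does not.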
Expand Down Expand Up @@ -629,7 +640,6 @@ session_child_run (int argc, char **argv)
/* Run the command as the authenticated user */
uid_t uid = user_get_uid (user);
gid_t gid = user_get_gid (user);
const gchar *home_directory = user_get_home_directory (user);
child_pid = fork ();
if (child_pid == 0)
{
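Review bot: with the declaration just before fork () removed, the child relies on the home_directory pointer assigned earlier from pam_getenv (), which refers to storage owned by pam_handle and must not be freed by the caller. Taking a g_strdup () copy at the point of assignment would keep the value stable regardless of later changes to the PAM environment, and a short comment at the earlier declaration noting that it also feeds the chdir () in the child would help readers follow the longer scope.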
Expand All @@ -651,8 +661,10 @@ session_child_run (int argc, char **argv)
/* NOTE: This must be done after the permissions are changed because NFS filesystems can
* be setup so the local root user accesses the NFS files as 'nobody'. If the home directories
* are not system readable then the chdir can fail */
if (chdir (home_directory) != 0)
if (chdir (home_directory) != 0) {
g_printerr ("chdir: %s\n", strerror (errno));
_exit (errno);
}

if (log_filename)
{
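Review bot: in the new chdir () failure branch, _exit (errno) reads errno after g_printerr () has run, and that call may itself change errno, so the exit status may not reflect the chdir () failure. Save errno in a local before printing, or exit with a fixed non-zero status. Including home_directory in the message would also make the failure easier to diagnose, since the path can now come from PAM rather than from the passwd entry.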
2 changes: 1 addition & 1 deletion src/session.c
Expand Up @@ -812,7 +812,7 @@ session_real_run (Session *session)
x_authority_filename = g_build_filename (dir, "xauthority", NULL);
}
else
x_authority_filename = g_build_filename (user_get_home_directory (session_get_user (session)), ".Xauthority", NULL);
x_authority_filename = g_strdup (".Xauthority");

/* Make sure shared user directory for this user exists */
if (!priv->remote_host_name)
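Review bot: x_authority_filename in the else branch now holds the bare relative name ".Xauthority", but nothing here documents that a relative value means "relative to the home directory resolved in the session child". Add a comment stating that contract, and check that no other code in session.c still treats this variable as a usable path, since a relative name would then resolve against the daemon's working directory.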