If systemd.runtime_max_sec is already set, don't extend it.
Multiple modules may want to set a session time limit (e.g., pam_time).  If
there is already a limit set and it's lower than the one we would set, leave
it alone.
vorlonofportland committed Apr 17, 2023
1 parent d61f9f1 commit 90fec17
Showing 2 changed files with 24 additions and 13 deletions.
35 changes: 23 additions & 12 deletions pam_session_timelimit.c
@@ -27,6 +27,7 @@
#include <string.h>
#include <syslog.h>
#include <sys/file.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
@@ -512,11 +513,11 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *handle,
int argc, const char **argv)
{
const char *path = NULL, *statepath = NULL, *username = NULL;
char *runtime_max_sec = NULL;
char *current_limit = NULL, *runtime_max_sec = NULL;
char **user_table;
unsigned int i;
int retval;
usec_t timeval = 0, used_time = 0;
usec_t timeval = 0, old_timeval = 0, used_time = 0;

for (; argc-- > 0; ++argv) {
if (strncmp(*argv, "path=", strlen("path=")) == 0)
@@ -586,18 +587,28 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *handle,

timeval -= used_time;

runtime_max_sec = malloc(FORMAT_TIMESPAN_MAX);
if (!format_timespan(runtime_max_sec, FORMAT_TIMESPAN_MAX, timeval,
USEC_PER_SEC)) {
free((void *)runtime_max_sec);
return PAM_PERM_DENIED;
pam_get_data(handle, "systemd.runtime_max_sec",
(const void **)&current_limit);
if (current_limit) {
retval = parse_time(current_limit, &old_timeval, USEC_PER_SEC);
timeval = MIN(old_timeval, timeval);
}

retval = pam_set_data(handle, "systemd.runtime_max_sec",
(void *)runtime_max_sec, cleanup);
if (retval != PAM_SUCCESS) {
free((void *)runtime_max_sec);
retval = PAM_PERM_DENIED;
if (timeval != old_timeval) {
runtime_max_sec = malloc(FORMAT_TIMESPAN_MAX);
if (!format_timespan(runtime_max_sec, FORMAT_TIMESPAN_MAX,
timeval, USEC_PER_SEC))
{
free((void *)runtime_max_sec);
return PAM_PERM_DENIED;
}

retval = pam_set_data(handle, "systemd.runtime_max_sec",
(void *)runtime_max_sec, cleanup);
if (retval != PAM_SUCCESS) {
free((void *)runtime_max_sec);
retval = PAM_PERM_DENIED;
}
}

return retval;
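Review bot: In the third hunk the result of `parse_time(current_limit, &old_timeval, USEC_PER_SEC)` is stored in `retval` but never tested. If the value another module left in `systemd.runtime_max_sec` does not parse and `old_timeval` keeps its initial 0, `MIN()` clamps `timeval` to 0, the `timeval != old_timeval` block is skipped, and the function returns parse_time's own result without ever applying this module's limit, so the time limit may fail open depending on how the PAM stack treats that value. The rest of the hunk fails closed with `PAM_PERM_DENIED`, so I would do the same right after the call: `if (retval != 0) return PAM_PERM_DENIED;` (assuming parse_time returns 0 on success; its definition is outside this diff). Separately, `malloc(FORMAT_TIMESPAN_MAX)` is still handed to `format_timespan()` without a NULL check. The body of pam_sm_acct_mgmt starts and ends outside these hunks.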
2 changes: 1 addition & 1 deletion tests/tests.c
@@ -460,7 +460,7 @@ static void close_session_updates_state() {
CU_ASSERT(*pamh.start_time >= time(NULL)-60);

CU_ASSERT_FATAL(close_session(&pamh, 0, 1, &arg) == PAM_SUCCESS);
CU_ASSERT(pamh.get_data_calls == 3);
CU_ASSERT(pamh.get_data_calls == 4);
CU_ASSERT(stat("data/state", &statbuf) == 0);
}

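Review bot: Only the expected `pamh.get_data_calls` count changes here, from 3 to 4, and the diffstat shows no other line added to tests/tests.c, so the new branch in pam_sm_acct_mgmt has no test of its own. I would add cases that pre-load `systemd.runtime_max_sec` in the mock handle with a lower value (expect it left untouched), a higher value (expect it replaced by this module's limit), and an unparseable string (expect a defined PAM error rather than a silent skip). The body of close_session_updates_state starts outside the hunk.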
