test

.github/workflows/cla-check.yaml

@@ -2,6 +2,14 @@ name: cla-check
 on: [pull_request_target]
 
 jobs:
+  capture-payload:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Catch Payload
+        shell: bash
+        run: |
+          jq '.' "$GITHUB_EVENT_PATH"
+          env | sort
   cla-check:
     runs-on: ubuntu-latest
     steps:

debian/lightdm-failure-handler.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Handle LightDM failure
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mv /etc/issue /etc/issue.restore; /bin/sh -c 'echo -e "LightDM has failed to start. You are now in a TTY for troubleshooting...\nYou can log in and check for details in logs." > /etc/issue; /usr/bin/chvt 4'
+
+[Install]
+WantedBy=multi-user.target

debian/lightdm-success-handler.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Reset /etc/issue after LightDM starts successfully
+Requires=lightdm.service
+After=lightdm.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c 'test -f /etc/issue.restore && mv /etc/issue.restore /etc/issue || echo "File /etc/issue.restore not found. No restore action needed."'
+
+[Install]
+WantedBy=graphical.target

debian/lightdm.service

@@ -3,11 +3,16 @@ Description=Light Display Manager
 Documentation=man:lightdm(1)
 [email protected] plymouth-quit.service
 After=systemd-user-sessions.service [email protected] plymouth-quit.service systemd-hostnamed.service
+StartLimitIntervalSec=60s
+StartLimitBurst=5
+OnFailure=lightdm-failure-handler.service
+
 
 [Service]
 # temporary safety check until all DMs are converted to correct
 # display-manager.service symlink handling
 ExecStartPre=/bin/sh -c '[ "$(basename $(cat /etc/X11/default-display-manager 2>/dev/null))" = "lightdm" ]'
 ExecStart=/usr/sbin/lightdm
 Restart=always
+RestartSec=5s
 BusName=org.freedesktop.DisplayManager

src/lightdm.c

@@ -424,9 +424,11 @@ add_login1_seat (Login1Seat *login1_seat)
         set_seat_properties (seat, seat_name);
 
         gboolean can_multi_session = login1_seat_get_can_multi_session (login1_seat);
+        gboolean can_tty = login1_seat_get_can_tty (login1_seat);
         if (!can_multi_session)
             g_debug ("Seat %s has property CanMultiSession=no", seat_name);
         seat_set_supports_multi_session (seat, can_multi_session);
+        seat_set_can_tty (seat, can_tty);
 
         if (is_seat0)
             seat_set_property (seat, "exit-on-failure", "true");

src/login1.c

@@ -67,6 +67,9 @@ typedef struct
 
     /* TRUE if can do session switching */
     gboolean can_multi_session;
+
+    /* TRUE if seat has TTYs */
+    gboolean can_tty;
 } Login1SeatPrivate;
 
 G_DEFINE_TYPE_WITH_PRIVATE (Login1Service, login1_service, G_TYPE_OBJECT)
@@ -199,6 +202,8 @@ add_seat (Login1Service *service, const gchar *id, const gchar *path)
                 s_priv->can_graphical = g_variant_get_boolean (value);
             else if (strcmp (name, "CanMultiSession") == 0 && g_variant_is_of_type (value, G_VARIANT_TYPE_BOOLEAN))
                 s_priv->can_multi_session = g_variant_get_boolean (value);
+            else if (strcmp (name, "CanTTY") == 0 && g_variant_is_of_type (value, G_VARIANT_TYPE_BOOLEAN))
+                s_priv->can_tty = g_variant_get_boolean (value);
         }
     }
 
@@ -519,6 +524,14 @@ login1_seat_get_can_multi_session (Login1Seat *seat)
     return priv->can_multi_session;
 }
 
+gboolean
+login1_seat_get_can_tty (Login1Seat *seat)
+{
+    Login1SeatPrivate *priv = login1_seat_get_instance_private (seat);
+    g_return_val_if_fail (seat != NULL, FALSE);
+    return priv->can_tty;
+}
+
 static void
 login1_seat_init (Login1Seat *seat)
 {

src/login1.h

@@ -80,6 +80,8 @@ gboolean login1_seat_get_can_graphical (Login1Seat *seat);
 
 gboolean login1_seat_get_can_multi_session (Login1Seat *seat);
 
+gboolean login1_seat_get_can_tty (Login1Seat *seat);
+
 G_END_DECLS
 
 #endif /* _LOGIN1_H_ */

src/seat-local.c

@@ -120,7 +120,7 @@ display_server_transition_plymouth_cb (DisplayServer *display_server, Seat *seat
 static gint
 get_vt (SeatLocal *seat, DisplayServer *display_server)
 {
-    if (strcmp (seat_get_name (SEAT (seat)), "seat0") != 0)
+    if (strcmp (seat_get_name (SEAT (seat)), "seat0") != 0 || !seat_get_can_tty ( SEAT (seat)))
         return -1;
 
     /* If Plymouth is running, stop it */
@@ -270,7 +270,7 @@ seat_local_get_active_session (Seat *seat)
      * FIXME: Use seat_get_expected_active_session even for seat0, falling back
      * to VT probing if the systemd-logind service is unavailable.
      */
-    if (strcmp (seat_get_name (seat), "seat0") != 0)
+    if (strcmp (seat_get_name (seat), "seat0") != 0 || !seat_get_can_tty (seat))
         return seat_get_expected_active_session (seat);
 
     gint vt = vt_get_active ();

src/seat.c

@@ -39,6 +39,9 @@ typedef struct
     /* TRUE if this seat can run multiple sessions at once */
     gboolean supports_multi_session;
 
+    /* TRUE if this seat has TTYs */
+    gboolean can_tty;
+
     /* TRUE if display server can be shared for sessions */
     gboolean share_display_server;
 
@@ -207,6 +210,14 @@ seat_set_share_display_server (Seat *seat, gboolean share_display_server)
     priv->share_display_server = share_display_server;
 }
 
+void
+seat_set_can_tty (Seat *seat, gboolean can_tty)
+{
+    SeatPrivate *priv = seat_get_instance_private (seat);
+    g_return_if_fail (seat != NULL);
+    priv->can_tty = can_tty;
+}
+
 gboolean
 seat_start (Seat *seat)
 {
@@ -357,6 +368,14 @@ seat_get_can_switch (Seat *seat)
     return seat_get_boolean_property (seat, "allow-user-switching") && priv->supports_multi_session;
 }
 
+gboolean
+seat_get_can_tty (Seat *seat)
+{
+    SeatPrivate *priv = seat_get_instance_private (seat);
+    g_return_val_if_fail (seat != NULL, FALSE);
+    return priv->can_tty;
+}
+
 gboolean
 seat_get_allow_guest (Seat *seat)
 {
@@ -365,7 +384,7 @@ seat_get_allow_guest (Seat *seat)
 }
 
 static gboolean
-run_script (Seat *seat, DisplayServer *display_server, const gchar *script_name, User *user)
+run_script (Seat *seat, DisplayServer *display_server, const gchar *script_name, User *user, const gchar *home_directory)
 {
     g_autoptr(Process) script = process_new (NULL, NULL);
 
@@ -392,7 +411,7 @@ run_script (Seat *seat, DisplayServer *display_server, const gchar *script_name,
     {
         process_set_env (script, "USER", user_get_name (user));
         process_set_env (script, "LOGNAME", user_get_name (user));
-        process_set_env (script, "HOME", user_get_home_directory (user));
+        process_set_env (script, "HOME", home_directory ? home_directory : user_get_home_directory (user));
     }
     else
         process_set_env (script, "HOME", "/");
@@ -457,7 +476,7 @@ display_server_stopped_cb (DisplayServer *display_server, Seat *seat)
     /* Run a script right after stopping the display server */
     const gchar *script = seat_get_string_property (seat, "display-stopped-script");
     if (script)
-        run_script (seat, NULL, script, NULL);
+        run_script (seat, NULL, script, NULL, NULL);
 
     g_signal_handlers_disconnect_matched (display_server, G_SIGNAL_MATCH_DATA, 0, 0, NULL, NULL, seat);
     priv->display_servers = g_list_remove (priv->display_servers, display_server);
@@ -654,7 +673,7 @@ run_session (Seat *seat, Session *session)
         script = seat_get_string_property (seat, "greeter-setup-script");
     else
         script = seat_get_string_property (seat, "session-setup-script");
-    if (script && !run_script (seat, session_get_display_server (session), script, session_get_user (session)))
+    if (script && !run_script (seat, session_get_display_server (session), script, session_get_user (session), session_get_home_directory (session)))
     {
         l_debug (seat, "Switching to greeter due to failed setup script");
         switch_to_greeter_from_failed_session (seat, session);
@@ -778,7 +797,7 @@ session_stopped_cb (Session *session, Seat *seat)
     {
         const gchar *script = seat_get_string_property (seat, "session-cleanup-script");
         if (script)
-            run_script (seat, display_server, script, session_get_user (session));
+            run_script (seat, display_server, script, session_get_user (session), session_get_home_directory (session));
     }
 
     if (priv->stopping)
@@ -1324,7 +1343,7 @@ display_server_ready_cb (DisplayServer *display_server, Seat *seat)
 {
     /* Run setup script */
     const gchar *script = seat_get_string_property (seat, "display-setup-script");
-    if (script && !run_script (seat, display_server, script, NULL))
+    if (script && !run_script (seat, display_server, script, NULL, NULL))
     {
         l_debug (seat, "Stopping display server due to failed setup script");
         display_server_stop (display_server);

src/seat.h

@@ -83,6 +83,8 @@ void seat_set_supports_multi_session (Seat *seat, gboolean supports_multi_sessio
 
 void seat_set_share_display_server (Seat *seat, gboolean share_display_server);
 
+void seat_set_can_tty (Seat *seat, gboolean can_tty);
+
 gboolean seat_start (Seat *seat);
 
 GList *seat_get_sessions (Seat *seat);
@@ -101,6 +103,8 @@ Session *seat_find_session_by_login1_id (Seat *seat, const gchar *login1_session
 
 gboolean seat_get_can_switch (Seat *seat);
 
+gboolean seat_get_can_tty (Seat *seat);
+
 gboolean seat_get_allow_guest (Seat *seat);
 
 gboolean seat_get_greeter_allow_guest (Seat *seat);

src/session-child.c

@@ -541,6 +541,14 @@ session_child_run (int argc, char **argv)
         return EXIT_FAILURE;
     }
 
+    /* try to get HOME from PAM since it might have been changed */
+    const gchar *home_directory = pam_getenv (pam_handle, "HOME");
+    if (!home_directory) {
+        home_directory = user_get_home_directory (user);
+    }
+    if (version >= 4)
+        write_string (home_directory);
+
     /* Open a connection to the system bus for ConsoleKit - we must keep it open or CK will close the session */
     g_autoptr(GError) error = NULL;
     g_autoptr(GDBusConnection) bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
@@ -605,6 +613,11 @@ session_child_run (int argc, char **argv)
     /* Write X authority */
     if (x_authority)
     {
+        if (!g_path_is_absolute (x_authority_filename)) {
+            gchar *x_authority_filename_new = g_build_filename (home_directory, x_authority_filename, NULL);
+            g_free (x_authority_filename);
+            x_authority_filename = x_authority_filename_new;
+        }
         gboolean drop_privileges = geteuid () == 0;
         if (drop_privileges)
             privileges_drop (user_get_uid (user), user_get_gid (user));
@@ -632,7 +645,6 @@ session_child_run (int argc, char **argv)
     /* Run the command as the authenticated user */
     uid_t uid = user_get_uid (user);
     gid_t gid = user_get_gid (user);
-    const gchar *home_directory = user_get_home_directory (user);
     child_pid = fork ();
     if (child_pid == 0)
     {
@@ -677,8 +689,10 @@ session_child_run (int argc, char **argv)
         /* NOTE: This must be done after the permissions are changed because NFS filesystems can
          * be setup so the local root user accesses the NFS files as 'nobody'.  If the home directories
          * are not system readable then the chdir can fail */
-        if (chdir (home_directory) != 0)
+        if (chdir (home_directory) != 0) {
+            g_printerr ("chdir: %s\n", strerror (errno));
             _exit (errno);
+        }
 
         if (log_filename)
         {

src/session.c

@@ -59,6 +59,9 @@ typedef struct
     /* User to authenticate as */
     gchar *username;
 
+    /* Home directory of the authenticating user */
+    gchar *home_directory;
+
     /* TRUE if is a guest account */
     gboolean is_guest;
 
@@ -644,7 +647,7 @@ session_real_start (Session *session)
     close (from_child_input);
 
     /* Indicate what version of the protocol we are using */
-    int version = 3;
+    int version = 4;
     write_data (session, &version, sizeof (version));
 
     /* Send configuration */
@@ -671,6 +674,14 @@ session_get_username (Session *session)
     return priv->username;
 }
 
+const gchar *
+session_get_home_directory (Session *session)
+{
+    SessionPrivate *priv = session_get_instance_private (session);
+    g_return_val_if_fail (session != NULL, NULL);
+    return priv->home_directory;
+}
+
 const gchar *
 session_get_login1_session_id (Session *session)
 {
@@ -812,7 +823,7 @@ session_real_run (Session *session)
         x_authority_filename = g_build_filename (dir, "xauthority", NULL);
     }
     else
-        x_authority_filename = g_build_filename (user_get_home_directory (session_get_user (session)), ".Xauthority", NULL);
+        x_authority_filename = g_strdup (".Xauthority");
 
     /* Make sure shared user directory for this user exists */
     if (!priv->remote_host_name)
@@ -863,6 +874,14 @@ session_real_run (Session *session)
     for (gsize i = 0; i < argc; i++)
         write_string (session, priv->argv[i]);
 
+    /* Get the home directory of the user currently being authenticated (may change after opening PAM session) */
+    g_autofree gchar *home_directory = read_string_from_child (session);
+    if (g_strcmp0 (home_directory, priv->home_directory) != 0)
+    {
+        g_free (priv->home_directory);
+        priv->home_directory = g_steal_pointer (&home_directory);
+    }
+
     priv->login1_session_id = read_string_from_child (session);
     priv->console_kit_cookie = read_string_from_child (session);
 }
@@ -1005,6 +1024,7 @@ session_finalize (GObject *object)
     if (priv->child_watch)
         g_source_remove (priv->child_watch);
     g_clear_pointer (&priv->username, g_free);
+    g_clear_pointer (&priv->home_directory, g_free);
     g_clear_object (&priv->user);
     g_clear_pointer (&priv->pam_service, g_free);
     for (size_t i = 0; i < priv->messages_length; i++)

src/session.h

@@ -118,6 +118,8 @@ gboolean session_get_is_started (Session *session);
 
 const gchar *session_get_username (Session *session);
 
+const gchar *session_get_home_directory (Session *session);
+
 const gchar *session_get_login1_session_id (Session *session);
 
 const gchar *session_get_console_kit_cookie (Session *session);