The (currently very crude) script only runs once on each login and logout and does the following:
On login:
- Possibly create a /run/session/${USER} directory.
- Possibly start the user supervision tree (from S6/s6-rc or OpenRC, or
anything but itself).
- If it does not exist, create a file named after the login type (e.g. sshd) at /run/session/${USER}/${LOGIN_TYPE}.
- Write a line (any content, but just one line) to /run/session/${USER}/${LOGIN_TYPE}.
- If the line count in /run/session/${USER}/${LOGIN_TYPE} is 1, start the bundle corresponding to ${LOGIN_TYPE} e.g. sshd.
- Otherwise, do not do anything.
On logout:
- Delete 1 line from /run/session/${USER}/${LOGIN_TYPE}.
- If all files in sum have 0 lines, stop all user services.
- Otherwise, do not do anything.
The script can be easily adapted to e.g. stop only the corresponding
"${LOGIN_TYPE} bundle" once /run/session/${USER}/${LOGIN_TYPE} reaches 0
lines.
It is supposed to be executed by "pam_exec.so".It currently expects a s6-rc user-tree to be running as well as /run/session/${USER} to exist, but it can be easily adapted to prepare both by itself.
Part of the initial idea I got from Jan Braun, here: https://skarnet.org/lists/supervision/3132.html.
Here is the (seriously, very crude) script:
#!/bin/execlineb
multisubstitute
{
importas -Si PAM_SERVICE
importas -Si PAM_USER
importas -Si PAM_TYPE
define SESSIONDIR /run/session
}
define XDG_RUNTIME_DIR /run/user/${PAM_USER}
s6-setuidgid ${PAM_USER}
case ${PAM_TYPE}
{
open_session
{
foreground { redirfd -a 1
${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} echo "" }
backtick -ED 0 COUNTER { grep -c ^
${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
ifelse { test ${COUNTER} -eq 1 }
{
s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc start ${PAM_SERVICE}
}
exit
}
close_session
{
foreground { sed -i $d ${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
elglob SESSIONS ${SESSIONDIR}/${PAM_USER}/*
backtick -ED 0 COUNTER { pipeline { cat ${SESSIONS} } grep -c ^ }
foreground { redirfd -w 1 /home/Nanderty/g6log echo ${COUNTER} }
ifelse { test ${COUNTER} -eq 0 }
{
s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc stop alllogins
}
exit
}
}
I currently see the following things this approach allows, that
Turnstile does not:
- Differentiation between different login methods- Autostart of user services at boot time, no matter the login state (not directly enabled by the script, but possible, since the user service tree is up whatsoever).
(Check these mails for reasons to have the two possibilities mentioned above:
https://skarnet.org/lists/supervision/3130.html, https://skarnet.org/lists/supervision/3114.html, https://skarnet.org/lists/supervision/3121.html).
- Not having an additional daemon running.- Exposing the session information through the filesystem, so that every (privileged enough) process that needs to can make use of it.
Of course, Turnstile has a lot of other useful features this does not have. What do you all think about this approach?What handling of stopping the user-service bundles do you think is best, stopping all on last logout, vs. stopping "all in the sshd bundle" on last "sshd logout", ... ?
Any other alternatives? Paul
OpenPGP_0x71C7C85A2EA30F62.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
