--- gdm-2.30.5/daemon/gdm-session-direct.h-orig 2010-12-14 16:30:05.151474458 -0600 +++ gdm-2.30.5/daemon/gdm-session-direct.h 2010-12-14 16:30:23.435105431 -0600 @@ -56,6 +56,7 @@ GdmSessionDirect * gdm_session_direct_ne gboolean display_is_local) G_GNUC_MALLOC; char * gdm_session_direct_get_username (GdmSessionDirect *session_direct); +char * gdm_session_direct_get_display_device (GdmSessionDirect *session_direct); gboolean gdm_session_direct_bypasses_xsession (GdmSessionDirect *session_direct); /* Exported methods */ --- gdm-2.30.5/daemon/gdm-session-direct.c-orig 2010-12-14 16:30:38.260779634 -0600 +++ gdm-2.30.5/daemon/gdm-session-direct.c 2010-12-14 16:31:21.867683353 -0600 @@ -2356,6 +2356,14 @@ gdm_session_direct_get_username (GdmSess return g_strdup (session->priv->selected_user); } +char * +gdm_session_direct_get_display_device (GdmSessionDirect *session) +{ + g_return_val_if_fail (session != NULL, NULL); + + return g_strdup (session->priv->display_device); +} + gboolean gdm_session_direct_bypasses_xsession (GdmSessionDirect *session_direct) { --- gdm-2.30.5/daemon/gdm-session-worker.c-orig 2010-12-14 16:25:50.465800749 -0600 +++ gdm-2.30.5/daemon/gdm-session-worker.c 2010-12-14 16:54:55.325518602 -0600 @@ -32,10 +32,6 @@ #include #include -#ifdef HAVE_LOGINDEVPERM -#include -#endif /* HAVE_LOGINDEVPERM */ - #if __sun #include #define GDM_PAM_QUAL @@ -1369,22 +1365,6 @@ gdm_session_worker_uninitialize_pam (Gdm } pam_close_session (worker->priv->pam_handle, 0); gdm_session_auditor_report_logout (worker->priv->auditor); - -#ifdef HAVE_LOGINDEVPERM - /* - * Only do logindevperm processing if /dev/console or - * a device associated with a VT - */ - if (worker->priv->display_device != NULL && - (strncmp (worker->priv->display_device, "/dev/vt/", strlen ("/dev/vt/")) == 0 || - strcmp (worker->priv->display_device, "/dev/console") == 0)) { - g_debug ("Logindevperm logout for user %s, device %s", - worker->priv->username, - worker->priv->display_device); - (void) di_devperm_logout (worker->priv->display_device); - } -#endif /* HAVE_LOGINDEVPERM */ - } else { const void *p; @@ -2351,23 +2331,6 @@ gdm_session_worker_start_user_session (G passwd_entry, worker->priv->x11_display_name); #endif -#ifdef HAVE_LOGINDEVPERM - /* - * Only do logindevperm processing if /dev/console or - * a device associated with a VT - */ - if (worker->priv->display_device != NULL && - (strncmp (worker->priv->display_device, "/dev/vt/", strlen ("/dev/vt/")) == 0 || - strcmp (worker->priv->display_device, "/dev/console") == 0)) { - g_debug ("Logindevperm login for user %s, device %s", - worker->priv->username, - worker->priv->display_device); - (void) di_devperm_login (worker->priv->display_device, - passwd_entry->pw_uid, - passwd_entry->pw_gid, - NULL); - } -#endif /* HAVE_LOGINDEVPERM */ g_debug ("GdmSessionWorker: opening user session with program '%s'", worker->priv->arguments[0]); --- gdm-2.30.5/daemon/gdm-simple-slave.c-orig 2010-12-14 16:26:33.660074096 -0600 +++ gdm-2.30.5/daemon/gdm-simple-slave.c 2010-12-14 18:30:00.334570340 -0600 @@ -31,6 +31,10 @@ #include #include +#ifdef HAVE_LOGINDEVPERM +#include +#endif /* HAVE_LOGINDEVPERM */ + #include #include #include @@ -86,6 +90,9 @@ struct GdmSimpleSlavePrivate guint start_session_when_ready : 1; guint waiting_to_start_session : 1; +#ifdef HAVE_LOGINDEVPERM + gboolean use_logindevperm; +#endif }; enum { @@ -125,6 +132,76 @@ on_session_started (GdmSession *se */ } +#ifdef HAVE_LOGINDEVPERM +static void +gdm_simple_slave_grant_console_permissions (GdmSimpleSlave *slave) +{ + char *username; + char *display_device; + struct passwd *passwd_entry; + + username = gdm_session_direct_get_username (slave->priv->session); + display_device = gdm_session_direct_get_display_device (slave->priv->session); + + if (username != NULL) { + gdm_get_pwent_for_name (username, &passwd_entry); + + /* + * Only do logindevperm processing if /dev/console or + * a device associated with a VT + */ + if (display_device != NULL && + (strncmp (display_device, "/dev/vt/", strlen ("/dev/vt/")) == 0 || + strcmp (display_device, "/dev/console") == 0)) { + g_debug ("Logindevperm login for user %s, device %s", + username, display_device); + (void) di_devperm_login (display_device, + passwd_entry->pw_uid, + passwd_entry->pw_gid, + NULL); + slave->priv->use_logindevperm = TRUE; + } + } + + if (!slave->priv->use_logindevperm) { + g_debug ("Not calling di_devperm_login login for user %s, device %s", + username, display_device); + } +} + +static void +gdm_simple_slave_revoke_console_permissions (GdmSimpleSlave *slave) +{ + char *username; + char *display_device; + + username = gdm_session_direct_get_username (slave->priv->session); + display_device = gdm_session_direct_get_display_device (slave->priv->session); + + /* + * Only do logindevperm processing if /dev/console or a device + * associated with a VT. Do this after processing the PostSession + * script so that permissions for devices are not returned to root + * before running the script. + */ + if (slave->priv->use_logindevperm == TRUE && + display_device != NULL && + (strncmp (display_device, "/dev/vt/", strlen ("/dev/vt/")) == 0 || + strcmp (display_device, "/dev/console") == 0)) { + g_debug ("di_devperm_logout for user %s, device %s", + username, display_device); + (void) di_devperm_logout (display_device); + slave->priv->use_logindevperm = FALSE; + } else { + g_debug ("Not calling di_devperm_logout logout for user %s, device %s", + username, display_device); + } + + g_free (username); + g_free (display_device); +} +#endif /* HAVE_LOGINDEVPERM */ + static void on_session_exited (GdmSession *session, int exit_code, @@ -471,6 +548,10 @@ static void on_session_opened (GdmSession *session, GdmSimpleSlave *slave) { +#ifdef HAVE_LOGINDEVPERM + gdm_simple_slave_grant_console_permissions (slave); +#endif /* HAVE_LOGINDEVPERM */ + queue_start_session (slave); } @@ -1302,6 +1383,10 @@ gdm_simple_slave_stop (GdmSlave *slave) } g_free (username); +#ifdef HAVE_LOGINDEVPERM + gdm_simple_slave_revoke_console_permissions (GDM_SIMPLE_SLAVE (slave)); +#endif + gdm_session_close (GDM_SESSION (GDM_SIMPLE_SLAVE (slave)->priv->session)); g_object_unref (GDM_SIMPLE_SLAVE (slave)->priv->session); GDM_SIMPLE_SLAVE (slave)->priv->session = NULL; @@ -1379,6 +1464,9 @@ static void gdm_simple_slave_init (GdmSimpleSlave *slave) { slave->priv = GDM_SIMPLE_SLAVE_GET_PRIVATE (slave); +#ifdef HAVE_LOGINDEVPERM + slave->priv->use_logindevperm = FALSE; +#endif } static void