3af55c5cb3
Instead of calling 'su' to switch the user, use our own implementation of this. Thanks to PAM it's pretty simple. The main reason is to have control over the process waiting for session termination (to call pam_close_session/pam_end). Especially we don't want it to keep std* fds open, which would prevent qrexec-agent from receiving EOF when one of them is closed. Also, this will preserve the QREXEC_AGENT_PID environment variable.
Fixes QubesOS/qubes-issues#2851
10 lines
271 B
Plaintext
#%PAM-1.0
auth sufficient pam_rootok.so
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
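The fd-holding problem named in the commit message, as an added example (not code from this commit or from the Qubes code base): a process that waits for the session to end holds a copy of the command's stdout pipe, and the reader sees EOF only if that waiter has closed its copy. The pipe, the 300 ms timeout and the function name `reader_sees_eof` are constructed for the illustration, and no PAM calls are made.

```c
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the pipe reader (stand-in for qrexec-agent) sees EOF within
 * timeout_ms after the command closes its stdout, 0 if not, -1 on error.
 * waiter_closes_fds: whether the process waiting for the session to end
 * (the one that would later call pam_close_session/pam_end) drops its copy. */
int reader_sees_eof(int waiter_closes_fds, int timeout_ms)
{
    int p[2], eof = 0;
    char buf[64];
    if (pipe(p) < 0) return -1;
    pid_t waiter = fork();
    if (waiter < 0) return -1;
    if (waiter == 0) {
        setpgid(0, 0);                 /* own group, so cleanup reaches the command too */
        close(p[0]);
        pid_t cmd = fork();
        if (cmd == 0) {                /* the command run as the target user */
            if (write(p[1], "out\n", 4) < 0) _exit(1);
            close(p[1]);               /* closes its stdout but keeps running */
            for (;;) pause();
        }
        if (waiter_closes_fds) close(p[1]);
        waitpid(cmd, NULL, 0);         /* session teardown would follow here */
        _exit(0);
    }
    setpgid(waiter, waiter);           /* same call from the parent avoids a race */
    close(p[1]);
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    while (poll(&pfd, 1, timeout_ms) > 0) {
        ssize_t n = read(p[0], buf, sizeof buf);
        if (n == 0) eof = 1;           /* every write end is closed */
        if (n <= 0) break;
    }
    kill(-waiter, SIGKILL);            /* stop the waiter and the command */
    waitpid(waiter, NULL, 0);
    close(p[0]);
    return eof;
}

int main(void)
{
    printf("waiter keeps fds:  EOF seen = %d\n", reader_sees_eof(0, 300));
    printf("waiter closes fds: EOF seen = %d\n", reader_sees_eof(1, 300));
    return 0;
}
```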