Since I was not 100% convinced by Turnstile, I made an attempt on a very
simple alternative way to handle user session tracking.
The (currently very crude) script only runs once on each login and
logout and does the following:
On login:
- Possibly create a /run/session/${USER} directory.
- Possibly start the user supervision tree (from S6/s6-rc or OpenRC, or
anything but itself).
- If it does not exist, create a file named after the login type (e.g.
sshd) at /run/session/${USER}/${LOGIN_TYPE}.
- Write a line (any content, but just one line) to
/run/session/${USER}/${LOGIN_TYPE}.
- If the line count in /run/session/${USER}/${LOGIN_TYPE} is 1, start
the bundle corresponding to ${LOGIN_TYPE} e.g. sshd.
- Otherwise, do not do anything.
On logout:
- Delete 1 line from /run/session/${USER}/${LOGIN_TYPE}.
- If all files in sum have 0 lines, stop all user services.
- Otherwise, do not do anything.
The script can be easily adapted to e.g. stop only the corresponding
"${LOGIN_TYPE} bundle" once /run/session/${USER}/${LOGIN_TYPE} reaches 0
lines.
It is supposed to be executed by "pam_exec.so".
It currently expects a s6-rc user-tree to be running as well as
/run/session/${USER} to exist, but it can be easily adapted to prepare
both by itself.
Part of the initial idea I got from Jan Braun, here:
https://skarnet.org/lists/supervision/3132.html.
Here is the (seriously, very crude) script:
#!/bin/execlineb
multisubstitute
{
importas -Si PAM_SERVICE
importas -Si PAM_USER
importas -Si PAM_TYPE
define SESSIONDIR /run/session
}
define XDG_RUNTIME_DIR /run/user/${PAM_USER}
s6-setuidgid ${PAM_USER}
case ${PAM_TYPE}
{
open_session
{
foreground { redirfd -a 1
${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} echo "" }
backtick -ED 0 COUNTER { grep -c ^
${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
ifelse { test ${COUNTER} -eq 1 }
{
s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc start ${PAM_SERVICE}
}
exit
}
close_session
{
foreground { sed -i $d ${SESSIONDIR}/${PAM_USER}/${PAM_SERVICE} }
elglob SESSIONS ${SESSIONDIR}/${PAM_USER}/*
backtick -ED 0 COUNTER { pipeline { cat ${SESSIONS} } grep -c ^ }
foreground { redirfd -w 1 /home/Nanderty/g6log echo ${COUNTER} }
ifelse { test ${COUNTER} -eq 0 }
{
s6-rc -l ${XDG_RUNTIME_DIR}/s6-rc stop alllogins
}
exit
}
}
I currently see the following things this approach allows, that
Turnstile does not:
- Differentiation between different login methods
- Autostart of user services at boot time, no matter the login state
(not directly enabled by the script, but possible, since the user
service tree is up whatsoever).
(Check these mails for reasons to have the two possibilities mentioned
above:
https://skarnet.org/lists/supervision/3130.html,
https://skarnet.org/lists/supervision/3114.html,
https://skarnet.org/lists/supervision/3121.html).
- Not having an additional daemon running.
- Exposing the session information through the filesystem, so that every
(privileged enough) process that needs to can make use of it.
Of course, Turnstile has a lot of other useful features this does not have.
What do you all think about this approach?
What handling of stopping the user-service bundles do you think is best,
stopping all on last logout, vs. stopping "all in the sshd bundle" on
last "sshd logout", ... ?
Any other alternatives?
Paul
Received on Thu Jul 11 2024 - 16:53:51 CEST