Deprecate the pam_console/pam_foreground flag-file directory

This feature is now compile-time conditional, and off by default.

pam_console appears to have been in Fedora and Gentoo until 2007.
pam_foreground seems to be specific to Debian and Ubuntu, where it was
unmaintained since 2008 and removed in 2010. The replacement for both
was ConsoleKit, which has itself been superseded by systemd-logind and
ConsoleKit2.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/101629
Reviewed-by: Philip Withnall <withnall@endlessm.com>

NEWS

@@ -1,6 +1,19 @@
 D-Bus 1.11.18 (UNRELEASED)
 ==
 
+Build-time configuration changes:
+
+• By default, dbus-daemon on Unix no longer checks for flag files
+  /var/run/console/${username} created by the obsolete pam_console and
+  pam_foreground PAM modules when deciding whether ${username} is
+  currently at the console. The old default behaviour can be restored
+  by specifying --with-console-auth-dir=/var/run/console in the
+  recommended Autotools build system, or
+  -DDBUS_CONSOLE_AUTH_DIR=/var/run/console in CMake. This feature is
+  now deprecated, and will be removed in dbus 1.13 unless feedback via
+  fd.o #101629 indicates that this would be problematic.
+  (fd.o #101629, Simon McVittie)
+
 Enhancements:
 
 • <allow> and <deny> rules in dbus-daemon configuration can now

cmake/CMakeLists.txt

@@ -435,11 +435,7 @@ endif()
  # Not used on Windows, where there is no system bus
 set (DBUS_SYSTEM_PID_FILE ${DBUS_RUNSTATEDIR}/dbus/pid)
 
-if (WIN32)
-	set (DBUS_CONSOLE_AUTH_DIR "")
-else (WIN32)
-	set (DBUS_CONSOLE_AUTH_DIR "/var/run/console/")
-endif (WIN32)
+set (DBUS_CONSOLE_AUTH_DIR "" CACHE STRING "Directory to check for pam_console/pam_foreground flag files, or empty to ignore")
 
 # This won't work on Windows. It's not meant to - the system bus is
 # meaningless on Windows anyway.
@@ -611,7 +607,13 @@ message("        System bus socket:        ${DBUS_SYSTEM_SOCKET}               "
 message("        System bus PID file:      ${DBUS_SYSTEM_PID_FILE}             ")
 message("        System bus user:          ${DBUS_USER}                        ")
 message("        Session bus socket dir:   ${DBUS_SESSION_SOCKET_DIR}          ")
-message("        Console auth dir:         ${DBUS_CONSOLE_AUTH_DIR}            ")
+
+if(DBUS_CONSOLE_AUTH_DIR)
+message("        pam_console auth dir:     ${DBUS_CONSOLE_AUTH_DIR}            ")
+else()
+message("        pam_console auth dir:     (none)                              ")
+endif()
+
 message("        'make check' socket dir:  ${TEST_SOCKET_DIR}                  ")
 endif()
 message("        Test listen address:      ${TEST_LISTEN}                      ")

configure.ac

@@ -1606,16 +1606,10 @@ fi
 AC_SUBST(DBUS_SYSTEM_PID_FILE)
 
 #### Directory to check for console ownership
-if ! test -z "$with_console_auth_dir"; then
-   DBUS_CONSOLE_AUTH_DIR=$with_console_auth_dir
-else
-   # We don't use runstatedir for this, because /var/run is the
-   # path that was traditionally used by pam_console and pam_foreground.
-   DBUS_CONSOLE_AUTH_DIR=/var/run/console/
-fi
-
-AC_SUBST(DBUS_CONSOLE_AUTH_DIR)
-AC_DEFINE_UNQUOTED(DBUS_CONSOLE_AUTH_DIR, "$DBUS_CONSOLE_AUTH_DIR", [Directory to check for console ownerhip])
+AS_IF([test -n "$with_console_auth_dir" && test "x$with_console_auth_dir" != xno],
+    [AC_DEFINE_UNQUOTED([DBUS_CONSOLE_AUTH_DIR], ["$with_console_auth_dir"],
+        [Directory to check for pam_console/pam_foreground flag files, or undefined])],
+    [with_console_auth_dir=])
 
 #### File to check for console ownership
 if test x$have_console_owner_file = xyes; then
@@ -1982,7 +1976,7 @@ echo "
         System bus PID file:      ${DBUS_SYSTEM_PID_FILE}
         Session bus listens on:   ${DBUS_SESSION_BUS_LISTEN_ADDRESS}
         Session clients connect to: ${DBUS_SESSION_BUS_CONNECT_ADDRESS}
-        Console auth dir:         ${DBUS_CONSOLE_AUTH_DIR}
+        pam_console auth dir:     ${with_console_auth_dir:-(none)}
         Console owner file:       ${have_console_owner_file}
         Console owner file path:  ${DBUS_CONSOLE_OWNER_FILE}
 	System bus user:          ${DBUS_USER}

dbus/dbus-sysdeps-util-unix.c

@@ -548,7 +548,7 @@ dbus_bool_t
 _dbus_user_at_console (const char *username,
                        DBusError  *error)
 {
-
+#ifdef DBUS_CONSOLE_AUTH_DIR
   DBusString u, f;
   dbus_bool_t result;
 
@@ -579,6 +579,9 @@ _dbus_user_at_console (const char *username,
   _dbus_string_free (&f);
 
   return result;
+#else
+  return FALSE;
+#endif
 }
 
 

tools/ci-build.sh

@@ -175,6 +175,9 @@ case "$ci_buildsys" in
                 set "$@" --disable-launchd --disable-systemd
                 # No X11 autolaunching
                 set "$@" --disable-x11-autolaunch
+                # Re-enable the deprecated pam_console support to make
+                # sure it still builds
+                set "$@" --with-console-auth-dir=/var/run/console
                 shift
                 ;;