exec-invoke: Always go via stdin fd in setup_pam() to get tty

We might have resolved the tty to something else if it was set to /dev/console, so let's always go via stdin in setup_pam(). This also means we won't set the pam tty if only stdout or stderr are connected to a tty, which seems like a sensible thing to do.
2026-04-14 08:25:20 +09:00 · 2025-04-03 16:25:15 +02:00
parent 6f1d594d63
commit 2b0087e5b1
1 changed files with 8 additions and 8 deletions
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -1201,6 +1201,7 @@ static int setup_pam(

        _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
        _cleanup_strv_free_ char **e = NULL;
+        _cleanup_free_ char *tty = NULL;
        pam_handle_t *handle = NULL;
        sigset_t old_ss;
        int pam_code = PAM_SUCCESS, r;
@@ -1236,15 +1237,14 @@ static int setup_pam(
                goto fail;
        }

-        const char *tty = context->tty_path;
-        if (!tty) {
-                _cleanup_free_ char *q = NULL;
+        if (getttyname_malloc(STDIN_FILENO, &tty) >= 0) {
+                _cleanup_free_ char *q = path_join("/dev", tty);
+                if (!q) {
+                        r = -ENOMEM;
+                        goto fail;
+                }

-                /* Hmm, so no TTY was explicitly passed, but an fd passed to us directly might be a TTY. Let's figure
-                 * out if that's the case, and read the TTY off it. */
-
-                if (getttyname_malloc(STDIN_FILENO, &q) >= 0)
-                        tty = strjoina("/dev/", q);
+                free_and_replace(tty, q);
        }

        if (tty) {