GDM blocks SIGUSR1 used by PAM scripts
In case of the following scenario:
- PAM configured to run auth and session with pam_exec scripts synchronizing via SIGUSR1
- Using GDM as the login manager causes SIGUSR1 to never reach the target scripts.
Workaround:
- Use SIGUSR2 in the scripts.
- Comment out block_sigusr1() call in daemon/main.c.
To reproduce, add the following entries:
/etc/pam.d/common-auth:
auth optional pam_exec.so log=/tmp/auth.log expose_authtok quiet /usr/local/bin/auth.py
/etc/pam.d/common-session:
session optional pam_exec.so log=/tmp/session.log /usr/local/bin/session.py
Attaching example scripts:
- auth.py
- session.py
When using SIGUSR1, sigusr1_handler is never called; with SIGUSR2 it is called without issues.
I've seen SIGUSR1 used in the code in 3 contexts - first in a mask to block signals (daemon/main.c:301), as an argument to g_unix_signal_add (daemon/session-worker-main.c:127) and in daemon/gdm-server:167 in a mask allowing sigusr1_thread_main to handle only this signal.
I'm not sure whether all 3 contexts are necessary. My guess is the signals blocked in daemon/main.c:324 never get unblocked or are unblocked too late for PAM. This issue is not reproducible when using e.g. LightDM instead of GDM.
If PAM scripts should not use SIGUSR1 with GDM, it should be documented somewhere; otherwise, if that's allowed, we may be dealing with a bug.
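The guess above rests on a POSIX property: the blocked-signal mask is inherited across fork() and preserved across execve(), so a script started by a process that has SIGUSR1 blocked begins with it blocked and the signal stays pending instead of reaching its handler. The following is an added example, not code from the report or from GDM, that reproduces this in isolation and shows the script-side check and unblock. `CHILD` and `run_child` are hypothetical names, and the child is a constructed stand-in for a pam_exec script.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a pam_exec script (not the reporter's auth.py/session.py).
CHILD = r"""
import os, signal, sys, time
got = []
signal.signal(signal.SIGUSR1, lambda signum, frame: got.append(signum))
# SIG_BLOCK with an empty set changes nothing; it only returns the inherited mask.
inherited = signal.SIGUSR1 in signal.pthread_sigmask(signal.SIG_BLOCK, [])
if sys.argv[1] == "unblock":
    signal.pthread_sigmask(signal.SIG_UNBLOCK, [signal.SIGUSR1])
os.kill(os.getpid(), signal.SIGUSR1)
time.sleep(0.1)  # give the Python-level handler time to run
pending = signal.SIGUSR1 in signal.sigpending()
print(int(inherited), len(got), int(pending))
"""


def run_child(block_in_parent, mode):
    """Start CHILD with SIGUSR1 blocked or unblocked in the parent.

    mode is "keep" (child leaves its mask alone) or "unblock".
    Returns (inherited_blocked, handler_calls, still_pending).
    """
    how = signal.SIG_BLOCK if block_in_parent else signal.SIG_UNBLOCK
    old = signal.pthread_sigmask(how, [signal.SIGUSR1])
    try:
        out = subprocess.run(
            [sys.executable, "-c", CHILD, mode],
            capture_output=True, text=True, check=True,
        ).stdout
    finally:
        # Restore the parent's original mask whatever happened.
        signal.pthread_sigmask(signal.SIG_SETMASK, old)
    inherited, handled, pending = (int(x) for x in out.split())
    return bool(inherited), handled, bool(pending)


if __name__ == "__main__":
    for block, mode in [(False, "keep"), (True, "keep"), (True, "unblock")]:
        print(f"parent_blocks={block} child={mode}: {run_child(block, mode)}")
```

Logging the same `inherited` check from inside a real pam_exec script shows whether the login manager hands it a mask with SIGUSR1 blocked.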