mirror of
https://git.proxmox.com/git/systemd
synced 2025-06-02 21:11:12 +00:00
135 lines
13 KiB
HTML
135 lines
13 KiB
HTML
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>pam_systemd</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
|
|
a.headerlink {
|
|
color: #c60f0f;
|
|
font-size: 0.8em;
|
|
padding: 0 4px 0 4px;
|
|
text-decoration: none;
|
|
visibility: hidden;
|
|
}
|
|
|
|
a.headerlink:hover {
|
|
background-color: #c60f0f;
|
|
color: white;
|
|
}
|
|
|
|
h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
|
|
visibility: visible;
|
|
}
|
|
</style><a href="index.html">Index </a>·
|
|
<a href="systemd.directives.html">Directives </a>·
|
|
<a href="../python-systemd/index.html">Python </a>·
|
|
<a href="../libudev/index.html">libudev </a>·
|
|
<a href="../libudev/index.html">gudev </a><span style="float:right">systemd 219</span><hr><div class="refentry"><a name="pam_systemd"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pam_systemd — Register user sessions in the systemd login manager</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">pam_systemd.so</code></p></div><div class="refsect1"><a name="idm140443616267392"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p><span class="command"><strong>pam_systemd</strong></span> registers user sessions with
|
|
the systemd login manager
|
|
<a href="systemd-logind.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-logind.service</span>(8)</span></a>,
|
|
and hence the systemd control group hierarchy.</p><p>On login, this module ensures the following:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>If it does not exist yet, the user runtime
|
|
directory <code class="filename">/run/user/$USER</code> is created and
|
|
its ownership changed to the user that is logging
|
|
in.</p></li><li class="listitem"><p>The <code class="varname">$XDG_SESSION_ID</code>
|
|
environment variable is initialized. If auditing is available
|
|
and <span class="command"><strong>pam_loginuid.so</strong></span> was run before this
|
|
module (which is highly recommended), the variable is
|
|
initialized from the auditing session id
|
|
(<code class="filename">/proc/self/sessionid</code>). Otherwise, an
|
|
independent session counter is used.</p></li><li class="listitem"><p>A new systemd scope unit is created for the
|
|
session. If this is the first concurrent session of the user, an
|
|
implicit slice below <code class="filename">user.slice</code> is
|
|
automatically created and the scope placed into it. An instance
|
|
of the system service <code class="filename">user@.service</code>, which
|
|
runs the systemd user manager instance, is started.
|
|
</p></li></ol></div><p>On logout, this module ensures the following:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>If enabled in
|
|
<a href="logind.conf.html"><span class="citerefentry"><span class="refentrytitle">logind.conf</span>(5)</span></a>, all processes of the
|
|
session are terminated. If the last concurrent session of a user
|
|
ends, the user's systemd instance will be terminated too, and so
|
|
will the user's slice unit.</p></li><li class="listitem"><p>If the last concurrent session of a user ends,
|
|
the <code class="varname">$XDG_RUNTIME_DIR</code> directory and all its
|
|
contents are removed, too.</p></li></ol></div><p>If the system was not booted up with systemd as init system,
|
|
this module does nothing and immediately returns
|
|
<code class="constant">PAM_SUCCESS</code>.</p></div><div class="refsect1"><a name="idm140443616252800"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options">¶</a></h2><p>The following options are understood:</p><div class="variablelist"><dl class="variablelist"><dt id="class="><span class="term"><code class="option">class=</code></span><a class="headerlink" title="Permalink to this term" href="#class=">¶</a></dt><dd><p>Takes a string argument which sets the session
|
|
class. The XDG_SESSION_CLASS environmental variable takes
|
|
precedence. One of
|
|
"<code class="literal">user</code>",
|
|
"<code class="literal">greeter</code>",
|
|
"<code class="literal">lock-screen</code>" or
|
|
"<code class="literal">background</code>". See
|
|
<a href="sd_session_get_class.html"><span class="citerefentry"><span class="refentrytitle">sd_session_get_class</span>(3)</span></a>
|
|
for details about the session class.</p></dd><dt id="type="><span class="term"><code class="option">type=</code></span><a class="headerlink" title="Permalink to this term" href="#type=">¶</a></dt><dd><p>Takes a string argument which sets the session
|
|
type. The XDG_SESSION_TYPE environmental variable takes
|
|
precedence. One of
|
|
"<code class="literal">unspecified</code>",
|
|
"<code class="literal">tty</code>",
|
|
"<code class="literal">x11</code>",
|
|
"<code class="literal">wayland</code>" or
|
|
"<code class="literal">mir</code>". See
|
|
<a href="sd_session_get_type.html"><span class="citerefentry"><span class="refentrytitle">sd_session_get_type</span>(3)</span></a>
|
|
for details about the session type.</p></dd><dt id="debug="><span class="term"><code class="option">debug[<span class="optional">=</span>]</code></span><a class="headerlink" title="Permalink to this term" href="#debug=">¶</a></dt><dd><p>Takes an optional
|
|
boolean argument. If yes or without
|
|
the argument, the module will log
|
|
debugging information as it
|
|
operates.</p></dd></dl></div></div><div class="refsect1"><a name="idm140443620141168"></a><h2 id="Module Types Provided">Module Types Provided<a class="headerlink" title="Permalink to this headline" href="#Module%20Types%20Provided">¶</a></h2><p>Only <code class="option">session</code> is provided.</p></div><div class="refsect1"><a name="idm140443620139504"></a><h2 id="Environment">Environment<a class="headerlink" title="Permalink to this headline" href="#Environment">¶</a></h2><p>The following environment variables are set for the
|
|
processes of the user's session:</p><div class="variablelist"><dl class="variablelist"><dt id="$XDG_SESSION_ID"><span class="term"><code class="varname">$XDG_SESSION_ID</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SESSION_ID">¶</a></dt><dd><p>A session identifier, suitable to be used in
|
|
filenames. The string itself should be considered opaque,
|
|
although often it is just the audit session ID as reported by
|
|
<code class="filename">/proc/self/sessionid</code>. Each ID will be
|
|
assigned only once during machine uptime. It may hence be used
|
|
to uniquely label files or other resources of this
|
|
session.</p></dd><dt id="$XDG_RUNTIME_DIR"><span class="term"><code class="varname">$XDG_RUNTIME_DIR</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_RUNTIME_DIR">¶</a></dt><dd><p>Path to a user-private user-writable directory
|
|
that is bound to the user login time on the machine. It is
|
|
automatically created the first time a user logs in and
|
|
removed on the user's final logout. If a user logs in twice at
|
|
the same time, both sessions will see the same
|
|
<code class="varname">$XDG_RUNTIME_DIR</code> and the same contents. If
|
|
a user logs in once, then logs out again, and logs in again,
|
|
the directory contents will have been lost in between, but
|
|
applications should not rely on this behavior and must be able
|
|
to deal with stale files. To store session-private data in
|
|
this directory, the user should include the value of
|
|
<code class="varname">$XDG_SESSION_ID</code> in the filename. This
|
|
directory shall be used for runtime file system objects such
|
|
as <code class="constant">AF_UNIX</code> sockets, FIFOs, PID files and
|
|
similar. It is guaranteed that this directory is local and
|
|
offers the greatest possible file system feature set the
|
|
operating system provides. For further details see the <a class="ulink" href="http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html" target="_top">XDG
|
|
Base Directory Specification</a>.</p></dd></dl></div><p>The following environment variables are read by the module
|
|
and may be used by the PAM service to pass metadata to the
|
|
module:</p><div class="variablelist"><dl class="variablelist"><dt id="$XDG_SESSION_TYPE"><span class="term"><code class="varname">$XDG_SESSION_TYPE</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SESSION_TYPE">¶</a></dt><dd><p>The session type. This may be used instead of
|
|
<code class="option">session=</code> on the module parameter line, and is
|
|
usually preferred.</p></dd><dt id="$XDG_SESSION_CLASS"><span class="term"><code class="varname">$XDG_SESSION_CLASS</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SESSION_CLASS">¶</a></dt><dd><p>The session class. This may be used instead of
|
|
<code class="option">class=</code> on the module parameter line, and is
|
|
usually preferred.</p></dd><dt id="$XDG_SESSION_DESKTOP"><span class="term"><code class="varname">$XDG_SESSION_DESKTOP</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SESSION_DESKTOP">¶</a></dt><dd><p>A single, short identifier string for the
|
|
desktop environment. This may be used to indicate the session
|
|
desktop used, where this applies and if this information is
|
|
available. For example: "<code class="literal">GNOME</code>", or
|
|
"<code class="literal">KDE</code>". It is recommended to use the same
|
|
identifiers and capitalization as for
|
|
<code class="varname">$XDG_CURRENT_DESKTOP</code>, as defined by the
|
|
<a class="ulink" href="http://standards.freedesktop.org/desktop-entry-spec/latest/" target="_top">Desktop
|
|
Entry Specification</a>. (However, note that
|
|
<code class="varname">$XDG_SESSION_DESKTOP</code> only takes a single
|
|
item, and not a colon-separated list like
|
|
<code class="varname">$XDG_CURRENT_DESKTOP</code>.) See
|
|
<a href="sd_session_get_desktop.html"><span class="citerefentry"><span class="refentrytitle">sd_session_get_desktop</span>(3)</span></a>
|
|
for more details.</p></dd><dt id="$XDG_SEAT"><span class="term"><code class="varname">$XDG_SEAT</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SEAT">¶</a></dt><dd><p>The seat name the session shall be registered
|
|
for, if any.</p></dd><dt id="$XDG_VTNR"><span class="term"><code class="varname">$XDG_VTNR</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_VTNR">¶</a></dt><dd><p>The VT number the session shall be registered
|
|
for, if any. (Only applies to seats with a VT available, such
|
|
as "<code class="literal">seat0</code>")</p></dd></dl></div></div><div class="refsect1"><a name="idm140443620108656"></a><h2 id="Example">Example<a class="headerlink" title="Permalink to this headline" href="#Example">¶</a></h2><pre class="programlisting">#%PAM-1.0
|
|
auth required pam_unix.so
|
|
auth required pam_nologin.so
|
|
account required pam_unix.so
|
|
password required pam_unix.so
|
|
session required pam_unix.so
|
|
session required pam_loginuid.so
|
|
session required pam_systemd.so</pre></div><div class="refsect1"><a name="idm140443615193888"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
|
|
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
|
|
<a href="systemd-logind.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-logind.service</span>(8)</span></a>,
|
|
<a href="logind.conf.html"><span class="citerefentry"><span class="refentrytitle">logind.conf</span>(5)</span></a>,
|
|
<a href="loginctl.html"><span class="citerefentry"><span class="refentrytitle">loginctl</span>(1)</span></a>,
|
|
<a href="http://man7.org/linux/man-pages/man5/pam.conf.5.html"><span class="citerefentry"><span class="refentrytitle">pam.conf</span>(5)</span></a>,
|
|
<a href="http://man7.org/linux/man-pages/man5/pam.d.5.html"><span class="citerefentry"><span class="refentrytitle">pam.d</span>(5)</span></a>,
|
|
<a href="http://man7.org/linux/man-pages/man8/pam.8.html"><span class="citerefentry"><span class="refentrytitle">pam</span>(8)</span></a>,
|
|
<a href="http://man7.org/linux/man-pages/man8/pam_loginuid.8.html"><span class="citerefentry"><span class="refentrytitle">pam_loginuid</span>(8)</span></a>,
|
|
<a href="systemd.scope.html"><span class="citerefentry"><span class="refentrytitle">systemd.scope</span>(5)</span></a>,
|
|
<a href="systemd.slice.html"><span class="citerefentry"><span class="refentrytitle">systemd.slice</span>(5)</span></a>,
|
|
<a href="systemd.service.html"><span class="citerefentry"><span class="refentrytitle">systemd.service</span>(5)</span></a>
|
|
</p></div></div></body></html>
|