<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="pam_systemd">
<refentryinfo>
<title>pam_systemd</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>pam_systemd</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>pam_systemd</refname>
<refpurpose>Register user sessions in the systemd control group hierarchy</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>pam_systemd.so</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>pam_systemd</command> registers user
sessions in the systemd control group
hierarchy.</para>
<para>On login, this module ensures the following:</para>
<orderedlist>
<listitem><para>If it does not exist yet, the
user runtime directory
<filename>/run/user/$USER</filename> is
created and its ownership changed to the user
that is logging in.</para></listitem>
<listitem><para>The
<varname>$XDG_SESSION_ID</varname> environment
variable is initialized. If auditing is
available and
<command>pam_loginuid.so</command> is run before
this module (which is highly recommended), the
variable is initialized from the auditing
session id
(<filename>/proc/self/sessionid</filename>). Otherwise
an independent session counter is
used.</para></listitem>
<listitem><para>A new control group
<filename>/user/$USER/$XDG_SESSION_ID</filename>
is created and the login process moved into
it.</para></listitem>
</orderedlist>
<para>On logout, this module ensures the following:</para>
<orderedlist>
<listitem><para>If
<varname>$XDG_SESSION_ID</varname> is set and
<option>kill-session-processes=1</option> specified, all
remaining processes in the
<filename>/user/$USER/$XDG_SESSION_ID</filename>
control group are killed and the control group
is removed.</para></listitem>
<listitem><para>If the last subgroup of the
<filename>/user/$USER</filename> control group
was removed the
<varname>$XDG_RUNTIME_DIR</varname> directory
and all its contents are
removed, too.</para></listitem>
</orderedlist>
<para>If the system was not booted up with systemd as
init system, this module does nothing and immediately
returns PAM_SUCCESS.</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
<varlistentry>
<term><option>kill-session-processes=</option></term>
<listitem><para>Takes a boolean
argument. If true, all processes
created by the user during his session
and from his session will be
terminated when he logs out from his
session.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>kill-only-users=</option></term>
<listitem><para>Takes a comma
separated list of user names or
numeric user ids as argument. If this
option is used the effect of the
<option>kill-session-processes=</option> options
will apply only to the listed
users. If this option is not used the
option applies to all local
users. Note that
<option>kill-exclude-users=</option>
takes precedence over this list and is
hence subtracted from the list
specified here.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>kill-exclude-users=</option></term>
<listitem><para>Takes a comma
separated list of user names or
numeric user ids as argument. Users
listed in this argument will not be
subject to the effect of
<option>kill-session-processes=</option>. Note
that this option takes precedence
over
<option>kill-only-users=</option>, and
hence whatever is listed for
<option>kill-exclude-users=</option>
is guaranteed to never be killed by
this PAM module, independent of any
other configuration
setting.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>controllers=</option></term>
<listitem><para>Takes a comma
separated list of control group
controllers in whose hierarchies a
user/session control group will be
created by default for each user
logging in, in addition to the control
group in the 'name=systemd' named
hierarchy. If omitted, defaults to an
empty list.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>reset-controllers=</option></term>
<listitem><para>Takes a comma
separated list of control group
controllers in whose hierarchies the
logged in processes will be reset to
the root control
group.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>debug=</option></term>
<listitem><para>Takes a boolean
argument. If true, the module will log
debugging information as it
operates.</para></listitem>
</varlistentry>
</variablelist>
<para>Note that setting
<option>kill-session-processes=1</option> will break tools
like
<citerefentry><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<para>Note that
<option>kill-session-processes=1</option> is a
stricter version of
<varname>KillUserProcesses=1</varname> which may be
configured system-wide in
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
former kills processes of a session as soon as it
ends, the latter kills processes as soon as the last
session of the user ends.</para>
<para>If the options are omitted they default to
<option>kill-session-processes=0</option>,
<option>kill-only-users=</option>,
<option>kill-exclude-users=</option>,
<option>controllers=</option>,
<option>reset-controllers=</option>,
<option>debug=no</option>.</para>
</refsect1>
<refsect1>
<title>Module Types Provided</title>
<para>Only <option>session</option> is provided.</para>
</refsect1>
<refsect1>
<title>Environment</title>
<para>The following environment variables are set for the processes of the user's session:</para>
<variablelist>
<varlistentry>
<term><varname>$XDG_SESSION_ID</varname></term>
<listitem><para>A session identifier,
suitable to be used in file names. The
string itself should be considered
opaque, although often it is just the
audit session ID as reported by
<filename>/proc/self/sessionid</filename>. Each
ID will be assigned only once during
machine uptime. It may hence be used
to uniquely label files or other
resources of this
session.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>$XDG_RUNTIME_DIR</varname></term>
<listitem><para>Path to a user-private
user-writable directory that is bound
to the user login time on the
machine. It is automatically created
the first time a user logs in and
removed on his final logout. If a user
logs in twice at the same time, both
sessions will see the same
<varname>$XDG_RUNTIME_DIR</varname>
and the same contents. If a user logs
in once, then logs out again, and logs
in again, the directory contents will
have been lost in between, but
applications should not rely on this
behaviour and must be able to deal with
stale files. To store session-private
data in this directory the user should
include the value of <varname>$XDG_SESSION_ID</varname>
in the filename. This directory shall
be used for runtime file system
objects such as AF_UNIX sockets,
FIFOs, PID files and similar. It is
guaranteed that this directory is
local and offers the greatest possible
file system feature set the
operating system
provides.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<programlisting>#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
session required pam_systemd.so kill-session-processes=1</programlisting>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>