<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
This file is part of systemd.

Copyright 2010 Lennart Poettering

systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="pam_systemd">

<refentryinfo>
<title>pam_systemd</title>
<productname>systemd</productname>

<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>

<refmeta>
<refentrytitle>pam_systemd</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv>
<refname>pam_systemd</refname>
<refpurpose>Register user sessions in the systemd login manager</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>pam_systemd.so</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para><command>pam_systemd</command> registers user
sessions in the systemd login manager
<citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
and hence in the systemd control group hierarchy.</para>

<para>On login, this module ensures the following:</para>

<orderedlist>
<listitem><para>If it does not exist yet, the
user runtime directory
<filename>/run/user/$USER</filename> is
created and its ownership changed to the user
that is logging in.</para></listitem>

<listitem><para>The
<varname>$XDG_SESSION_ID</varname> environment
variable is initialized. If auditing is
available and
<command>pam_loginuid.so</command> is run before
this module (which is highly recommended), the
variable is initialized from the audit
session id
(<filename>/proc/self/sessionid</filename>). Otherwise,
an independent session counter is
used.</para></listitem>

<listitem><para>A new control group
<filename>/user/$USER/$XDG_SESSION_ID</filename>
is created and the login process is moved into
it.</para></listitem>
</orderedlist>

<para>On logout, this module ensures the following:</para>

<orderedlist>
<listitem><para>If
<varname>$XDG_SESSION_ID</varname> is set and
<option>kill-session-processes=1</option> is specified, all
remaining processes in the
<filename>/user/$USER/$XDG_SESSION_ID</filename>
control group are killed and the control group
is removed.</para></listitem>

<listitem><para>If the last subgroup of the
<filename>/user/$USER</filename> control group
was removed, the
<varname>$XDG_RUNTIME_DIR</varname> directory
and all its contents are
removed, too.</para></listitem>
</orderedlist>

<para>If the system was not booted with systemd as
the init system, this module does nothing and immediately
returns PAM_SUCCESS.</para>

</refsect1>

<refsect1>
<title>Options</title>

<para>The following options are understood:</para>

<variablelist class='pam-directives'>
<varlistentry>
<term><option>kill-session-processes=</option></term>

<listitem><para>Takes a boolean
argument. If true, all processes
created by the user during the session,
and any started from it, will be
terminated when the user logs out of that
session.</para></listitem>
</varlistentry>

<varlistentry>
<term><option>kill-only-users=</option></term>

<listitem><para>Takes a comma
separated list of user names or
numeric user ids as argument. If this
option is used, the effect of the
<option>kill-session-processes=</option> option
will apply only to the listed
users. If this option is not used, the
option applies to all local
users. Note that
<option>kill-exclude-users=</option>
takes precedence over this list and is
hence subtracted from the list
specified here.</para></listitem>
</varlistentry>

<varlistentry>
<term><option>kill-exclude-users=</option></term>

<listitem><para>Takes a comma
separated list of user names or
numeric user ids as argument. Users
listed in this argument will not be
subject to the effect of
<option>kill-session-processes=</option>. Note
that this option takes precedence
over
<option>kill-only-users=</option>, and
hence whatever is listed for
<option>kill-exclude-users=</option>
is guaranteed to never be killed by
this PAM module, independent of any
other configuration
setting.</para></listitem>
</varlistentry>

<varlistentry>
<term><option>controllers=</option></term>

<listitem><para>Takes a comma
separated list of control group
controllers in whose hierarchies a
user/session control group will be
created by default for each user
logging in, in addition to the control
group in the named 'name=systemd'
hierarchy. If omitted, defaults to an
empty list.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>reset-controllers=</option></term>
<listitem><para>Takes a comma
separated list of control group
controllers in whose hierarchies the
logged-in processes will be reset to
the root control
group.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>class=</option></term>
<listitem><para>Takes a string
argument which sets the session class.
The XDG_SESSION_CLASS environment variable
takes precedence.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>debug=</option></term>
<listitem><para>Takes a boolean
argument. If yes, the module will log
debugging information as it
operates.</para></listitem>
</varlistentry>
</variablelist>
<para>Note that setting
<varname>kill-session-processes=1</varname> will break tools
like
<citerefentry><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
<para>Note that
<varname>kill-session-processes=1</varname> is a
stricter version of
<varname>KillUserProcesses=1</varname> which may be
configured system-wide in
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
former kills processes of a session as soon as it
ends, the latter kills processes as soon as the last
session of the user ends.</para>
<para>If the options are omitted, they default to
<option>kill-session-processes=0</option>,
<option>kill-only-users=</option>,
<option>kill-exclude-users=</option>,
<option>controllers=</option>,
<option>reset-controllers=</option>,
<option>debug=no</option>.</para>
</refsect1>
<refsect1>
<title>Module Types Provided</title>
<para>Only <option>session</option> is provided.</para>
</refsect1>
<refsect1>
<title>Environment</title>
<para>The following environment variables are set for the processes of the user's session:</para>
<variablelist class='environment-variables'>
<varlistentry>
<term><varname>$XDG_SESSION_ID</varname></term>
<listitem><para>A session identifier,
suitable to be used in file names. The
string itself should be considered
opaque, although often it is just the
audit session ID as reported by
<filename>/proc/self/sessionid</filename>. Each
ID will be assigned only once during
machine uptime. It may hence be used
to uniquely label files or other
resources of this
session.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>$XDG_RUNTIME_DIR</varname></term>
<listitem><para>Path to a user-private
user-writable directory that is bound
to the user's login time on the
machine. It is automatically created
the first time a user logs in and
removed on the user's final logout. If a user
logs in twice at the same time, both
sessions will see the same
<varname>$XDG_RUNTIME_DIR</varname>
and the same contents. If a user logs
in once, then logs out again, and logs
in again, the directory contents will
have been lost in between, but
applications should not rely on this
behavior and must be able to deal with
stale files. To store session-private
data in this directory the user should
include the value of <varname>$XDG_SESSION_ID</varname>
in the filename. This directory shall
be used for runtime file system
objects such as AF_UNIX sockets,
FIFOs, PID files and similar. It is
guaranteed that this directory is
local and offers the greatest possible
file system feature set the
operating system
provides.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<programlisting>#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
session required pam_systemd.so kill-session-processes=1</programlisting>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>