[thirdparty/systemd.git] / units / systemd-logind.service.in

#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Login Service
Documentation=man:systemd-logind.service(8) man:logind.conf(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/logind
Documentation=https://www.freedesktop.org/wiki/Software/systemd/multiseat
Wants=user.slice
After=nss-user-lookup.target user.slice

# Ask for the dbus socket.
Wants=dbus.socket
After=dbus.socket

[Service]
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
DeviceAllow=char-/dev/console rw
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
ExecStartPre=-/sbin/modprobe -abq drm
ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectSystem=strict
ReadWritePaths=/etc /run
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
StateDirectory=systemd/linger
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
WatchdogSec=3min

# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
LimitNOFILE=@HIGH_RLIMIT_NOFILE@
Commit	Line	Data
a7df2d1e ZJS	1	# SPDX-License-Identifier: LGPL-2.1+
a7df2d1e ZJS	2	#
91f9dcaf LP	3	# This file is part of systemd.
	4	#
	5	# systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	6	# under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	7	# the Free Software Foundation; either version 2.1 of the License, or
91f9dcaf LP	8	# (at your option) any later version.
91f9dcaf LP	9
91f9dcaf LP	10	[Unit]
91f9dcaf LP	11	Description=Login Service
3f612b91	12	Documentation=man:systemd-logind.service(8) man:logind.conf(5)
16a5d412 DR	13	Documentation=https://www.freedesktop.org/wiki/Software/systemd/logind
16a5d412 DR	14	Documentation=https://www.freedesktop.org/wiki/Software/systemd/multiseat
1ee306e1 LP	15	Wants=user.slice
1ee306e1 LP	16	After=nss-user-lookup.target user.slice
91f9dcaf	17
a132bef0	18	# Ask for the dbus socket.
8f9c6fe5 ZJS	19	Wants=dbus.socket
	20	After=dbus.socket
	21
91f9dcaf	22	[Service]
91f9dcaf	23	BusName=org.freedesktop.login1
11dce8e2	24	CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
9af28206 TM	25	DeviceAllow=char-/dev/console rw
	26	DeviceAllow=char-drm rw
	27	DeviceAllow=char-input rw
	28	DeviceAllow=char-tty rw
	29	DeviceAllow=char-vcs rw
11aa16bb LP	30	# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
11aa16bb LP	31	ExecStartPre=-/sbin/modprobe -abq drm
3ca9940c LP	32	ExecStart=@rootlibexecdir@/systemd-logind
	33	FileDescriptorStoreMax=512
	34	IPAddressDeny=any
	35	LockPersonality=yes
40652ca4	36	MemoryDenyWriteExecute=yes
3ca9940c	37	NoNewPrivileges=yes
11dce8e2 ZJS	38	PrivateTmp=yes
	39	ProtectControlGroups=yes
	40	ProtectHome=yes
99894b86	41	ProtectHostname=yes
11dce8e2 ZJS	42	ProtectKernelModules=yes
	43	ProtectSystem=strict
	44	ReadWritePaths=/etc /run
3ca9940c LP	45	Restart=always
3ca9940c LP	46	RestartSec=0
dea63635	47	RestrictAddressFamilies=AF_UNIX AF_NETLINK
3ca9940c LP	48	RestrictNamespaces=yes
3ca9940c LP	49	RestrictRealtime=yes
62aa2924	50	RestrictSUIDSGID=yes
11dce8e2 ZJS	51	RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
11dce8e2 ZJS	52	RuntimeDirectoryPreserve=yes
19483c60	53	StateDirectory=systemd/linger
7f396e5f	54	SystemCallArchitectures=native
3ca9940c LP	55	SystemCallErrorNumber=EPERM
	56	SystemCallFilter=@system-service
	57	WatchdogSec=3min
f84aea43	58
c35ee02c LP	59	# Increase the default a bit in order to allow many simultaneous logins since
c35ee02c LP	60	# we keep one fd open per session.
c02b6ee4	61	LimitNOFILE=@HIGH_RLIMIT_NOFILE@