"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="pam_systemd" conditional='HAVE_PAM'>
+<refentry id="pam_systemd" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>pam_systemd</title>
and hence the systemd control group hierarchy.</para>
<para>The module also applies various resource management and runtime parameters to the new session, as
- configured in the <ulink url="https://systemd.io/USER_RECORD">JSON User Record</ulink> of the user, when
+ configured in the <ulink url="https://systemd.io/USER_RECORD">JSON User Records</ulink> of the user, when
one is defined.</para>
<para>On login, this module — in conjunction with <filename>systemd-logind.service</filename> — ensures the
indicate the session desktop used, where this applies and if this information is available. For example:
<literal>GNOME</literal>, or <literal>KDE</literal>. It is recommended to use the same identifiers and
capitalization as for <varname>$XDG_CURRENT_DESKTOP</varname>, as defined by the <ulink
- url="http://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop Entry
+ url="https://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop Entry
Specification</ulink>. (However, note that the option only takes a single item, and not a colon-separated list
like <varname>$XDG_CURRENT_DESKTOP</varname>.) See
<citerefentry><refentrytitle>sd_session_get_desktop</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
further details.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>default-capability-bounding-set=</varname></term>
+ <term><varname>default-capability-ambient-set=</varname></term>
+
+ <listitem><para>Takes a comma-separated list of process capabilities
+ (e.g. <constant>CAP_WAKE_ALARM</constant>, <constant>CAP_BLOCK_SUSPEND</constant>, …) to set for the
+ invoked session's processes, if the user record does not encode appropriate sets of capabilities
+ directly. See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details on the capabilities concept. If not specified, the default bounding set is left as is
+ (i.e. usually contains the full set of capabilities). The default ambient set is set to
+ <constant>CAP_WAKE_ALARM</constant> for regular users if the PAM session is associated with a local
+ seat or if it is invoked for the <literal>systemd-user</literal> service. Otherwise defaults to the
+ empty set.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>debug</varname><optional>=</optional></term>
similar. It is guaranteed that this directory is local and
offers the greatest possible file system feature set the
operating system provides. For further details, see the <ulink
- url="http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
+ url="https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
Base Directory Specification</ulink>. <varname>$XDG_RUNTIME_DIR</varname>
is not set if the current user is not the original user of the session.</para></listitem>
</varlistentry>
<title>Session limits</title>
<para>PAM modules earlier in the stack, that is those that come before <command>pam_systemd.so</command>,
- can set session scope limits using the PAM context objects. The data for these objects is provided as NUL-terminated C strings
+ can set session scope limits using the PAM context objects. The data for these objects is provided as <constant>NUL</constant>-terminated C strings
and maps directly to the respective unit resource control directives. Note that these limits apply to individual sessions of the user,
they do not apply to all user processes as a combined whole. In particular, the per-user <command>user@.service</command> unit instance,
which runs the <command>systemd --user</command> manager process and its children, and is tracked outside of any session, being shared
account required pam_permit.so
-password sufficient pam_systemd_home.so
-password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
password required pam_deny.so
-session optional pam_keyinit.so revoke
projects / thirdparty / systemd.git / blobdiff