<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="pam_systemd">

        <refentryinfo>
                <title>pam_systemd</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>pam_systemd</refentrytitle>
                <manvolnum>8</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>pam_systemd</refname>
                <refpurpose>Register user sessions in the systemd login manager</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <cmdsynopsis>
                        <command>pam_systemd.so</command>
                </cmdsynopsis>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para><command>pam_systemd</command> registers user
                sessions in the systemd login manager
                <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                and hence in the systemd control group hierarchy.</para>

                <para>On login, this module ensures the following:</para>

                <orderedlist>
                        <listitem><para>If it does not exist yet, the
                        user runtime directory
                        <filename>/run/user/$USER</filename> is
                        created and its ownership changed to the user
                        that is logging in.</para></listitem>

                        <listitem><para>The
                        <varname>$XDG_SESSION_ID</varname> environment
                        variable is initialized. If auditing is
                        available and
                        <command>pam_loginuid.so</command> is run before
                        this module (which is highly recommended), the
                        variable is initialized from the audit
                        session id
                        (<filename>/proc/self/sessionid</filename>). Otherwise
                        an independent session counter is
                        used.</para></listitem>

                        <listitem><para>A new control group
                        <filename>/user/$USER/$XDG_SESSION_ID</filename>
                        is created and the login process is moved into
                        it.</para></listitem>
                </orderedlist>

                <para>On logout, this module ensures the following:</para>

                <orderedlist>
                        <listitem><para>If
                        <varname>$XDG_SESSION_ID</varname> is set and
                        <option>kill-session-processes=1</option> is specified, all
                        remaining processes in the
                        <filename>/user/$USER/$XDG_SESSION_ID</filename>
                        control group are killed and the control group
                        is removed.</para></listitem>

                        <listitem><para>If the last subgroup of the
                        <filename>/user/$USER</filename> control group
                        was removed, the
                        <varname>$XDG_RUNTIME_DIR</varname> directory
                        and all its contents are
                        removed, too.</para></listitem>
                </orderedlist>

                <para>If the system was not booted with systemd as
                init system, this module does nothing and immediately
                returns PAM_SUCCESS.</para>

        </refsect1>

        <refsect1>
                <title>Options</title>

                <para>The following options are understood:</para>

                <variablelist>
                        <varlistentry>
                                <term><option>kill-session-processes=</option></term>

                                <listitem><para>Takes a boolean
                                argument. If true, all processes
                                created by the user during the session
                                and from within it will be
                                terminated when the user logs out of the
                                session.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>kill-only-users=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of user names or
                                numeric user ids as argument. If this
                                option is used, the effect of the
                                <option>kill-session-processes=</option> option
                                applies only to the listed
                                users. If this option is not used, the
                                option applies to all local
                                users. Note that
                                <option>kill-exclude-users=</option>
                                takes precedence over this list and is
                                hence subtracted from the list
                                specified here.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>kill-exclude-users=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of user names or
                                numeric user ids as argument. Users
                                listed in this argument will not be
                                subject to the effect of
                                <option>kill-session-processes=</option>. Note
                                that this option takes precedence
                                over
                                <option>kill-only-users=</option>, and
                                hence whatever is listed for
                                <option>kill-exclude-users=</option>
                                is guaranteed never to be killed by
                                this PAM module, independent of any
                                other configuration
                                setting.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>controllers=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of control group
                                controllers. In the hierarchy of each
                                listed controller a user/session control
                                group is created by default for each user
                                logging in, in addition to the control
                                group in the named 'name=systemd'
                                hierarchy. If omitted, defaults to an
                                empty list.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>reset-controllers=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of control group
                                controllers. In the hierarchy of each
                                listed controller the processes of the
                                session being logged in are reset to
                                the root control
                                group.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>debug=</option></term>

                                <listitem><para>Takes a boolean
                                argument. If yes, the module will log
                                debugging information as it
                                operates.</para></listitem>
                        </varlistentry>
                </variablelist>

                <para>Note that setting
                <option>kill-session-processes=1</option> will break tools
                like
                <citerefentry><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

                <para>Note that
                <option>kill-session-processes=1</option> is a
                stricter version of
                <varname>KillUserProcesses=1</varname> which may be
                configured system-wide in
                <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
                former kills the processes of a session as soon as it
                ends, the latter kills them as soon as the last
                session of the user ends.</para>

                <para>If the options are omitted they default to
                <option>kill-session-processes=0</option>,
                <option>kill-only-users=</option>,
                <option>kill-exclude-users=</option>,
                <option>controllers=</option>,
                <option>reset-controllers=</option>,
                <option>debug=no</option>.</para>
        </refsect1>

        <refsect1>
                <title>Module Types Provided</title>

                <para>Only <option>session</option> is provided.</para>
        </refsect1>

        <refsect1>
                <title>Environment</title>

                <para>The following environment variables are set for the processes of the user's session:</para>

                <variablelist>
                        <varlistentry>
                                <term><varname>$XDG_SESSION_ID</varname></term>

                                <listitem><para>A session identifier,
                                suitable to be used in file names. The
                                string itself should be considered
                                opaque, although often it is just the
                                audit session ID as reported by
                                <filename>/proc/self/sessionid</filename>. Each
                                ID will be assigned only once during
                                machine uptime. It may hence be used
                                to uniquely label files or other
                                resources of this
                                session.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><varname>$XDG_RUNTIME_DIR</varname></term>

                                <listitem><para>Path to a user-private,
                                user-writable directory whose lifetime
                                is bound to the user's logins on the
                                machine. It is automatically created
                                the first time a user logs in and
                                removed on the user's final logout. If a user
                                logs in twice at the same time, both
                                sessions will see the same
                                <varname>$XDG_RUNTIME_DIR</varname>
                                and the same contents. If a user logs
                                in once, then logs out again, and logs
                                in again, the directory contents will
                                have been lost in between, but
                                applications should not rely on this
                                behaviour and must be able to deal with
                                stale files. To store session-private
                                data in this directory the user should
                                include the value of <varname>$XDG_SESSION_ID</varname>
                                in the filename. This directory shall
                                be used for runtime file system
                                objects such as AF_UNIX sockets,
                                FIFOs, PID files and similar. It is
                                guaranteed that this directory is
                                local and offers the greatest possible
                                file system feature set the
                                operating system
                                provides.</para></listitem>
                        </varlistentry>
                </variablelist>
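                <para>As an added example (not part of systemd or of this
                man page), the following POSIX shell script shows how a
                program running inside a session should consume the two
                variables above: it validates
                <varname>$XDG_RUNTIME_DIR</varname>, derives
                session-private file names by embedding
                <varname>$XDG_SESSION_ID</varname>, and copes with a stale
                PID file left over from an earlier session. The function
                names and the ownership check are this example's own
                assumptions; when run outside a login session it substitutes
                a temporary directory and a made-up session id.</para>

```shell
#!/bin/sh
# Added example, not part of systemd: how a program running inside a
# pam_systemd session should use the $XDG_RUNTIME_DIR and $XDG_SESSION_ID it
# inherits. It validates the runtime directory, derives session-private file
# names from $XDG_SESSION_ID (assigned once per boot, so names never collide
# across sessions) and tolerates a stale PID file left behind when an earlier
# session ended without cleaning up. The ownership check is this example's
# own hardening; the man page only states that the directory is
# user-private, user-writable and local.

# check_runtime_dir: 0 if $XDG_RUNTIME_DIR is set and usable, 1 otherwise
check_runtime_dir() {
    dir=${XDG_RUNTIME_DIR:-}
    if [ -z "$dir" ]; then echo "XDG_RUNTIME_DIR is not set"; return 1; fi
    case $dir in
        /*) ;;
        *) echo "XDG_RUNTIME_DIR is not an absolute path: $dir"; return 1;;
    esac
    if [ ! -d "$dir" ]; then echo "not a directory: $dir"; return 1; fi
    # -O (owned by the effective uid) is supported by bash and dash
    if [ ! -O "$dir" ]; then echo "not owned by uid $(id -u): $dir"; return 1; fi
    if [ ! -w "$dir" ]; then echo "not writable: $dir"; return 1; fi
    return 0
}

# session_private_path NAME: print "$XDG_RUNTIME_DIR/NAME.$XDG_SESSION_ID".
# Fails when the session id is missing so callers never fall back to a name
# shared between sessions.
session_private_path() {
    if [ -z "${XDG_SESSION_ID:-}" ]; then
        echo "XDG_SESSION_ID is not set"
        return 1
    fi
    printf '%s/%s.%s\n' "$XDG_RUNTIME_DIR" "$1" "$XDG_SESSION_ID"
}

# claim_pidfile NAME: record this shell's PID in the session-private PID file.
# A file whose recorded PID is no longer alive is stale and gets replaced; a
# live PID means another instance of NAME already runs in this session.
# Returns 0 on success (prints the path), 1 if a live instance holds it.
# kill -0 only succeeds for the caller's own processes, which is exactly what
# a user-private runtime directory should refer to.
claim_pidfile() {
    pidfile=$(session_private_path "$1.pid") || return 1
    if [ -f "$pidfile" ]; then
        old=$(cat "$pidfile" 2>/dev/null)
        if [ -n "$old" ]; then
            if kill -0 "$old" 2>/dev/null; then
                echo "$pidfile: pid $old is still running"
                return 1
            fi
        fi
        echo "$pidfile: stale entry '${old:-empty}' replaced"
    fi
    # create the file with a private mode before writing our own pid
    (umask 077; printf '%s\n' "$$" > "$pidfile")
    echo "$pidfile"
}

# Stand-alone demo. Outside a real pam_systemd session the variables are
# missing, so a temporary directory and a made-up session id are substituted
# (constructed input, not a real login session).
if [ -z "${XDG_RUNTIME_DIR:-}" ] || [ -z "${XDG_SESSION_ID:-}" ]; then
    XDG_RUNTIME_DIR=$(mktemp -d)
    XDG_SESSION_ID=demo
    export XDG_RUNTIME_DIR XDG_SESSION_ID
fi
if check_runtime_dir; then
    claim_pidfile agent
fi
```

                <para>Running the script a second time in the same session
                reports the live PID and refuses to overwrite the file;
                after the owning process is gone the file is detected as
                stale and reclaimed, which is the "must be able to deal
                with stale files" behaviour the description asks for.</para>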
        </refsect1>

        <refsect1>
                <title>Example</title>

                <programlisting>#%PAM-1.0
auth       required    pam_unix.so
auth       required    pam_nologin.so
account    required    pam_unix.so
password   required    pam_unix.so
session    required    pam_unix.so
session    required    pam_loginuid.so
session    required    pam_systemd.so kill-session-processes=1</programlisting>
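
                <para>The stanza above stacks
                <command>pam_loginuid.so</command> before
                <command>pam_systemd.so</command>, as the Description
                recommends. The following POSIX shell script is an added
                example (not part of systemd or of this man page) that audits
                a service file for that ordering and then reports, for a given
                user, what the <option>kill-session-processes=</option>,
                <option>kill-only-users=</option> and
                <option>kill-exclude-users=</option> arguments from the
                Options section amount to, with the exclude list taking
                precedence. The function names, the option parsing and the two
                sample service files are this example's own constructions and
                only approximate the module's real argument handling.</para>

```shell
#!/bin/sh
# Added example, not part of systemd: audit a PAM service file for the two
# things this page cares about. First, that pam_loginuid.so is stacked before
# pam_systemd.so in the "session" phase, so $XDG_SESSION_ID comes from the
# audit session id and not from the fallback counter. Second, what the
# kill-session-processes=, kill-only-users= and kill-exclude-users= arguments
# mean for a given user, applying the precedence from the Options section
# (the exclude list always wins). The parsing is this example's own
# approximation of the module's option handling.

# check_pam_order FILE
#   0: pam_loginuid.so precedes pam_systemd.so
#   1: pam_systemd.so is present but pam_loginuid.so is missing or comes later
#   2: pam_systemd.so is not in the session stack at all
check_pam_order() {
    # Only uncommented "session"/"-session" lines count. The module is matched
    # anywhere on the line because the control field may be a bracketed
    # expression such as [success=1 default=ignore] that contains spaces.
    loginuid_at=$(awk '$1 ~ /^-?session$/ { if ($0 ~ /pam_loginuid\.so/) { print NR; exit } }' "$1")
    systemd_at=$(awk '$1 ~ /^-?session$/ { if ($0 ~ /pam_systemd\.so/) { print NR; exit } }' "$1")
    if [ -z "$systemd_at" ]; then
        echo "$1: pam_systemd.so is not in the session stack"; return 2
    fi
    if [ -z "$loginuid_at" ]; then
        echo "$1: pam_loginuid.so missing, XDG_SESSION_ID will use the fallback counter"; return 1
    fi
    if [ "$loginuid_at" -gt "$systemd_at" ]; then
        echo "$1: pam_loginuid.so (line $loginuid_at) runs after pam_systemd.so (line $systemd_at)"; return 1
    fi
    echo "$1: ok, pam_loginuid.so (line $loginuid_at) precedes pam_systemd.so (line $systemd_at)"
}

# pam_systemd_opt FILE NAME: value of NAME= on the pam_systemd.so session line
# (empty when the option is absent or given with an empty value)
pam_systemd_opt() {
    awk -v name="$2" '$1 ~ /^-?session$/ { if ($0 ~ /pam_systemd\.so/) {
        for (i = NF; i > 1; i--)
            if (index($i, name "=") == 1) { print substr($i, length(name) + 2); exit }
    } }' "$1"
}

# in_list LIST USER UID: 0 when the comma-separated LIST names USER or UID
in_list() {
    case ",$1," in
        *",$2,"*|*",$3,"*) return 0;;
    esac
    return 1
}

# kills_user FILE USER UID: 0 if pam_systemd would kill USER's remaining
# session processes at logout under FILE's options, 1 otherwise
kills_user() {
    case "$(pam_systemd_opt "$1" kill-session-processes)" in
        1|yes|y|true|t|on) ;;
        *) return 1;;
    esac
    # kill-exclude-users= takes precedence over everything else
    if in_list "$(pam_systemd_opt "$1" kill-exclude-users)" "$2" "$3"; then
        return 1
    fi
    # an empty kill-only-users= means all local users
    only=$(pam_systemd_opt "$1" kill-only-users)
    if [ -z "$only" ]; then return 0; fi
    in_list "$only" "$2" "$3"
}

# write_samples DIR: constructed service files for a stand-alone run
write_samples() {
    printf '%s\n' '#%PAM-1.0' \
        'auth     required pam_unix.so' \
        'account  required pam_unix.so' \
        'session  required pam_unix.so' \
        'session  required pam_loginuid.so' \
        'session  required pam_systemd.so kill-session-processes=1 kill-only-users=alice,1001 kill-exclude-users=bob' \
        > "$1/good"
    printf '%s\n' '#%PAM-1.0' \
        'session  required pam_unix.so' \
        '# session required pam_loginuid.so   (commented out: must not count)' \
        'session  [success=1 default=ignore] pam_systemd.so debug=yes' \
        'session  required pam_loginuid.so' \
        > "$1/bad"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/good" "$dir/bad"; do
    check_pam_order "$f" || true
    for u in alice:1000 bob:1001 carol:1002; do
        if kills_user "$f" "${u%:*}" "${u#*:}"; then
            echo "  $u: session processes killed at logout"
        else
            echo "  $u: session processes kept"
        fi
    done
done
```

                <para>In the "good" sample, bob is kept even though his uid
                1001 appears in <option>kill-only-users=</option>, because
                <option>kill-exclude-users=</option> is subtracted first;
                alice is killed and carol, listed nowhere, is kept. The
                "bad" sample shows why the check ignores comment lines and
                field positions: the commented-out
                <command>pam_loginuid.so</command> must not count, and the
                bracketed control field shifts the module name to a later
                field. Point <function>check_pam_order</function> at
                <filename>/etc/pam.d/login</filename> or the service file of
                your display manager to audit a real system.</para>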
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>