<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="pam_systemd">

        <refentryinfo>
                <title>pam_systemd</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>pam_systemd</refentrytitle>
                <manvolnum>8</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>pam_systemd</refname>
                <refpurpose>Register user sessions in the systemd login manager</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <cmdsynopsis>
                        <command>pam_systemd.so</command>
                </cmdsynopsis>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para><command>pam_systemd</command> registers user
                sessions in the systemd login manager
                <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                and hence in the systemd control group hierarchy.</para>

                <para>On login, this module ensures the following:</para>

                <orderedlist>
                        <listitem><para>If it does not exist yet, the
                        user runtime directory
                        <filename>/run/user/$USER</filename> is
                        created and its ownership changed to the user
                        that is logging in.</para></listitem>

                        <listitem><para>The
                        <varname>$XDG_SESSION_ID</varname> environment
                        variable is initialized. If auditing is
                        available and
                        <command>pam_loginuid.so</command> is run before
                        this module (which is highly recommended), the
                        variable is initialized from the audit
                        session ID
                        (<filename>/proc/self/sessionid</filename>). Otherwise
                        an independent session counter is
                        used.</para></listitem>

                        <listitem><para>A new control group
                        <filename>/user/$USER/$XDG_SESSION_ID</filename>
                        is created and the login process is moved into
                        it.</para></listitem>
                </orderedlist>

                <para>On logout, this module ensures the following:</para>

                <orderedlist>
                        <listitem><para>If
                        <varname>$XDG_SESSION_ID</varname> is set and
                        <option>kill-session-processes=1</option> is specified, all
                        remaining processes in the
                        <filename>/user/$USER/$XDG_SESSION_ID</filename>
                        control group are killed and the control group
                        is removed.</para></listitem>

                        <listitem><para>If the last subgroup of the
                        <filename>/user/$USER</filename> control group
                        was removed, the
                        <varname>$XDG_RUNTIME_DIR</varname> directory
                        and all its contents are
                        removed, too.</para></listitem>
                </orderedlist>

                <para>If the system was not booted with systemd as
                init system, this module does nothing and immediately
                returns PAM_SUCCESS.</para>

        </refsect1>

        <refsect1>
                <title>Options</title>

                <para>The following options are understood:</para>

                <variablelist>
                        <varlistentry>
                                <term><option>kill-session-processes=</option></term>

                                <listitem><para>Takes a boolean
                                argument. If true, all processes
                                created by the user during his session
                                and from his session will be
                                terminated when he logs out from his
                                session.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>kill-only-users=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of user names or numeric user IDs
                                as argument. If this option is used,
                                the effect of the
                                <option>kill-session-processes=</option> option
                                applies only to the listed users. If
                                this option is not used, the option
                                applies to all local users. Note that
                                <option>kill-exclude-users=</option>
                                takes precedence over this list and is
                                hence subtracted from the list
                                specified here.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>kill-exclude-users=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of user names or numeric user IDs
                                as argument. Users listed in this
                                argument will not be subject to the
                                effect of
                                <option>kill-session-processes=</option>. Note
                                that this option takes precedence over
                                <option>kill-only-users=</option>, and
                                hence whatever is listed for
                                <option>kill-exclude-users=</option>
                                is guaranteed to never be killed by
                                this PAM module, independent of any
                                other configuration
                                setting.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>controllers=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of control group controllers. In
                                the hierarchy of each listed controller
                                a user/session control group is created
                                by default for each user logging in, in
                                addition to the control group in the
                                named 'name=systemd' hierarchy. If
                                omitted, defaults to an empty
                                list.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>reset-controllers=</option></term>

                                <listitem><para>Takes a comma-separated
                                list of control group controllers. In
                                the hierarchy of each listed controller
                                the processes of the login session are
                                reset to the root control
                                group.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>debug=</option></term>

                                <listitem><para>Takes a boolean
                                argument. If yes, the module will log
                                debugging information as it
                                operates.</para></listitem>
                        </varlistentry>
                </variablelist>

                <para>Note that setting
                <varname>kill-session-processes=1</varname> will break tools
                like
                <citerefentry><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

                <para>Note that
                <varname>kill-session-processes=1</varname> is a
                stricter version of
                <varname>KillUserProcesses=1</varname>, which may be
                configured system-wide in
                <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
                former kills the processes of a session as soon as it
                ends; the latter kills them as soon as the last
                session of the user ends.</para>

                <para>If the options are omitted they default to
                <option>kill-session-processes=0</option>,
                <option>kill-only-users=</option>,
                <option>kill-exclude-users=</option>,
                <option>controllers=</option>,
                <option>reset-controllers=</option>,
                <option>debug=no</option>.</para>
        </refsect1>
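The following is an added example, not code from systemd or this man page: it parses the module argument vector as it would appear after pam_systemd.so on a pam.d session line and evaluates, for one user, whether the documented kill-session-processes=, kill-only-users= and kill-exclude-users= semantics (exclusion wins, an empty only-list means everyone) would kill that user's session processes at logout. Which spellings count as a boolean is an assumption of the example.

```python
# Added example, not systemd's code: evaluate the logout kill policy that the
# options above express for one user.  Accepting 1/yes/true/on and
# 0/no/false/off as boolean spellings is an assumption of this example.

DEFAULTS = {  # the documented defaults used when an option is omitted
    "kill-session-processes": "0", "kill-only-users": "",
    "kill-exclude-users": "", "controllers": "",
    "reset-controllers": "", "debug": "no",
}
TRUE_WORDS = ("1", "yes", "true", "on")
FALSE_WORDS = ("0", "no", "false", "off")

def parse_bool(value):
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a boolean: %r" % value)

def parse_module_args(argv):
    """argv: the words after pam_systemd.so on the pam.d session line."""
    opts = dict(DEFAULTS)
    for arg in argv:
        key, sep, value = arg.partition("=")
        if not sep or key not in opts:
            raise ValueError("unknown or malformed option: %r" % arg)
        opts[key] = value
    return opts

def user_list(value):
    """Comma-separated user names or numeric UIDs.  All-digit entries are
    kept as ints so that '1000' matches a UID rather than a user name."""
    items = (i.strip() for i in value.split(","))
    return {int(i) if i.isdigit() else i for i in items if i}

def should_kill_session_processes(opts, name, uid):
    """kill-exclude-users= takes precedence over kill-only-users=; an empty
    kill-only-users= puts every local user in scope."""
    if not parse_bool(opts["kill-session-processes"]):
        return False
    ident = {name, uid}
    if ident & user_list(opts["kill-exclude-users"]):
        return False
    only = user_list(opts["kill-only-users"])
    return not only or bool(ident & only)
```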

        <refsect1>
                <title>Module Types Provided</title>

                <para>Only <option>session</option> is provided.</para>
        </refsect1>

        <refsect1>
                <title>Environment</title>

                <para>The following environment variables are set for the processes of the user's session:</para>

                <variablelist>
                        <varlistentry>
                                <term><varname>$XDG_SESSION_ID</varname></term>

                                <listitem><para>A session identifier,
                                suitable to be used in file names. The
                                string itself should be considered
                                opaque, although often it is just the
                                audit session ID as reported by
                                <filename>/proc/self/sessionid</filename>. Each
                                ID will be assigned only once during
                                machine uptime. It may hence be used
                                to uniquely label files or other
                                resources of this
                                session.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><varname>$XDG_RUNTIME_DIR</varname></term>

                                <listitem><para>Path to a user-private
                                user-writable directory that is bound
                                to the user login time on the
                                machine. It is automatically created
                                the first time a user logs in and
                                removed on his final logout. If a user
                                logs in twice at the same time, both
                                sessions will see the same
                                <varname>$XDG_RUNTIME_DIR</varname>
                                and the same contents. If a user logs
                                in once, then logs out again, and logs
                                in again, the directory contents will
                                have been lost in between, but
                                applications should not rely on this
                                behaviour and must be able to deal with
                                stale files. To store session-private
                                data in this directory the user should
                                include the value of <varname>$XDG_SESSION_ID</varname>
                                in the filename. This directory shall
                                be used for runtime file system
                                objects such as AF_UNIX sockets,
                                FIFOs, PID files and similar. It is
                                guaranteed that this directory is
                                local and offers the greatest possible
                                file system feature set the
                                operating system
                                provides.</para></listitem>
                        </varlistentry>
                </variablelist>
        </refsect1>
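An added example (not part of this man page or of systemd) of how an application consuming these two variables would act on the text above: it refuses a $XDG_RUNTIME_DIR that is not a directory owned by the calling user, and it derives session-private file names by embedding $XDG_SESSION_ID, so two concurrent logins sharing one runtime directory do not collide. Requiring mode 0700 and a restricted character set for the session ID are this example's own conservative checks, not something the page specifies.

```python
# Added example, not systemd's code: checks an application can make before
# trusting $XDG_RUNTIME_DIR for sockets, FIFOs and PID files, and how to derive
# a session-private file name from $XDG_SESSION_ID as the text above advises.
# Requiring mode 0700 (no group/other bits) is this example's own hardening
# choice; the page only states that ownership is changed to the user.
import os
import re
import stat

# The page calls the ID opaque but usable in file names; this example only
# accepts characters that cannot act as a path separator (an assumption).
_SAFE_ID = re.compile(r"^[A-Za-z0-9_.-]+$")

def runtime_dir_is_trustworthy(path, uid):
    """True only if path is a real directory (not a symlink), owned by uid,
    and inaccessible to group and others.  Anything else is treated as stale
    or tampered with and must not be used for AF_UNIX sockets or PID files."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
        return False
    return (st.st_mode & 0o077) == 0

def session_private_path(runtime_dir, session_id, name):
    """Build <runtime_dir>/<name>-<session_id>.  Concurrent logins share the
    same $XDG_RUNTIME_DIR, so the session ID keeps their objects apart; the
    page guarantees the ID is assigned only once per machine uptime."""
    if not _SAFE_ID.match(session_id):
        raise ValueError("unexpected characters in $XDG_SESSION_ID: %r" % session_id)
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("bad object name: %r" % name)
    return os.path.join(runtime_dir, "%s-%s" % (name, session_id))

def session_socket_path(environ, uid, name="agent.sock"):
    """Resolve a socket path from a process environment (a dict such as
    os.environ); None means 'no usable pam_systemd runtime dir, fall back'."""
    runtime_dir = environ.get("XDG_RUNTIME_DIR")
    session_id = environ.get("XDG_SESSION_ID")
    if not runtime_dir or not session_id:
        return None
    if not runtime_dir_is_trustworthy(runtime_dir, uid):
        return None
    return session_private_path(runtime_dir, session_id, name)
```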

        <refsect1>
                <title>Example</title>

                <programlisting>#%PAM-1.0
auth       required pam_unix.so
auth       required pam_nologin.so
account    required pam_unix.so
password   required pam_unix.so
session    required pam_unix.so
session    required pam_loginuid.so
session    required pam_systemd.so kill-session-processes=1</programlisting>
        </refsect1>
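As an added example that is not part of this man page or of systemd, the following lint reads a pam.d service file such as the one above and checks the two points the page makes about the stack: pam_systemd.so provides only the session type, and pam_loginuid.so should run before it so that $XDG_SESSION_ID is taken from the audit session ID rather than the fallback counter. The parser is deliberately minimal and handles neither @include nor bracketed control values.

```python
# Added example, not systemd's code: a lint for a pam.d service file that
# checks the two points the page makes about the stack above: pam_systemd.so
# provides only the session type, and pam_loginuid.so should run before it
# so that $XDG_SESSION_ID comes from the audit session ID.  The parser is
# deliberately minimal: '#' comments, one 'type control module [args]' entry
# per line; '@include' and bracketed control values are not handled.
SAMPLE_PAMD = """#%PAM-1.0
auth       required pam_unix.so
auth       required pam_nologin.so
account    required pam_unix.so
password   required pam_unix.so
session    required pam_unix.so
session    required pam_loginuid.so
session    required pam_systemd.so kill-session-processes=1
"""  # constructed from the man page's own example stack

def parse_pamd(text):
    """Return (type, control, module, args) tuples for each effective line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % line)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def lint_pam_systemd(text):
    """Return a list of findings; an empty list means the stack follows
    the page's recommendations."""
    entries = parse_pamd(text)
    findings = [
        "pam_systemd.so used for type %r, but only 'session' is provided" % t
        for t, _, m, _ in entries if m == "pam_systemd.so" and t != "session"
    ]
    session = [m for t, _, m, _ in entries if t == "session"]
    if "pam_systemd.so" not in session:
        findings.append("pam_systemd.so is missing from the session stack")
    elif ("pam_loginuid.so" not in session
          or session.index("pam_loginuid.so") > session.index("pam_systemd.so")):
        findings.append("pam_loginuid.so does not run before pam_systemd.so; "
                        "$XDG_SESSION_ID will fall back to the session counter")
    return findings
```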

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>