[thirdparty/systemd.git] / units / systemd-logind.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=User Login Management
Documentation=man:sd-login(3)
Documentation=man:systemd-logind.service(8)
Documentation=man:logind.conf(5)
Documentation=man:org.freedesktop.login1(5)

Wants=user.slice modprobe@drm.service
After=nss-user-lookup.target user.slice modprobe@drm.service

# Ask for the dbus socket.
Wants=dbus.socket
After=dbus.socket

[Service]
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
DeviceAllow=block-* r
DeviceAllow=char-/dev/console rw
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
ExecStart={{LIBEXECDIR}}/systemd-logind
FileDescriptorStoreMax=768
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
# We don't use ProtectProc= since we need to look for usernames and tty for wall messages
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict
ReadWritePaths=/etc /run
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
StateDirectory=systemd/linger
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify-reload
{{SERVICE_WATCHDOG}}

# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
Commit	Line	Data
db9ecf05	1	# SPDX-License-Identifier: LGPL-2.1-or-later
a7df2d1e	2	#
91f9dcaf LP	3	# This file is part of systemd.
	4	#
	5	# systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	6	# under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	7	# the Free Software Foundation; either version 2.1 of the License, or
91f9dcaf LP	8	# (at your option) any later version.
91f9dcaf LP	9
91f9dcaf	10	[Unit]
cd7e1e1a	11	Description=User Login Management
515736d0	12	Documentation=man:sd-login(3)
21006e0e ZJS	13	Documentation=man:systemd-logind.service(8)
	14	Documentation=man:logind.conf(5)
	15	Documentation=man:org.freedesktop.login1(5)
21006e0e	16
62507726 IL	17	Wants=user.slice modprobe@drm.service
62507726 IL	18	After=nss-user-lookup.target user.slice modprobe@drm.service
91f9dcaf	19
a132bef0	20	# Ask for the dbus socket.
8f9c6fe5 ZJS	21	Wants=dbus.socket
	22	After=dbus.socket
	23
91f9dcaf	24	[Service]
91f9dcaf	25	BusName=org.freedesktop.login1
11dce8e2	26	CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
10b1d42e	27	DeviceAllow=block-* r
9af28206 TM	28	DeviceAllow=char-/dev/console rw
	29	DeviceAllow=char-drm rw
	30	DeviceAllow=char-input rw
	31	DeviceAllow=char-tty rw
	32	DeviceAllow=char-vcs rw
b0d3095f	33	ExecStart={{LIBEXECDIR}}/systemd-logind
9d5b6901	34	FileDescriptorStoreMax=768
3ca9940c LP	35	IPAddressDeny=any
3ca9940c LP	36	LockPersonality=yes
40652ca4	37	MemoryDenyWriteExecute=yes
3ca9940c	38	NoNewPrivileges=yes
11dce8e2	39	PrivateTmp=yes
ba679b8d	40	# We don't use ProtectProc= since we need to look for usernames and tty for wall messages
cabc1c6d	41	ProtectClock=yes
11dce8e2 ZJS	42	ProtectControlGroups=yes
11dce8e2 ZJS	43	ProtectHome=yes
99894b86	44	ProtectHostname=yes
6168ae58	45	ProtectKernelLogs=yes
24da96a1	46	ProtectKernelModules=yes
11dce8e2 ZJS	47	ProtectSystem=strict
11dce8e2 ZJS	48	ReadWritePaths=/etc /run
3ca9940c LP	49	Restart=always
3ca9940c LP	50	RestartSec=0
dea63635	51	RestrictAddressFamilies=AF_UNIX AF_NETLINK
3ca9940c LP	52	RestrictNamespaces=yes
3ca9940c LP	53	RestrictRealtime=yes
62aa2924	54	RestrictSUIDSGID=yes
11dce8e2 ZJS	55	RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
11dce8e2 ZJS	56	RuntimeDirectoryPreserve=yes
19483c60	57	StateDirectory=systemd/linger
7f396e5f	58	SystemCallArchitectures=native
3ca9940c LP	59	SystemCallErrorNumber=EPERM
3ca9940c LP	60	SystemCallFilter=@system-service
5d71e463	61	Type=notify-reload
059cc610	62	{{SERVICE_WATCHDOG}}
f84aea43	63
c35ee02c LP	64	# Increase the default a bit in order to allow many simultaneous logins since
c35ee02c LP	65	# we keep one fd open per session.
059cc610	66	LimitNOFILE={{HIGH_RLIMIT_NOFILE}}