<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="pam_systemd" conditional='HAVE_PAM'>
+<refentry id="pam_systemd" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>pam_systemd</title>
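Review bot: the `xmlns:xi` declaration added to the root `<refentry>` element is what makes the `<xi:include href="version-info.xml" .../>` elements added further down well-formed, so these two hunks must land together; the DTD URL bump from 4.2 to 4.5 is consistent with the `V4.5` public identifier already on the DOCTYPE line. Nothing to change here beyond keeping the namespace change paired with the includes.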
<varlistentry>
<term><varname>class=</varname></term>
- <listitem><para>Takes a string argument which sets the session class. The <varname>XDG_SESSION_CLASS</varname>
- environment variable (see below) takes precedence. One of <literal>user</literal>, <literal>greeter</literal>,
- <literal>lock-screen</literal> or <literal>background</literal>. See
- <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
- details about the session class.</para></listitem>
+ <listitem><para>Takes a string argument which sets the session class. The
+ <varname>XDG_SESSION_CLASS</varname> environment variable (see below) takes precedence. See
+ <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ for a way to query the class of a session. The following session classes are defined:</para>
+
+ <table>
+ <title>Session Classes</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname="name" />
+ <colspec colname="explanation" />
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Explanation</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><constant>user</constant></entry>
+ <entry>A regular interactive user session. This is the default class for sessions for which a TTY or X display is known at session registration time.</entry>
+ </row>
+ <row>
+ <entry><constant>user-early</constant></entry>
+ <entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>user-incomplete</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
+ </row>
+ <row>
+ <entry><constant>greeter</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions that are spawned by a display manager ephemerally and which prompt the user for login credentials.</entry>
+ </row>
+ <row>
+ <entry><constant>lock-screen</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions that are spawned by a display manager ephemerally and which show a lock screen that can be used to unlock locked user accounts or sessions.</entry>
+ </row>
+ <row>
+ <entry><constant>background</constant></entry>
+ <entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
+ </row>
+ <row>
+ <entry><constant>background-light</constant></entry>
+ <entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>manager</constant></entry>
+ <entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>manager-early</constant></entry>
+ <entry>Similar to <constant>manager</constant>, but for the root user. Compare with the <constant>user</constant> vs. <constant>user-early</constant> situation. (Added in v256.)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <xi:include href="version-info.xml" xpointer="v197"/></listitem>
</varlistentry>
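Review bot: the new class table is inconsistent about version markers and inline markup. `user-incomplete` was not in the old four-item list either, yet it carries no "(Added in vNNN)" note while `user-early`, `background-light`, `manager` and `manager-early` do; either add one or say why it is omitted. The `user` class is written as `<literal>user</literal>` in the `user-early`, `user-incomplete`, `greeter` and `lock-screen` rows but as `<constant>user</constant>` in the name column and in the last sentence of the `user-early` row; use `<constant>` throughout, as the name column does. The `user-early` row is also the one with security weight: it says root sessions are by default not ordered after `systemd-user-sessions.service`, i.e. are not held back by the gate that applies to regular sessions, and a short sentence on why root is exempted would serve readers better than only "see above".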
<varlistentry>
<listitem><para>Takes a string argument which sets the session type. The <varname>XDG_SESSION_TYPE</varname>
environment variable (see below) takes precedence. One of <literal>unspecified</literal>,
- <literal>tty</literal>, <literal>x11</literal>, <literal>wayland</literal> or <literal>mir</literal>. See
+ <literal>tty</literal>, <literal>x11</literal>, <literal>wayland</literal>, <literal>mir</literal>, or
+ <literal>web</literal>. See
<citerefentry><refentrytitle>sd_session_get_type</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
- details about the session type.</para></listitem>
+ details about the session type.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
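Review bot: the new `web` session type gets no version marker, whereas the new rows in the class table above say in which release they appeared; the `xi:include` at the end of this entry points at v209, the release of `type=` itself, so readers cannot tell that `web` is newer. Add an "(Added in vNNN)" note to the `web` item with the release that introduced it.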
<varlistentry>
indicate the session desktop used, where this applies and if this information is available. For example:
<literal>GNOME</literal>, or <literal>KDE</literal>. It is recommended to use the same identifiers and
capitalization as for <varname>$XDG_CURRENT_DESKTOP</varname>, as defined by the <ulink
- url="http://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop Entry
+ url="https://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop Entry
Specification</ulink>. (However, note that the option only takes a single item, and not a colon-separated list
like <varname>$XDG_CURRENT_DESKTOP</varname>.) See
<citerefentry><refentrytitle>sd_session_get_desktop</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
- further details.</para></listitem>
+ further details.</para>
+
+ <xi:include href="version-info.xml" xpointer="v240"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>default-capability-bounding-set=</varname></term>
+ <term><varname>default-capability-ambient-set=</varname></term>
+
+ <listitem><para>Takes a comma-separated list of process capabilities
+ (e.g. <constant>CAP_WAKE_ALARM</constant>, <constant>CAP_BLOCK_SUSPEND</constant>, …) to set for the
+ invoked session's processes, if the user record does not encode appropriate sets of capabilities
+ directly. See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details on the capabilities concept. If not specified, the default bounding set is left as is
+ (i.e. usually contains the full set of capabilities). The default ambient set is set to
+ <constant>CAP_WAKE_ALARM</constant> for regular users if the PAM session is associated with a local
+ seat or if it is invoked for the <literal>systemd-user</literal> service. Otherwise defaults to the
+ empty set.</para>
+
+ <xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry>
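Review bot: the interaction between the two new options is left implicit. The text states the defaults for each (bounding set left as-is; ambient set `CAP_WAKE_ALARM` on a local seat or for `systemd-user`, otherwise empty), but not what happens when `default-capability-ambient-set=` names a capability that `default-capability-bounding-set=` excludes, nor whether each default still applies when only the other option is given. One sentence covering both cases would close that gap, and it is the kind of detail an administrator will check before granting anything beyond `CAP_WAKE_ALARM`.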
<varlistentry>
similar. It is guaranteed that this directory is local and
offers the greatest possible file system feature set the
operating system provides. For further details, see the <ulink
- url="http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
+ url="https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
Base Directory Specification</ulink>. <varname>$XDG_RUNTIME_DIR</varname>
is not set if the current user is not the original user of the session.</para></listitem>
</varlistentry>
<term><varname>$LANG</varname></term>
<listitem><para>If a JSON user record is known for the user logging in these variables are
- initialized from the respective data in the record.</para></listitem>
+ initialized from the respective data in the record.</para>
+
+ <xi:include href="version-info.xml" xpointer="v245"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$SHELL_PROMPT_PREFIX</varname></term>
+ <term><varname>$SHELL_PROMPT_SUFFIX</varname></term>
+ <term><varname>$SHELL_WELCOME</varname></term>
+
+ <listitem><para>These environment variables are initialized from the service credentials
+ <literal>shell.prompt.prefix</literal>, <literal>shell.prompt.suffix</literal> and
+ <literal>shell.welcome</literal> if set. They are passed to the invoked session processes, where they
+ are imported into any shell prompt (specifically <varname>$SHELL_PROMPT_PREFIX</varname> is added as
+ prefix to <varname>$PS1</varname>, and <varname>$SHELL_PROMPT_SUFFIX</varname> as suffix) or printed
+ on screen when a shell first initializes.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
</variablelist>
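Review bot: the parenthetical explains what happens to `$SHELL_PROMPT_PREFIX` and `$SHELL_PROMPT_SUFFIX` but not which variable is "printed on screen when a shell first initializes"; name `$SHELL_WELCOME` there explicitly. It would also help to state the trust boundary: the values come from service credentials and, per this text, are added to `$PS1` by the shell, so the entry should say that these credentials are expected to be provisioned by the service manager rather than leaving readers to infer who controls them.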
<term><varname>$XDG_SESSION_TYPE</varname></term>
<listitem><para>The session type. This may be used instead of <varname>type=</varname> on the module parameter
- line, and is usually preferred.</para></listitem>
+ line, and is usually preferred.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>$XDG_SESSION_CLASS</varname></term>
<listitem><para>The session class. This may be used instead of <varname>class=</varname> on the module parameter
- line, and is usually preferred.</para></listitem>
+ line, and is usually preferred.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>$XDG_SESSION_DESKTOP</varname></term>
<listitem><para>The desktop identifier. This may be used instead of <varname>desktop=</varname> on the module
- parameter line, and is usually preferred.</para></listitem>
+ parameter line, and is usually preferred.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>$XDG_SEAT</varname></term>
<listitem><para>The seat name the session shall be registered
- for, if any.</para></listitem>
+ for, if any.</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>The VT number the session shall be registered
for, if any. (Only applies to seats with a VT available, such
- as <literal>seat0</literal>)</para></listitem>
+ as <literal>seat0</literal>)</para>
+
+ <xi:include href="version-info.xml" xpointer="v209"/></listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term><varname>systemd.memory_max=</varname></term>
- <listitem><para>Sets unit <varname>MemoryMax=</varname>.</para></listitem>
+ <listitem><para>Sets unit <varname>MemoryMax=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.tasks_max=</varname></term>
- <listitem><para>Sets unit <varname>TasksMax=</varname>.</para></listitem>
+ <listitem><para>Sets unit <varname>TasksMax=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.cpu_weight=</varname></term>
- <listitem><para>Sets unit <varname>CPUWeight=</varname>.</para></listitem>
+ <listitem><para>Sets unit <varname>CPUWeight=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.io_weight=</varname></term>
- <listitem><para>Sets unit <varname>IOWeight=</varname>.</para></listitem>
+ <listitem><para>Sets unit <varname>IOWeight=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.runtime_max_sec=</varname></term>
- <listitem><para>Sets unit <varname>RuntimeMaxSec=</varname>.</para></listitem>
+ <listitem><para>Sets unit <varname>RuntimeMaxSec=</varname>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v244"/></listitem>
</varlistentry>
</variablelist>
account required pam_permit.so
-password sufficient pam_systemd_home.so
-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
-
+password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
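Review bot: two of the removals in this example stack change behaviour, not just the example's shape. Dropping `use_authtok` from the `pam_unix.so` line is consistent with dropping `pam_systemd_home.so` just above it (with no earlier password module left in the stack there is no token for `pam_unix` to reuse), so that pair is fine. But `session optional pam_keyinit.so revoke` disappears with no replacement visible in the hunk; unless it reappears elsewhere in the example, keep it, since it is what gives each login its own session keyring instead of the one inherited from the login process.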
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ </simplelist></para>
</refsect1>
</refentry>