From: Lennart Poettering Date: Tue, 19 Nov 2019 10:30:41 +0000 (+0100) Subject: man: document new pam_systemd features in man page X-Git-Tag: v245-rc1~116^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc89f88e56cd13a0caec4fa2adfecf9ae9c04c0c;p=thirdparty%2Fsystemd.git

man: document new pam_systemd features in man page

This also updates the suggested PAM snippet in a number of ways:

1. Be closer to the logic nowadays implemented in Fedora where the auth/account/password stacks are all finished off with pam_{deny|permit}.so
2. Make pam_unix.so just "sufficient" instead of "required" (paving ground for pam_systemd_home.so being hooked in as additional sufficient module).
3. Only do pam_nologin in the "account" stack, since it's about account validity really.
4. Use modern parameters to pam_unix when changing passwords, i.e. sha512 and shadow, and use already set up passwords (preparing ground for pam_systemd_home again)

--- diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index 470c1a4c426..694371c2c47 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -32,6 +32,10 @@ systemd-logind.service8, and hence the systemd control group hierarchy. + The module also applies various resource management and runtime parameters to the new session, as + configured in the JSON User Record of the user, when + one is defined. + On login, this module — in conjunction with systemd-logind.service — ensures the following: 
@@ -48,7 +52,12 @@ A new systemd scope unit is created for the session. If this is the first concurrent session of the user, an implicit per-user slice unit below user.slice is automatically created and the scope placed into it. An instance of the system service user@.service, which runs the - systemd user manager instance, is started. + systemd user manager instance, is started. + + The $TZ, $EMAIL and $LANG + environment variables are configured for the user, based on the respective data from the user's JSON + record (if it is defined). Moreover, any environment variables explicitly configured in the user record + are imported, and the umask, nice level, and resource limits initialized. On logout, this module ensures the following: @@ -172,6 +181,15 @@ is not set if the current user is not the original user of the session. + + $TZ + $EMAIL + $LANG + + If a JSON user record is known for the user logging in these variables are + initialized from the respective data in the record. + + The following environment variables are read by the module and may be used by the PAM service to pass @@ -286,14 +304,23 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup); Example + Here's an example PAM configuration fragment that allows users sessions to be managed by + systemd-logind.service: + #%PAM-1.0 -auth required pam_unix.so -auth required pam_nologin.so -account required pam_unix.so -password required pam_unix.so -session required pam_unix.so -session required pam_loginuid.so -session required pam_systemd.so +auth sufficient pam_unix.so +auth required pam_deny.so + +account required pam_nologin.so +account sufficient pam_unix.so +account required pam_permit.so + +password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok +password required pam_deny.so + +-session optional pam_loginuid.so +-session optional pam_systemd.so +session required pam_unix.so 
@@ -303,6 +330,7 @@ session required pam_systemd.so systemd-logind.service8, logind.conf5, loginctl1, + pam_systemd_home8, pam.conf5, pam.d5, pam8,
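Review bot: In the first hunk (@@ -32,6 +32,10 @@), "various resource management and runtime parameters" is too vague for the module's opening description; since the second hunk spells them out (umask, nice level, resource limits, environment variables from the record), either enumerate them here or point the reader to that later paragraph, and state explicitly that these settings come from the user's own JSON record only when logind knows one for the user, so an administrator reading the summary can tell which session properties a user record can influence.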
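Review bot: In the second hunk (@@ -48,7 +52,12 @@), the removed and re-added line "systemd user manager instance, is started." reads identically in both versions, so this looks like a whitespace-only change that could be dropped to keep the hunk minimal. More importantly, the new paragraph says variables "explicitly configured in the user record are imported" but does not say how they interact with variables already set earlier in the PAM stack (for example by pam_env) or by the calling service; the man page should state the precedence, since record-supplied values silently overriding service-configured ones is exactly what an administrator would need to know about when auditing a login path.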
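Review bot: In the third hunk (@@ -172,6 +181,15 @@), the sentence "If a JSON user record is known for the user logging in these variables are initialized" is missing a comma after "logging in" and is ambiguous as written; suggest "If a JSON user record is known for the user logging in, these variables are initialized from the respective data in the record." This entry also repeats the second hunk nearly verbatim, so one of the two could simply cross-reference the other.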
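Review bot: In the fourth hunk (@@ -286,14 +304,23 @@), the password line uses "try_authtok", which is not an option I know pam_unix to document (its documented option is "use_authtok", as in the Fedora stack this is modelled on); since pam_unix only warns about unrecognized options rather than failing, a typo here would go unnoticed at runtime, so please double-check and likely change it to "password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok". The lead-in text also needs "allows users sessions" changed to "allows user sessions". Finally, the example marks both pam_loginuid.so and pam_systemd.so as "-session optional", which means a missing module is skipped silently and a failure to register the session with systemd-logind does not block the login; that is a reasonable default, but the surrounding text should say so, because an administrator who expects logind session tracking to be enforced would otherwise not realise it degrades silently.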