2020-11-09 07:23:58 +03:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2017-11-18 19:35:03 +03:00
#
2011-06-17 02:15:02 +04:00
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
2012-04-12 02:20:58 +04:00
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
2011-06-17 02:15:02 +04:00
# (at your option) any later version.
[Unit]
2020-04-23 10:59:03 +03:00
Description = User Login Management
2020-10-15 21:49:18 +03:00
Documentation = man:sd-login(3)
2020-09-29 09:03:10 +03:00
Documentation = man:systemd-logind.service(8)
Documentation = man:logind.conf(5)
Documentation = man:org.freedesktop.login1(5)
2020-01-07 17:33:29 +03:00
Wants = user.slice modprobe@drm.service
After = nss-user-lookup.target user.slice modprobe@drm.service
2011-06-17 02:15:02 +04:00
2017-07-23 18:45:57 +03:00
# Ask for the dbus socket.
2014-02-15 02:01:43 +04:00
Wants = dbus.socket
After = dbus.socket
2011-06-17 02:15:02 +04:00
[Service]
BusName = org.freedesktop.login1
2018-12-18 17:05:48 +03:00
CapabilityBoundingSet = CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
2019-08-02 23:05:43 +03:00
DeviceAllow = block-* r
2019-05-01 15:28:36 +03:00
DeviceAllow = char-/dev/console rw
DeviceAllow = char-drm rw
DeviceAllow = char-input rw
DeviceAllow = char-tty rw
DeviceAllow = char-vcs rw
2021-05-16 12:55:36 +03:00
ExecStart = {{ROOTLIBEXECDIR}}/systemd-logind
2018-11-12 19:19:48 +03:00
FileDescriptorStoreMax = 512
IPAddressDeny = any
LockPersonality = yes
2016-06-08 15:23:37 +03:00
MemoryDenyWriteExecute = yes
2018-11-12 19:19:48 +03:00
NoNewPrivileges = yes
2018-12-18 17:05:48 +03:00
PrivateTmp = yes
2021-12-17 15:19:25 +03:00
# We don't use ProtectProc= since we need to look for usernames and tty for wall messages
2020-04-02 21:18:11 +03:00
ProtectClock = yes
2018-12-18 17:05:48 +03:00
ProtectControlGroups = yes
ProtectHome = yes
2019-02-19 01:30:12 +03:00
ProtectHostname = yes
2019-11-14 03:56:23 +03:00
ProtectKernelLogs = yes
2020-08-06 15:50:38 +03:00
ProtectKernelModules = yes
2018-12-18 17:05:48 +03:00
ProtectSystem = strict
ReadWritePaths = /etc /run
2018-11-12 19:19:48 +03:00
Restart = always
RestartSec = 0
2018-04-27 12:11:29 +03:00
RestrictAddressFamilies = AF_UNIX AF_NETLINK
2018-11-12 19:19:48 +03:00
RestrictNamespaces = yes
RestrictRealtime = yes
2019-03-20 21:52:20 +03:00
RestrictSUIDSGID = yes
2018-12-18 17:05:48 +03:00
RuntimeDirectory = systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve = yes
2019-04-28 12:17:59 +03:00
StateDirectory = systemd/linger
2017-02-09 00:32:37 +03:00
SystemCallArchitectures = native
2018-11-12 19:19:48 +03:00
SystemCallErrorNumber = EPERM
SystemCallFilter = @system-service
2021-05-16 12:55:36 +03:00
{ { S E R V I C E _ W A T C H D O G } }
2011-10-11 06:43:29 +04:00
2018-10-01 19:08:27 +03:00
# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
2021-05-16 12:55:36 +03:00
LimitNOFILE = {{HIGH_RLIMIT_NOFILE}}