2010-06-24 02:11:04 +04:00
<?xml version='1.0'?> <!-- * - nxml - * -->
< !DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
2012-04-12 02:20:58 +04:00
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
2010-06-24 02:11:04 +04:00
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2012-04-12 02:20:58 +04:00
Lesser General Public License for more details.
2010-06-24 02:11:04 +04:00
2012-04-12 02:20:58 +04:00
You should have received a copy of the GNU Lesser General Public License
2010-06-24 02:11:04 +04:00
along with systemd; If not, see <http: / / w w w . g n u . o r g / l i c e n s e s /> .
-->
<refentry id= "pam_systemd" >
<refentryinfo >
<title > pam_systemd</title>
<productname > systemd</productname>
<authorgroup >
<author >
<contrib > Developer</contrib>
<firstname > Lennart</firstname>
<surname > Poettering</surname>
<email > lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta >
<refentrytitle > pam_systemd</refentrytitle>
<manvolnum > 8</manvolnum>
</refmeta>
<refnamediv >
<refname > pam_systemd</refname>
2012-06-01 02:14:07 +04:00
<refpurpose > Register user sessions in the systemd login manager</refpurpose>
2010-06-24 02:11:04 +04:00
</refnamediv>
<refsynopsisdiv >
2013-02-14 07:46:37 +04:00
<para > <filename > pam_systemd.so</filename> </para>
2010-06-24 02:11:04 +04:00
</refsynopsisdiv>
<refsect1 >
<title > Description</title>
<para > <command > pam_systemd</command> registers user
2012-06-01 02:14:07 +04:00
sessions in the systemd login manager
<citerefentry > <refentrytitle > systemd-logind.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> ,
and hence the systemd control group hierarchy.</para>
2010-06-24 02:11:04 +04:00
<para > On login, this module ensures the following:</para>
<orderedlist >
2010-06-25 02:04:29 +04:00
<listitem > <para > If it does not exist yet, the
2010-06-24 02:11:04 +04:00
user runtime directory
2011-04-01 17:25:46 +04:00
<filename > /run/user/$USER</filename> is
2010-06-24 02:11:04 +04:00
created and its ownership changed to the user
that is logging in.</para> </listitem>
2011-06-29 04:46:20 +04:00
<listitem > <para > The
2010-06-24 02:11:04 +04:00
<varname > $XDG_SESSION_ID</varname> environment
variable is initialized. If auditing is
available and
<command > pam_loginuid.so</command> run before
2010-06-25 02:04:29 +04:00
this module (which is highly recommended), the
2010-06-24 02:11:04 +04:00
variable is initialized from the auditing
session id
(<filename > /proc/self/sessionid</filename> ). Otherwise
an independent session counter is
used.</para> </listitem>
2011-06-29 04:46:20 +04:00
<listitem > <para > A new control group
2010-06-24 02:11:04 +04:00
<filename > /user/$USER/$XDG_SESSION_ID</filename>
is created and the login process moved into
it.</para> </listitem>
</orderedlist>
<para > On logout, this module ensures the following:</para>
<orderedlist >
<listitem > <para > If
<varname > $XDG_SESSION_ID</varname> is set and
2011-06-29 04:46:20 +04:00
<option > kill-session-processes=1</option> specified, all
2010-06-24 02:11:04 +04:00
remaining processes in the
<filename > /user/$USER/$XDG_SESSION_ID</filename>
control group are killed and the control group
2010-06-25 02:04:29 +04:00
is removed.</para> </listitem>
2010-06-24 02:11:04 +04:00
2012-09-12 00:53:48 +04:00
<listitem > <para > If the last subgroup of the
2010-06-24 02:11:04 +04:00
<filename > /user/$USER</filename> control group
was removed the
<varname > $XDG_RUNTIME_DIR</varname> directory
and all its contents are
removed, too.</para> </listitem>
</orderedlist>
<para > If the system was not booted up with systemd as
2010-06-25 02:04:29 +04:00
init system, this module does nothing and immediately
2010-06-24 02:11:04 +04:00
returns PAM_SUCCESS.</para>
</refsect1>
<refsect1 >
<title > Options</title>
<para > The following options are understood:</para>
2013-01-26 19:47:16 +04:00
<variablelist class= 'pam-directives' >
2010-06-24 02:11:04 +04:00
<varlistentry >
2011-06-29 04:46:20 +04:00
<term > <option > kill-session-processes=</option> </term>
2010-06-24 02:11:04 +04:00
<listitem > <para > Takes a boolean
argument. If true, all processes
created by the user during his session
and from his session will be
terminated when he logs out from his
session.</para> </listitem>
</varlistentry>
2011-01-19 01:07:06 +03:00
<varlistentry >
2011-02-13 20:21:11 +03:00
<term > <option > kill-only-users=</option> </term>
2011-01-19 01:07:06 +03:00
2011-02-13 20:21:11 +03:00
<listitem > <para > Takes a comma
separated list of user names or
numeric user ids as argument. If this
option is used the effect of the
2011-06-29 04:46:20 +04:00
<option > kill-session-processes=</option> options
2011-02-13 20:21:11 +03:00
will apply only to the listed
users. If this option is not used the
option applies to all local
users. Note that
<option > kill-exclude-users=</option>
takes precedence over this list and is
hence subtracted from the list
specified here.</para> </listitem>
</varlistentry>
<varlistentry >
<term > <option > kill-exclude-users=</option> </term>
<listitem > <para > Takes a comma
separated list of user names or
numeric user ids as argument. Users
listed in this argument will not be
subject to the effect of
2011-06-29 04:46:20 +04:00
<option > kill-session-processes=</option> . Note
2012-09-04 21:24:16 +04:00
that this option takes precedence
2011-02-13 20:21:11 +03:00
over
<option > kill-only-users=</option> , and
hence whatever is listed for
<option > kill-exclude-users=</option>
is guaranteed to never be killed by
this PAM module, independent of any
other configuration
setting.</para> </listitem>
2011-01-19 01:07:06 +03:00
</varlistentry>
2010-11-18 02:38:41 +03:00
<varlistentry >
<term > <option > controllers=</option> </term>
<listitem > <para > Takes a comma
2011-06-29 04:46:20 +04:00
separated list of control group
controllers in which hierarchies a
user/session control group will be
created by default for each user
logging in, in addition to the control
group in the named 'name=systemd'
2011-06-18 17:40:20 +04:00
hierarchy. If omitted, defaults to an
2011-06-29 04:46:20 +04:00
empty list.</para> </listitem>
2011-02-04 14:46:38 +03:00
</varlistentry>
<varlistentry >
<term > <option > reset-controllers=</option> </term>
<listitem > <para > Takes a comma
2011-06-29 04:46:20 +04:00
separated list of control group
controllers in which hierarchies the
logged in processes will be reset to
the root control
group.</para> </listitem>
2010-11-18 02:38:41 +03:00
</varlistentry>
2011-05-27 03:29:34 +04:00
2012-12-24 17:25:58 +04:00
<varlistentry >
<term > <option > class=</option> </term>
<listitem > <para > Takes a string
argument which sets the session class.
The XDG_SESSION_CLASS environmental variable
takes precedence.</para> </listitem>
</varlistentry>
2011-05-27 03:29:34 +04:00
<varlistentry >
<term > <option > debug=</option> </term>
<listitem > <para > Takes a boolean
2011-06-29 04:46:20 +04:00
argument. If yes, the module will log
debugging information as it
operates.</para> </listitem>
2011-05-27 03:29:34 +04:00
</varlistentry>
2010-06-24 02:11:04 +04:00
</variablelist>
2011-06-29 04:46:20 +04:00
<para > Note that setting
<varname > kill-session-processes=1</varname> will break tools
like
2010-06-24 02:11:04 +04:00
<citerefentry > <refentrytitle > screen</refentrytitle> <manvolnum > 1</manvolnum> </citerefentry> .</para>
2011-06-29 04:46:20 +04:00
<para > Note that
<varname > kill-session-processes=1</varname> is a
stricter version of
<varname > KillUserProcesses=1</varname> which may be
configured system-wide in
2012-03-31 01:18:33 +04:00
<citerefentry > <refentrytitle > logind.conf</refentrytitle> <manvolnum > 5</manvolnum> </citerefentry> . The
2011-06-29 04:46:20 +04:00
former kills processes of a session as soon as it
ends, the latter kills processes as soon as the last
session of the user ends.</para>
2010-06-24 05:09:36 +04:00
<para > If the options are omitted they default to
2011-06-29 04:46:20 +04:00
<option > kill-session-processes=0</option> ,
2011-02-13 20:21:11 +03:00
<option > kill-only-users=</option> ,
2011-06-29 04:46:20 +04:00
<option > kill-exclude-users=</option> ,
<option > controllers=</option> ,
<option > reset-controllers=</option> ,
<option > debug=no</option> .</para>
2010-06-24 02:11:04 +04:00
</refsect1>
<refsect1 >
<title > Module Types Provided</title>
<para > Only <option > session</option> is provided.</para>
</refsect1>
<refsect1 >
<title > Environment</title>
2010-06-24 07:23:16 +04:00
<para > The following environment variables are set for the processes of the user's session:</para>
2013-01-26 19:47:16 +04:00
<variablelist class= 'environment-variables' >
2010-06-24 02:11:04 +04:00
<varlistentry >
<term > <varname > $XDG_SESSION_ID</varname> </term>
<listitem > <para > A session identifier,
suitable to be used in file names. The
string itself should be considered
opaque, although often it is just the
audit session ID as reported by
<filename > /proc/self/sessionid</filename> . Each
ID will be assigned only once during
machine uptime. It may hence be used
to uniquely label files or other
resources of this
session.</para> </listitem>
</varlistentry>
<varlistentry >
<term > <varname > $XDG_RUNTIME_DIR</varname> </term>
<listitem > <para > Path to a user-private
user-writable directory that is bound
to the user login time on the
machine. It is automatically created
the first time a user logs in and
removed on his final logout. If a user
logs in twice at the same time, both
sessions will see the same
<varname > $XDG_RUNTIME_DIR</varname>
and the same contents. If a user logs
in once, then logs out again, and logs
in again, the directory contents will
have been lost in between, but
applications should not rely on this
2012-09-04 21:24:16 +04:00
behavior and must be able to deal with
2010-06-24 02:11:04 +04:00
stale files. To store session-private
data in this directory the user should
include the value of <varname > $XDG_SESSION_ID</varname>
in the filename. This directory shall
be used for runtime file system
objects such as AF_UNIX sockets,
FIFOs, PID files and similar. It is
guaranteed that this directory is
local and offers the greatest possible
file system feature set the
operating system
provides.</para> </listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 >
<title > Example</title>
<programlisting > #%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
2011-06-29 04:46:20 +04:00
session required pam_systemd.so kill-session-processes=1</programlisting>
2010-06-24 02:11:04 +04:00
</refsect1>
<refsect1 >
<title > See Also</title>
<para >
2012-06-01 02:14:07 +04:00
<citerefentry > <refentrytitle > systemd</refentrytitle> <manvolnum > 1</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > systemd-logind.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > logind.conf</refentrytitle> <manvolnum > 5</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > loginctl</refentrytitle> <manvolnum > 1</manvolnum> </citerefentry> ,
2010-06-24 02:11:04 +04:00
<citerefentry > <refentrytitle > pam.conf</refentrytitle> <manvolnum > 5</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > pam.d</refentrytitle> <manvolnum > 5</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > pam</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> ,
2012-06-01 02:14:07 +04:00
<citerefentry > <refentrytitle > pam_loginuid</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry>
2010-06-24 02:11:04 +04:00
</para>
</refsect1>
</refentry>