Imported Upstream version 204
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>pam_systemd</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
a.headerlink {
color: #c60f0f;
font-size: 0.8em;
padding: 0 4px 0 4px;
text-decoration: none;
visibility: hidden;
}

a.headerlink:hover {
background-color: #c60f0f;
color: white;
}

h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
visibility: visible;
}
</style><a href="index.html">Index </a>·
<a href="systemd.directives.html">Directives </a>·
<a href="../python-systemd/index.html">Python </a>·
<a href="../libudev/index.html">libudev </a>·
<a href="../libudev/index.html">gudev </a><span style="float:right">systemd 204</span><hr><div class="refentry"><a name="pam_systemd"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pam_systemd — Register user sessions in the systemd login manager</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">pam_systemd.so</code></p></div><div class="refsect1"><a name="idm259767374112"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description"></a></h2><p><span class="command"><strong>pam_systemd</strong></span> registers user
sessions in the systemd login manager
<a href="systemd-logind.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-logind.service</span>(8)</span></a>,
and hence in the systemd control group hierarchy.</p><p>On login, this module ensures the following:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>If it does not exist yet, the
user runtime directory
<code class="filename">/run/user/$USER</code> is
created and its ownership is changed to the user
that is logging in.</p></li><li class="listitem"><p>The
<code class="varname">$XDG_SESSION_ID</code> environment
variable is initialized. If auditing is
available and
<span class="command"><strong>pam_loginuid.so</strong></span> is run before
this module (which is highly recommended), the
variable is initialized from the audit
session id
(<code class="filename">/proc/self/sessionid</code>),
which the kernel assigns when the login UID is set
and which the session's own processes cannot
change afterwards. Otherwise an independent
session counter is used, and the session id is
no longer tied to the audit trail.</p></li><li class="listitem"><p>A new control group
<code class="filename">/user/$USER/$XDG_SESSION_ID</code>
is created and the login process is moved into
it.</p></li></ol></div><p>On logout, this module ensures the following:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>If
<code class="varname">$XDG_SESSION_ID</code> is set and
<code class="option">kill-session-processes=1</code> is specified, all
remaining processes in the
<code class="filename">/user/$USER/$XDG_SESSION_ID</code>
control group are killed and the control group
is removed.</p></li><li class="listitem"><p>If the last subgroup of the
<code class="filename">/user/$USER</code> control group
was removed, the
<code class="varname">$XDG_RUNTIME_DIR</code> directory
and all its contents are
removed, too.</p></li></ol></div><p>If the system was not booted with systemd as
init system, this module does nothing and immediately
returns PAM_SUCCESS.</p></div><div class="refsect1"><a name="idm259766054704"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options"></a></h2><p>The following options are understood:</p><div class="variablelist"><dl class="variablelist"><dt id="kill-session-processes="><span class="term"><code class="option">kill-session-processes=</code></span><a class="headerlink" title="Permalink to this term" href="#kill-session-processes="></a></dt><dd><p>Takes a boolean
argument. If true, all processes
created by the user during the session,
and all processes started from it, are
terminated when the user logs out of the
session.</p></dd><dt id="kill-only-users="><span class="term"><code class="option">kill-only-users=</code></span><a class="headerlink" title="Permalink to this term" href="#kill-only-users="></a></dt><dd><p>Takes a
comma-separated list of user names or
numeric user ids as argument. If this
option is used, the effect of the
<code class="option">kill-session-processes=</code> option
applies only to the listed
users. If this option is not used, the
option applies to all local
users. Note that
<code class="option">kill-exclude-users=</code>
takes precedence over this list and is
hence subtracted from the list
specified here.</p></dd><dt id="kill-exclude-users="><span class="term"><code class="option">kill-exclude-users=</code></span><a class="headerlink" title="Permalink to this term" href="#kill-exclude-users="></a></dt><dd><p>Takes a
comma-separated list of user names or
numeric user ids as argument. Users
listed in this argument are not
subject to the effect of
<code class="option">kill-session-processes=</code>. Note
that this option takes precedence
over
<code class="option">kill-only-users=</code>, and
hence whatever is listed for
<code class="option">kill-exclude-users=</code>
is guaranteed never to be killed by
this PAM module, independent of any
other configuration
setting.</p></dd><dt id="controllers="><span class="term"><code class="option">controllers=</code></span><a class="headerlink" title="Permalink to this term" href="#controllers="></a></dt><dd><p>Takes a
comma-separated list of control group
controllers. In the hierarchy of each listed
controller, a user/session control group is
created by default for each user
logging in, in addition to the control
group in the named 'name=systemd'
hierarchy. If omitted, defaults to an
empty list.</p></dd><dt id="reset-controllers="><span class="term"><code class="option">reset-controllers=</code></span><a class="headerlink" title="Permalink to this term" href="#reset-controllers="></a></dt><dd><p>Takes a
comma-separated list of control group
controllers. In the hierarchy of each listed
controller, the logged-in processes are
reset to the root control
group.</p></dd><dt id="class="><span class="term"><code class="option">class=</code></span><a class="headerlink" title="Permalink to this term" href="#class="></a></dt><dd><p>Takes a string
argument which sets the session class.
The <code class="varname">$XDG_SESSION_CLASS</code> environment variable,
if set, takes precedence.</p></dd><dt id="debug="><span class="term"><code class="option">debug=</code></span><a class="headerlink" title="Permalink to this term" href="#debug="></a></dt><dd><p>Takes a boolean
argument. If yes, the module logs
debugging information as it
operates.</p></dd></dl></div><p>Note that
<code class="varname">kill-session-processes=1</code> will break tools
like
<a href="screen.html"><span class="citerefentry"><span class="refentrytitle">screen</span>(1)</span></a>
and anything else that is meant to outlive the
login session, since every process still in the
session's control group is killed at logout.</p><p>Note that
<code class="varname">kill-session-processes=1</code> is a
stricter version of
<code class="varname">KillUserProcesses=1</code>, which may be
configured system-wide in
<a href="logind.conf.html"><span class="citerefentry"><span class="refentrytitle">logind.conf</span>(5)</span></a>. The
former kills the processes of a session as soon as that
session ends; the latter kills them only when the last
session of the user ends.</p><p>If the options are omitted they default to
<code class="option">kill-session-processes=0</code>,
<code class="option">kill-only-users=</code>,
<code class="option">kill-exclude-users=</code>,
<code class="option">controllers=</code>,
<code class="option">reset-controllers=</code>,
<code class="option">debug=no</code>.</p></div><div class="refsect1"><a name="idm259769926800"></a><h2 id="Module Types Provided">Module Types Provided<a class="headerlink" title="Permalink to this headline" href="#Module%20Types%20Provided"></a></h2><p>Only <code class="option">session</code> is provided.</p></div><div class="refsect1"><a name="idm259769925136"></a><h2 id="Environment">Environment<a class="headerlink" title="Permalink to this headline" href="#Environment"></a></h2><p>The following environment variables are set for the processes of the user's session:</p><div class="variablelist"><dl class="variablelist"><dt id="$XDG_SESSION_ID"><span class="term"><code class="varname">$XDG_SESSION_ID</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_SESSION_ID"></a></dt><dd><p>A session identifier,
suitable to be used in file names. The
string itself should be considered
opaque, although often it is just the
audit session ID as reported by
<code class="filename">/proc/self/sessionid</code>. Each
ID is assigned only once during
machine uptime. It may hence be used
to uniquely label files or other
resources of this
session.</p></dd><dt id="$XDG_RUNTIME_DIR"><span class="term"><code class="varname">$XDG_RUNTIME_DIR</code></span><a class="headerlink" title="Permalink to this term" href="#%24XDG_RUNTIME_DIR"></a></dt><dd><p>Path to a user-private,
user-writable directory that is bound
to the user's login time on the
machine. It is automatically created
the first time a user logs in and
removed on the user's final logout. If a user
logs in twice at the same time, both
sessions see the same
<code class="varname">$XDG_RUNTIME_DIR</code>
and the same contents. If a user logs
in once, then logs out again, and logs
in again, the directory contents will
have been lost in between, but
applications should not rely on this
behavior and must be able to deal with
stale files. To store session-private
data in this directory the user should
include the value of <code class="varname">$XDG_SESSION_ID</code>
in the filename, since the directory itself is
shared by all concurrent sessions of the user. This directory shall
be used for runtime file system
objects such as AF_UNIX sockets,
FIFOs, PID files and similar. It is
guaranteed that this directory is
local and offers the greatest possible
file system feature set the
operating system
provides.</p></dd></dl></div></div><div class="refsect1"><a name="idm259769916496"></a><h2 id="Example">Example<a class="headerlink" title="Permalink to this headline" href="#Example"></a></h2><pre class="programlisting">#%PAM-1.0
auth      required  pam_unix.so
auth      required  pam_nologin.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
session   required  pam_loginuid.so
session   required  pam_systemd.so kill-session-processes=1</pre></div><div class="refsect1"><a name="idm259769914720"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also"></a></h2><p>
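</p>
<p>Two of the points made on this page are easy to get wrong in a real stack: the module ordering (<code class="filename">pam_loginuid.so</code> before <code class="filename">pam_systemd.so</code>, so that <code class="varname">$XDG_SESSION_ID</code> comes from the audit session id) and the precedence between <code class="option">kill-session-processes=</code>, <code class="option">kill-only-users=</code> and <code class="option">kill-exclude-users=</code>. The following Python script is an editor's added example, not code from systemd or the pam_systemd module: it lints a constructed pam.d file modelled on the Example section for the recommended ordering, and evaluates, for a given user name and numeric id, whether the session's processes would be killed at logout. The sample stack, its <code class="option">kill-exclude-users=root,backup</code> value and the accepted boolean spellings are assumptions made for illustration.</p>

```python
"""Added example (editor's illustration, not systemd code): lint a pam.d
file for the pam_systemd(8) ordering the page recommends and evaluate the
kill-session-processes= / kill-only-users= / kill-exclude-users= precedence."""
import re
import shlex

# Constructed pam.d file modelled on the Example section; kill-exclude-users= is an assumed value.
SAMPLE_STACK = """\
#%PAM-1.0
auth      required  pam_unix.so
auth      required  pam_nologin.so
account   required  pam_unix.so
password  required  pam_unix.so
session   required  pam_unix.so
session   required  pam_loginuid.so
session   required  pam_systemd.so kill-session-processes=1 \\
                                   kill-exclude-users=root,backup
"""

# type, control (one word or [bracketed]), module, remaining arguments
_PAM_LINE = re.compile(r"^(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_file(text):
    """(type, module, args) for every module line; handles '#' comments,
    the '-' silent-failure prefix, backslash continuations and '@include'."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("\\"):              # continued on the next line
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("@include"):
            continue
        m = _PAM_LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse pam.d line: {raw!r}")
        _silent, typ, _control, module, args = m.groups()
        entries.append((typ.lower(), module, args))
    return entries

def check_stack(text):
    """Placement problems for pam_systemd.so; an empty list means OK."""
    problems, loginuid_seen, systemd_seen = [], False, False
    for typ, module, _args in parse_pam_file(text):
        if typ == "session" and module == "pam_loginuid.so":
            loginuid_seen = True
        if module == "pam_systemd.so":
            if typ != "session":
                problems.append(f"pam_systemd.so listed under '{typ}', "
                                "but it only provides the session type")
                continue
            systemd_seen = True
            if not loginuid_seen:
                problems.append("pam_loginuid.so should run before pam_systemd.so "
                                "so $XDG_SESSION_ID comes from the audit session id")
    if not systemd_seen:
        problems.append("no session-type pam_systemd.so line: "
                        "sessions will not be registered with logind")
    return problems

def parse_bool(value):
    """Boolean spellings (assumed: 1/0, yes/no, true/false, on/off)."""
    v = value.strip().lower()
    if v in ("1", "yes", "true", "on"):
        return True
    if v in ("0", "no", "false", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")

def parse_module_args(args):
    """'kill-session-processes=1 kill-only-users=a,b' -> option dict."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(args))

def kills_on_logout(opts, name, uid):
    """Would pam_systemd with these arguments kill the session's processes
    when `name` (numeric id `uid`) logs out?  kill-exclude-users= beats
    kill-only-users=, which narrows kill-session-processes=; both user
    names and numeric ids are matched."""
    if not parse_bool(opts.get("kill-session-processes", "0")):
        return False
    me = {name, str(uid)}
    def users(key):
        return {u for u in opts.get(key, "").split(",") if u}
    if me & users("kill-exclude-users"):
        return False                         # excluded, whatever else says
    only = users("kill-only-users")
    return not only or bool(me & only)       # restricted to listed users

def systemd_options(text):
    """Argument dict of the session-type pam_systemd.so line, or None."""
    for typ, module, args in parse_pam_file(text):
        if typ == "session" and module == "pam_systemd.so":
            return parse_module_args(args)
    return None

if __name__ == "__main__":
    print("problems:", check_stack(SAMPLE_STACK) or "none")
    for who in (("alice", 1000), ("root", 0), ("backup", 34)):
        print(who, "killed at logout:",
              kills_on_logout(systemd_options(SAMPLE_STACK), *who))
```

<p>Run it directly to see the findings for the sample stack, or pass the contents of a real <code class="filename">/etc/pam.d/</code> service file to <code class="function">check_stack()</code>. The linter looks at one file only and skips <code class="option">@include</code> lines, so a stack that pulls <code class="filename">pam_loginuid.so</code> in through an included file must be checked with that file's lines prepended, otherwise the ordering warning is a false positive.</p>
<p>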
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemd-logind.service.html"><span class="citerefentry"><span class="refentrytitle">systemd-logind.service</span>(8)</span></a>,
<a href="logind.conf.html"><span class="citerefentry"><span class="refentrytitle">logind.conf</span>(5)</span></a>,
<a href="loginctl.html"><span class="citerefentry"><span class="refentrytitle">loginctl</span>(1)</span></a>,
<a href="pam.conf.html"><span class="citerefentry"><span class="refentrytitle">pam.conf</span>(5)</span></a>,
<a href="pam.d.html"><span class="citerefentry"><span class="refentrytitle">pam.d</span>(5)</span></a>,
<a href="pam.html"><span class="citerefentry"><span class="refentrytitle">pam</span>(8)</span></a>,
<a href="pam_loginuid.html"><span class="citerefentry"><span class="refentrytitle">pam_loginuid</span>(8)</span></a>
</p></div></div></body></html>