diff options
Diffstat (limited to 'man/pam_systemd.xml')
-rw-r--r-- | man/pam_systemd.xml | 349 |
1 files changed, 349 insertions, 0 deletions
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml new file mode 100644 index 0000000..be8ac5a --- /dev/null +++ b/man/pam_systemd.xml @@ -0,0 +1,349 @@ +<?xml version='1.0'?> <!--*-nxml-*--> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> +<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> + +<refentry id="pam_systemd" conditional='HAVE_PAM'> + + <refentryinfo> + <title>pam_systemd</title> + <productname>systemd</productname> + </refentryinfo> + + <refmeta> + <refentrytitle>pam_systemd</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv> + <refname>pam_systemd</refname> + <refpurpose>Register user sessions in the systemd login manager</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <para><filename>pam_systemd.so</filename></para> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para><command>pam_systemd</command> registers user sessions with + the systemd login manager + <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + and hence the systemd control group hierarchy.</para> + + <para>The module also applies various resource management and runtime parameters to the new session, as + configured in the <ulink url="https://systemd.io/USER_RECORD">JSON User Records</ulink> of the user, when + one is defined.</para> + + <para>On login, this module — in conjunction with <filename>systemd-logind.service</filename> — ensures the + following:</para> + + <orderedlist> + <listitem><para>If it does not exist yet, the user runtime directory <filename>/run/user/$UID</filename> is + either created or mounted as new <literal>tmpfs</literal> file system with quota applied, and its ownership + changed to the user that is logging in.</para></listitem> + + <listitem><para>The <varname>$XDG_SESSION_ID</varname> environment variable is initialized. If auditing is + available and <command>pam_loginuid.so</command> was run before this module (which is highly recommended), the + variable is initialized from the auditing session id (<filename>/proc/self/sessionid</filename>). Otherwise, an + independent session counter is used.</para></listitem> + + <listitem><para>A new systemd scope unit is created for the session. If this is the first concurrent session of + the user, an implicit per-user slice unit below <filename>user.slice</filename> is automatically created and the + scope placed into it. An instance of the system service <filename>user@.service</filename>, which runs the + systemd user manager instance, is started.</para></listitem> + + <listitem><para>The <literal>$TZ</literal>, <literal>$EMAIL</literal> and <literal>$LANG</literal> + environment variables are configured for the user, based on the respective data from the user's JSON + record (if it is defined). Moreover, any environment variables explicitly configured in the user record + are imported, and the umask, nice level, and resource limits initialized.</para></listitem> + </orderedlist> + + <para>On logout, this module ensures the following:</para> + + <orderedlist> + <listitem><para>If enabled in + <citerefentry><refentrytitle>logind.conf</refentrytitle> + <manvolnum>5</manvolnum></citerefentry> (<varname>KillUserProcesses=</varname>), all processes of the session are + terminated. If the last concurrent session of a user ends, the user's systemd instance will be terminated too, + and so will the user's slice unit.</para></listitem> + + <listitem><para>If the last concurrent session of a user ends, + the user runtime directory <filename>/run/user/$UID</filename> and all its + contents are removed, too.</para></listitem> + </orderedlist> + + <para>If the system was not booted up with systemd as init system, + this module does nothing and immediately returns + <constant>PAM_SUCCESS</constant>.</para> + + </refsect1> + + <refsect1> + <title>Options</title> + + <para>The following options are understood:</para> + + <variablelist class='pam-directives'> + + <varlistentry> + <term><varname>class=</varname></term> + + <listitem><para>Takes a string argument which sets the session class. The <varname>XDG_SESSION_CLASS</varname> + environment variable (see below) takes precedence. One of <literal>user</literal>, <literal>greeter</literal>, + <literal>lock-screen</literal> or <literal>background</literal>. See + <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry> for + details about the session class.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>type=</varname></term> + + <listitem><para>Takes a string argument which sets the session type. The <varname>XDG_SESSION_TYPE</varname> + environment variable (see below) takes precedence. One of <literal>unspecified</literal>, + <literal>tty</literal>, <literal>x11</literal>, <literal>wayland</literal> or <literal>mir</literal>. See + <citerefentry><refentrytitle>sd_session_get_type</refentrytitle><manvolnum>3</manvolnum></citerefentry> for + details about the session type.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>desktop=</varname></term> + + <listitem><para>Takes a single, short identifier string for the desktop environment. The + <varname>XDG_SESSION_DESKTOP</varname> environment variable (see below) takes precedence. This may be used to + indicate the session desktop used, where this applies and if this information is available. For example: + <literal>GNOME</literal>, or <literal>KDE</literal>. It is recommended to use the same identifiers and + capitalization as for <varname>$XDG_CURRENT_DESKTOP</varname>, as defined by the <ulink + url="https://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop Entry + Specification</ulink>. (However, note that the option only takes a single item, and not a colon-separated list + like <varname>$XDG_CURRENT_DESKTOP</varname>.) See + <citerefentry><refentrytitle>sd_session_get_desktop</refentrytitle><manvolnum>3</manvolnum></citerefentry> for + further details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>debug</varname><optional>=</optional></term> + + <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log + debugging information as it operates.</para></listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>Module Types Provided</title> + + <para>Only <option>session</option> is provided.</para> + </refsect1> + + <refsect1> + <title>Environment</title> + + <para>The following environment variables are initialized by the module and available to the processes of the + user's session:</para> + + <variablelist class='environment-variables'> + <varlistentry> + <term><varname>$XDG_SESSION_ID</varname></term> + + <listitem><para>A short session identifier, suitable to be used in filenames. The string itself should be + considered opaque, although often it is just the audit session ID as reported by + <filename>/proc/self/sessionid</filename>. Each ID will be assigned only once during machine uptime. It may + hence be used to uniquely label files or other resources of this session. Combine this ID with the boot + identifier, as returned by + <citerefentry><refentrytitle>sd_id128_get_boot</refentrytitle><manvolnum>3</manvolnum></citerefentry>, for a + globally unique identifier.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_RUNTIME_DIR</varname></term> + + <listitem><para>Path to a user-private user-writable directory + that is bound to the user login time on the machine. It is + automatically created the first time a user logs in and + removed on the user's final logout. If a user logs in twice at + the same time, both sessions will see the same + <varname>$XDG_RUNTIME_DIR</varname> and the same contents. If + a user logs in once, then logs out again, and logs in again, + the directory contents will have been lost in between, but + applications should not rely on this behavior and must be able + to deal with stale files. To store session-private data in + this directory, the user should include the value of + <varname>$XDG_SESSION_ID</varname> in the filename. This + directory shall be used for runtime file system objects such + as <constant>AF_UNIX</constant> sockets, FIFOs, PID files and + similar. It is guaranteed that this directory is local and + offers the greatest possible file system feature set the + operating system provides. For further details, see the <ulink + url="https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG + Base Directory Specification</ulink>. <varname>$XDG_RUNTIME_DIR</varname> + is not set if the current user is not the original user of the session.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$TZ</varname></term> + <term><varname>$EMAIL</varname></term> + <term><varname>$LANG</varname></term> + + <listitem><para>If a JSON user record is known for the user logging in these variables are + initialized from the respective data in the record.</para></listitem> + </varlistentry> + + </variablelist> + + <para>The following environment variables are read by the module and may be used by the PAM service to pass + metadata to the module. If these variables are not set when the PAM module is invoked but can be determined + otherwise they are set by the module, so that these variables are initialized for the session and applications if + known at all.</para> + + <variablelist class='environment-variables'> + <varlistentry> + <term><varname>$XDG_SESSION_TYPE</varname></term> + + <listitem><para>The session type. This may be used instead of <varname>type=</varname> on the module parameter + line, and is usually preferred.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_SESSION_CLASS</varname></term> + + <listitem><para>The session class. This may be used instead of <varname>class=</varname> on the module parameter + line, and is usually preferred.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_SESSION_DESKTOP</varname></term> + + <listitem><para>The desktop identifier. This may be used instead of <varname>desktop=</varname> on the module + parameter line, and is usually preferred.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_SEAT</varname></term> + + <listitem><para>The seat name the session shall be registered + for, if any.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>$XDG_VTNR</varname></term> + + <listitem><para>The VT number the session shall be registered + for, if any. (Only applies to seats with a VT available, such + as <literal>seat0</literal>)</para></listitem> + </varlistentry> + </variablelist> + + <para>If not set, <command>pam_systemd</command> will initialize + <varname>$XDG_SEAT</varname> and <varname>$XDG_VTNR</varname> + based on the <varname>$DISPLAY</varname> variable (if the latter is set).</para> + </refsect1> + + <refsect1> + <title>Session limits</title> + + <para>PAM modules earlier in the stack, that is those that come before <command>pam_systemd.so</command>, + can set session scope limits using the PAM context objects. The data for these objects is provided as <constant>NUL</constant>-terminated C strings + and maps directly to the respective unit resource control directives. Note that these limits apply to individual sessions of the user, + they do not apply to all user processes as a combined whole. In particular, the per-user <command>user@.service</command> unit instance, + which runs the <command>systemd --user</command> manager process and its children, and is tracked outside of any session, being shared + by all the user's sessions, is not covered by these limits. + </para> + + <para> See + <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information about the resources. + Also, see <citerefentry project='man-pages'><refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum></citerefentry> for additional information about how to set + the context objects. + </para> + + <variablelist class='pam-directives'> + <varlistentry> + <term><varname>systemd.memory_max=</varname></term> + + <listitem><para>Sets unit <varname>MemoryMax=</varname>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>systemd.tasks_max=</varname></term> + + <listitem><para>Sets unit <varname>TasksMax=</varname>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>systemd.cpu_weight=</varname></term> + + <listitem><para>Sets unit <varname>CPUWeight=</varname>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>systemd.io_weight=</varname></term> + + <listitem><para>Sets unit <varname>IOWeight=</varname>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><varname>systemd.runtime_max_sec=</varname></term> + + <listitem><para>Sets unit <varname>RuntimeMaxSec=</varname>.</para></listitem> + </varlistentry> + </variablelist> + + <para>Example data as can be provided from an another PAM module: + <programlisting> +pam_set_data(handle, "systemd.memory_max", (void *)"200M", cleanup); +pam_set_data(handle, "systemd.tasks_max", (void *)"50", cleanup); +pam_set_data(handle, "systemd.cpu_weight", (void *)"100", cleanup); +pam_set_data(handle, "systemd.io_weight", (void *)"340", cleanup); +pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup); + </programlisting> + </para> + + </refsect1> + + <refsect1> + <title>Example</title> + + <para>Here's an example PAM configuration fragment that allows users sessions to be managed by + <filename>systemd-logind.service</filename>:</para> + + <programlisting>#%PAM-1.0 +auth sufficient pam_unix.so +-auth sufficient pam_systemd_home.so +auth required pam_deny.so + +account required pam_nologin.so +-account sufficient pam_systemd_home.so +account sufficient pam_unix.so +account required pam_permit.so + +-password sufficient pam_systemd_home.so +password sufficient pam_unix.so sha512 shadow try_first_pass +password required pam_deny.so + +-session optional pam_keyinit.so revoke +-session optional pam_loginuid.so +-session optional pam_systemd_home.so +<command>-session optional pam_systemd.so</command> +session required pam_unix.so</programlisting> + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry> + </para> + </refsect1> + +</refentry> |