<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="pam_systemd">
-
- <refentryinfo>
- <title>pam_systemd</title>
- <productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>pam_systemd</refentrytitle>
- <manvolnum>8</manvolnum>
- </refmeta>
-
- <refnamediv>
- <refname>pam_systemd</refname>
- <refpurpose>Register user sessions in the systemd control group hierarchy</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>pam_systemd.so</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>Description</title>
-
- <para><command>pam_systemd</command> registers user
- sessions in the systemd control group
- hierarchy.</para>
-
- <para>On login, this module ensures the following:</para>
-
- <orderedlist>
- <listitem><para>If it does not exist yet, the
- user runtime directory
- <filename>/run/user/$USER</filename> is
- created and its ownership changed to the user
- that is logging in.</para></listitem>
-
- <listitem><para>The
- <varname>$XDG_SESSION_ID</varname> environment
- variable is initialized. If auditing is
- available and
- <command>pam_loginuid.so</command> run before
- this module (which is highly recommended), the
- variable is initialized from the auditing
- session id
- (<filename>/proc/self/sessionid</filename>). Otherwise
- an independent session counter is
- used.</para></listitem>
-
- <listitem><para>A new control group
- <filename>/user/$USER/$XDG_SESSION_ID</filename>
- is created and the login process moved into
- it.</para></listitem>
- </orderedlist>
-
- <para>On logout, this module ensures the following:</para>
-
- <orderedlist>
- <listitem><para>If
- <varname>$XDG_SESSION_ID</varname> is set and
- <option>kill-session-processes=1</option> specified, all
- remaining processes in the
- <filename>/user/$USER/$XDG_SESSION_ID</filename>
- control group are killed and the control group
- is removed.</para></listitem>
-
- <listitem><para>If last subgroup of the
- <filename>/user/$USER</filename> control group
- was removed the
- <varname>$XDG_RUNTIME_DIR</varname> directory
- and all its contents are
- removed, too.</para></listitem>
- </orderedlist>
-
- <para>If the system was not booted up with systemd as
- init system, this module does nothing and immediately
- returns PAM_SUCCESS.</para>
-
- </refsect1>
-
- <refsect1>
- <title>Options</title>
-
- <para>The following options are understood:</para>
-
- <variablelist>
- <varlistentry>
- <term><option>kill-session-processes=</option></term>
-
- <listitem><para>Takes a boolean
- argument. If true, all processes
- created by the user during his session
- and from his session will be
- terminated when he logs out from his
- session.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>kill-only-users=</option></term>
-
- <listitem><para>Takes a comma
- separated list of user names or
- numeric user ids as argument. If this
- option is used the effect of the
- <option>kill-session-processes=</option> options
- will apply only to the listed
- users. If this option is not used the
- option applies to all local
- users. Note that
- <option>kill-exclude-users=</option>
- takes precedence over this list and is
- hence subtracted from the list
- specified here.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>kill-exclude-users=</option></term>
-
- <listitem><para>Takes a comma
- separated list of user names or
- numeric user ids as argument. Users
- listed in this argument will not be
- subject to the effect of
- <option>kill-session-processes=</option>. Note
- that that this option takes precedence
- over
- <option>kill-only-users=</option>, and
- hence whatever is listed for
- <option>kill-exclude-users=</option>
- is guaranteed to never be killed by
- this PAM module, independent of any
- other configuration
- setting.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>controllers=</option></term>
-
- <listitem><para>Takes a comma
- separated list of control group
- controllers in which hierarchies a
- user/session control group will be
- created by default for each user
- logging in, in addition to the control
- group in the named 'name=systemd'
- hierarchy. If omitted, defaults to an
- empty list.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>reset-controllers=</option></term>
-
- <listitem><para>Takes a comma
- separated list of control group
- controllers in which hierarchies the
- logged in processes will be reset to
- the root control
- group.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>debug=</option></term>
-
- <listitem><para>Takes a boolean
- argument. If yes, the module will log
- debugging information as it
- operates.</para></listitem>
- </varlistentry>
- </variablelist>
-
- <para>Note that setting
- <varname>kill-session-processes=1</varname> will break tools
- like
- <citerefentry><refentrytitle>screen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
-
- <para>Note that
- <varname>kill-session-processes=1</varname> is a
- stricter version of
- <varname>KillUserProcesses=1</varname> which may be
- configured system-wide in
- <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>. The
- former kills processes of a session as soon as it
- ends, the latter kills processes as soon as the last
- session of the user ends.</para>
-
- <para>If the options are omitted they default to
- <option>kill-session-processes=0</option>,
- <option>kill-only-users=</option>,
- <option>kill-exclude-users=</option>,
- <option>controllers=</option>,
- <option>reset-controllers=</option>,
- <option>debug=no</option>.</para>
- </refsect1>
-
- <refsect1>
- <title>Module Types Provided</title>
-
- <para>Only <option>session</option> is provided.</para>
- </refsect1>
-
- <refsect1>
- <title>Environment</title>
-
- <para>The following environment variables are set for the processes of the user's session:</para>
-
- <variablelist>
- <varlistentry>
- <term><varname>$XDG_SESSION_ID</varname></term>
-
- <listitem><para>A session identifier,
- suitable to be used in file names. The
- string itself should be considered
- opaque, although often it is just the
- audit session ID as reported by
- <filename>/proc/self/sessionid</filename>. Each
- ID will be assigned only once during
- machine uptime. It may hence be used
- to uniquely label files or other
- resources of this
- session.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>$XDG_RUNTIME_DIR</varname></term>
-
- <listitem><para>Path to a user-private
- user-writable directory that is bound
- to the user login time on the
- machine. It is automatically created
- the first time a user logs in and
- removed on his final logout. If a user
- logs in twice at the same time, both
- sessions will see the same
- <varname>$XDG_RUNTIME_DIR</varname>
- and the same contents. If a user logs
- in once, then logs out again, and logs
- in again, the directory contents will
- have been lost in between, but
- applications should not rely on this
- behaviour and must be able to deal with
- stale files. To store session-private
- data in this directory the user should
- include the value of <varname>$XDG_SESSION_ID</varname>
- in the filename. This directory shall
- be used for runtime file system
- objects such as AF_UNIX sockets,
- FIFOs, PID files and similar. It is
- guaranteed that this directory is
- local and offers the greatest possible
- file system feature set the
- operating system
- provides.</para></listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>Example</title>
-
- <programlisting>#%PAM-1.0
+<refentry id="pam_systemd" conditional='HAVE_PAM'>
+
+ <refentryinfo>
+ <title>pam_systemd</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Lennart</firstname>
+ <surname>Poettering</surname>
+ <email>lennart@poettering.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>pam_systemd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pam_systemd</refname>
+ <refpurpose>Register user sessions in the systemd login manager</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para><filename>pam_systemd.so</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>pam_systemd</command> registers user sessions with
+ the systemd login manager
+ <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ and hence the systemd control group hierarchy.</para>
+
+ <para>On login, this module ensures the following:</para>
+
+ <orderedlist>
+ <listitem><para>If it does not exist yet, the user runtime
+ directory <filename>/run/user/$USER</filename> is created and
+ its ownership changed to the user that is logging
+ in.</para></listitem>
+
+ <listitem><para>The <varname>$XDG_SESSION_ID</varname>
+ environment variable is initialized. If auditing is available
+ and <command>pam_loginuid.so</command> was run before this
+ module (which is highly recommended), the variable is
+ initialized from the auditing session id
+ (<filename>/proc/self/sessionid</filename>). Otherwise, an
+ independent session counter is used.</para></listitem>
+
+ <listitem><para>A new systemd scope unit is created for the
+ session. If this is the first concurrent session of the user, an
+ implicit slice below <filename>user.slice</filename> is
+ automatically created and the scope placed into it. An instance
+ of the system service <filename>user@.service</filename>, which
+ runs the systemd user manager instance, is started.
+ </para></listitem>
+ </orderedlist>
+
+ <para>On logout, this module ensures the following:</para>
+
+ <orderedlist>
+ <listitem><para>If enabled in
+ <citerefentry><refentrytitle>logind.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>, all processes of the
+ session are terminated. If the last concurrent session of a user
+ ends, the user's systemd instance will be terminated too, and so
+ will the user's slice unit.</para></listitem>
+
+ <listitem><para>If the last concurrent session of a user ends,
+ the <varname>$XDG_RUNTIME_DIR</varname> directory and all its
+ contents are removed, too.</para></listitem>
+ </orderedlist>
+
+ <para>If the system was not booted up with systemd as init system,
+ this module does nothing and immediately returns
+ <constant>PAM_SUCCESS</constant>.</para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The following options are understood:</para>
+
+ <variablelist class='pam-directives'>
+
+ <varlistentry>
+ <term><option>class=</option></term>
+
+ <listitem><para>Takes a string argument which sets the session
+ class. The XDG_SESSION_CLASS environmental variable takes
+ precedence. One of
+ <literal>user</literal>,
+ <literal>greeter</literal>,
+ <literal>lock-screen</literal> or
+ <literal>background</literal>. See
+ <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ for details about the session class.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>type=</option></term>
+
+ <listitem><para>Takes a string argument which sets the session
+ type. The XDG_SESSION_TYPE environmental variable takes
+ precedence. One of
+ <literal>unspecified</literal>,
+ <literal>tty</literal>,
+ <literal>x11</literal>,
+ <literal>wayland</literal> or
+ <literal>mir</literal>. See
+ <citerefentry><refentrytitle>sd_session_get_type</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ for details about the session type.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>debug<optional>=</optional></option></term>
+
+ <listitem><para>Takes an optional
+ boolean argument. If yes or without
+ the argument, the module will log
+ debugging information as it
+ operates.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Module Types Provided</title>
+
+ <para>Only <option>session</option> is provided.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Environment</title>
+
+ <para>The following environment variables are set for the
+ processes of the user's session:</para>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$XDG_SESSION_ID</varname></term>
+
+ <listitem><para>A session identifier, suitable to be used in
+ filenames. The string itself should be considered opaque,
+ although often it is just the audit session ID as reported by
+ <filename>/proc/self/sessionid</filename>. Each ID will be
+ assigned only once during machine uptime. It may hence be used
+ to uniquely label files or other resources of this
+ session.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_RUNTIME_DIR</varname></term>
+
+ <listitem><para>Path to a user-private user-writable directory
+ that is bound to the user login time on the machine. It is
+ automatically created the first time a user logs in and
+ removed on the user's final logout. If a user logs in twice at
+ the same time, both sessions will see the same
+ <varname>$XDG_RUNTIME_DIR</varname> and the same contents. If
+ a user logs in once, then logs out again, and logs in again,
+ the directory contents will have been lost in between, but
+ applications should not rely on this behavior and must be able
+ to deal with stale files. To store session-private data in
+ this directory, the user should include the value of
+ <varname>$XDG_SESSION_ID</varname> in the filename. This
+ directory shall be used for runtime file system objects such
+ as <constant>AF_UNIX</constant> sockets, FIFOs, PID files and
+ similar. It is guaranteed that this directory is local and
+ offers the greatest possible file system feature set the
+ operating system provides. For further details see the <ulink
+ url="http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html">XDG
+ Base Directory Specification</ulink>.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>The following environment variables are read by the module
+ and may be used by the PAM service to pass metadata to the
+ module:</para>
+
+ <variablelist class='environment-variables'>
+ <varlistentry>
+ <term><varname>$XDG_SESSION_TYPE</varname></term>
+
+ <listitem><para>The session type. This may be used instead of
+ <option>session=</option> on the module parameter line, and is
+ usually preferred.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_SESSION_CLASS</varname></term>
+
+ <listitem><para>The session class. This may be used instead of
+ <option>class=</option> on the module parameter line, and is
+ usually preferred.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_SESSION_DESKTOP</varname></term>
+
+ <listitem><para>A single, short identifier string for the
+ desktop environment. This may be used to indicate the session
+ desktop used, where this applies and if this information is
+ available. For example: <literal>GNOME</literal>, or
+ <literal>KDE</literal>. It is recommended to use the same
+ identifiers and capitalization as for
+ <varname>$XDG_CURRENT_DESKTOP</varname>, as defined by the
+ <ulink
+ url="http://standards.freedesktop.org/desktop-entry-spec/latest/">Desktop
+ Entry Specification</ulink>. (However, note that
+ <varname>$XDG_SESSION_DESKTOP</varname> only takes a single
+ item, and not a colon-separated list like
+ <varname>$XDG_CURRENT_DESKTOP</varname>.) See
+ <citerefentry><refentrytitle>sd_session_get_desktop</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ for more details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_SEAT</varname></term>
+
+ <listitem><para>The seat name the session shall be registered
+ for, if any.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>$XDG_VTNR</varname></term>
+
+ <listitem><para>The VT number the session shall be registered
+ for, if any. (Only applies to seats with a VT available, such
+ as <literal>seat0</literal>)</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Example</title>
+
+ <programlisting>#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
-session required pam_systemd.so kill-session-processes=1</programlisting>
- </refsect1>
-
- <refsect1>
- <title>See Also</title>
- <para>
- <citerefentry><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- </para>
- </refsect1>
+session required pam_systemd.so</programlisting>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ </para>
+ </refsect1>
</refentry>