<para>On login, this module ensures the following:</para>
<orderedlist>
- <listitem><para>If it does not exist yet the
+ <listitem><para>If it does not exist yet, the
user runtime directory
- <filename>/var/run/user/$USER</filename> is
+ <filename>/run/user/$USER</filename> is
created and its ownership changed to the user
that is logging in.</para></listitem>
<listitem><para>If
- <option>create-session=1</option> is set the
+ <option>create-session=1</option> is set, the
<varname>$XDG_SESSION_ID</varname> environment
variable is initialized. If auditing is
available and
<command>pam_loginuid.so</command> run before
- this module (which es recommended), the
+ this module (which is highly recommended), the
variable is initialized from the auditing
session id
(<filename>/proc/self/sessionid</filename>). Otherwise
used.</para></listitem>
<listitem><para>If
- <option>create-session=1</option> is set a new
+ <option>create-session=1</option> is set, a new
control group
<filename>/user/$USER/$XDG_SESSION_ID</filename>
is created and the login process moved into
it.</para></listitem>
<listitem><para>If
- <option>create-session=0</option> is set a new
+ <option>create-session=0</option> is set, a new
control group
- <filename>/user/$USER/no-session</filename>
+ <filename>/user/$USER/user</filename>
is created and the login process moved into
it.</para></listitem>
remaining processes in the
<filename>/user/$USER/$XDG_SESSION_ID</filename>
control group are killed and the control group
- removed.</para></listitem>
+ is removed.</para></listitem>
<listitem><para>If
<varname>$XDG_SESSION_ID</varname> is set and
remaining processes in the
<filename>/user/$USER/$XDG_SESSION_ID</filename>
control group are migrated to
- <filename>/user/$USER/no-session</filename> and
- the original control group
+ <filename>/user/$USER/user</filename> and
+ the original control group is
removed.</para></listitem>
<listitem><para>If
<option>kill-user=1</option> is specified, and
- no other user session control group remains
+ no other user session control group remains,
except
- <filename>/user/$USER/no-session</filename>
+ <filename>/user/$USER/user</filename>,
all remaining processes in the
<filename>/user/$USER</filename> hierarchy
- are killed and the control group removed.</para></listitem>
+ are killed and the control group is removed.</para></listitem>
<listitem><para>If
<option>kill-user=0</option> is specified, and
</orderedlist>
<para>If the system was not booted up with systemd as
- init system this module does nothing and immediately
+ init system, this module does nothing and immediately
returns PAM_SUCCESS.</para>
</refsect1>
login process moved to the
<filename>/user/$USER/$XDG_SESSION_ID</filename>
control group. It is recommended that
- all services that are directly created
+ all services which are directly created
on the user's behalf set this
option. Only for services that shall
automatically be terminated when the
- user logs out completely otherwise,
+ user logs out completely, otherwise
<varname>create-session=0</varname>
should be set.</para></listitem>
</varlistentry>
completely. This is a weaker version
of <option>kill-session=1</option> and is
more friendly for users logged in more
- than once as their processes are
+ than once, as their processes are
terminated only on their complete
logout.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>kill-only-users=</option></term>
+
+ <listitem><para>Takes a comma
+ separated list of user names or
+ numeric user ids as argument. If this
+ option is used the effect of the
+ <option>kill-session=</option> and
+ <option>kill-user=</option> options
+ will apply only to the listed
+ users. If this option is not used the
+ option applies to all local
+ users. Note that
+ <option>kill-exclude-users=</option>
+ takes precedence over this list and is
+ hence subtracted from the list
+ specified here.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>kill-exclude-users=</option></term>
+
+ <listitem><para>Takes a comma
+ separated list of user names or
+ numeric user ids as argument. Users
+ listed in this argument will not be
+ subject to the effect of
+ <option>kill-session=</option> or
+ <option>kill-user=</option>. Note
+ that that this option takes precedence
+ over
+ <option>kill-only-users=</option>, and
+ hence whatever is listed for
+ <option>kill-exclude-users=</option>
+ is guaranteed to never be killed by
+ this PAM module, independent of any
+ other configuration
+ setting.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>controllers=</option></term>
+
+ <listitem><para>Takes a comma
+ separated list of cgroup controllers
+ in which hierarchies a user/session
+ cgroup will be created by default for
+ each user logging in, in addition to
+ the cgroup in the named 'name=systemd'
+ hierarchy. If ommited, defaults to an
+ empty list. This may be used to move
+ user sessions into their own groups in
+ the 'cpu' hierarchy which ensures that
+ every logged in user gets an equal
+ amount of CPU time regardless how many
+ processes he has
+ started.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>reset-controllers=</option></term>
+
+ <listitem><para>Takes a comma
+ separated list of cgroup controllers
+ in which hierarchies the logged in
+ processes will be reset to the root
+ cgroup. If ommited, defaults to 'cpu',
+ meaning that a 'cpu' cgroup grouping
+ inherited from the login manager will
+ be reset for the processes of the
+ logged in user.</para></listitem>
+ </varlistentry>
</variablelist>
<para>Note that setting <varname>kill-user=1</varname>
<para>If the options are omitted they default to
<option>create-session=1</option>,
<option>kill-session=0</option>,
- <option>kill-user=0</option>.</para>
+ <option>kill-user=0</option>,
+ <option>reset-controllers=cpu</option>,
+ <option>kill-only-users=</option>,
+ <option>kill-exclude-users=root</option>.</para>
</refsect1>
<refsect1>