systemd-logind will start user@.service. The user@.service unit uses
PAM with service name 'systemd-user' to perform account and session
management tasks. Previously, the name was 'systemd-shared'; it is
now changed to 'systemd-user'.
Most PAM installations use one common setup for different callers.
Based on a quick poll, distributions fall into two camps: those that
have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia,
Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE).
Distributions that have system-auth have just one configuration file
that contains auth, password, account, and session blocks, and
distributions that have common-auth also have common-session,
common-password, and common-account. It is thus impossible to use one
configuration file which would work for everybody. systemd-user now
refers to system-auth, because it seems that the approach with one
file is more popular and also easier, so let's follow that.
dbussystemservicedir=@dbussystemservicedir@
dbusinterfacedir=@dbusinterfacedir@
pamlibdir=@pamlibdir@
dbussystemservicedir=@dbussystemservicedir@
dbusinterfacedir=@dbusinterfacedir@
pamlibdir=@pamlibdir@
pkgconfigdatadir=$(datadir)/pkgconfig
pkgconfiglibdir=$(libdir)/pkgconfig
polkitpolicydir=$(datadir)/polkit-1/actions
pkgconfigdatadir=$(datadir)/pkgconfig
pkgconfiglibdir=$(libdir)/pkgconfig
polkitpolicydir=$(datadir)/polkit-1/actions
pamlib_LTLIBRARIES = \
pam_systemd.la
pamlib_LTLIBRARIES = \
pam_systemd.la
+
+dist_pamconf_DATA = \
+ src/login/systemd-user
endif
# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
endif
# move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
--with-bashcompletiondir=$$dc_install_base/$(bashcompletiondir) \
--with-zshcompletiondir=$$dc_install_base/$(zshcompletiondir) \
--with-pamlibdir=$$dc_install_base/$(pamlibdir) \
--with-bashcompletiondir=$$dc_install_base/$(bashcompletiondir) \
--with-zshcompletiondir=$$dc_install_base/$(zshcompletiondir) \
--with-pamlibdir=$$dc_install_base/$(pamlibdir) \
+ --with-pamconfdir=$$dc_install_base/$(pamconfdir) \
--with-rootprefix=$$dc_install_base \
--disable-split-usr
--with-rootprefix=$$dc_install_base \
--disable-split-usr
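Review bot: `dist_pamconf_DATA` in the second hunk installs `src/login/systemd-user` whenever the surrounding conditional (closed by the `endif` below it) is true, and a packager has no way to skip it. The commit message itself says the `system-auth` file it includes does not exist on the common-* distributions, so there the installed policy would reference a missing file and presumably has to be patched or deleted downstream. Consider letting `--with-pamconfdir=no` disable installation: in configure.ac add `AM_CONDITIONAL(ENABLE_PAM_CONFIG, [test "$with_pamconfdir" != "no"])` and wrap the two `dist_pamconf_DATA` lines in `if ENABLE_PAM_CONFIG` / `endif`. The `AC_ARG_WITH([pamconfdir], …)` help string in configure.ac would then need to mention the opt-out.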
[],
[with_pamlibdir=${with_rootlibdir}/security])
[],
[with_pamlibdir=${with_rootlibdir}/security])
+AC_ARG_WITH([pamconfdir],
+ AS_HELP_STRING([--with-pamconfdir=DIR], [Directory for PAM configuration]),
+ [],
+ [with_pamconfdir=${sysconfdir}/pam.d])
+
AC_ARG_ENABLE([split-usr],
AS_HELP_STRING([--enable-split-usr], [Assume that /bin, /sbin aren\'t symlinks into /usr]),
[],
AC_ARG_ENABLE([split-usr],
AS_HELP_STRING([--enable-split-usr], [Assume that /bin, /sbin aren\'t symlinks into /usr]),
[],
AC_SUBST([bashcompletiondir], [$with_bashcompletiondir])
AC_SUBST([zshcompletiondir], [$with_zshcompletiondir])
AC_SUBST([pamlibdir], [$with_pamlibdir])
AC_SUBST([bashcompletiondir], [$with_bashcompletiondir])
AC_SUBST([zshcompletiondir], [$with_zshcompletiondir])
AC_SUBST([pamlibdir], [$with_pamlibdir])
+AC_SUBST([pamconfdir], [$with_pamconfdir])
AC_SUBST([rootprefix], [$with_rootprefix])
AC_SUBST([rootlibdir], [$with_rootlibdir])
AC_SUBST([rootprefix], [$with_rootprefix])
AC_SUBST([rootlibdir], [$with_rootlibdir])
Installation Python: ${PYTHON_BINARY}
firmware path: ${FIRMWARE_PATH}
PAM modules dir: ${with_pamlibdir}
Installation Python: ${PYTHON_BINARY}
firmware path: ${FIRMWARE_PATH}
PAM modules dir: ${with_pamlibdir}
+ PAM configuration dir: ${with_pamconfdir}
D-Bus policy dir: ${with_dbuspolicydir}
D-Bus session dir: ${with_dbussessionservicedir}
D-Bus system dir: ${with_dbussystemservicedir}
D-Bus policy dir: ${with_dbuspolicydir}
D-Bus session dir: ${with_dbussessionservicedir}
D-Bus system dir: ${with_dbussystemservicedir}
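Review bot: The default `with_pamconfdir=${sysconfdir}/pam.d` follows whatever `--sysconfdir` the build uses, so a build that keeps autoconf's default (`${prefix}/etc`) would put `systemd-user` in a directory PAM likely does not read. In that case Linux-PAM would apply its `other` policy to the `systemd-user` service instead of the shipped one, which is easy to miss. I would say so in the help text, e.g. `AS_HELP_STRING([--with-pamconfdir=DIR], [Directory for PAM configuration (must be a directory PAM reads, normally /etc/pam.d)])`. The new `PAM configuration dir:` summary line helps, but it is worth checking that it prints the expanded path rather than a literal `${prefix}/etc/pam.d`.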
/* Make sure we don't enter a loop by talking to
* systemd-logind when it is actually waiting for the
* background to finish start-up. If the service is
/* Make sure we don't enter a loop by talking to
* systemd-logind when it is actually waiting for the
* background to finish start-up. If the service is
- * "systemd-shared" we simply set XDG_RUNTIME_DIR and
+ * "systemd-user" we simply set XDG_RUNTIME_DIR and
* leave. */
pam_get_item(handle, PAM_SERVICE, (const void**) &service);
* leave. */
pam_get_item(handle, PAM_SERVICE, (const void**) &service);
- if (streq_ptr(service, "systemd-shared")) {
+ if (streq_ptr(service, "systemd-user")) {
char *p, *rt = NULL;
if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) {
char *p, *rt = NULL;
if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) {
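Review bot: The literal `"systemd-user"` in the `streq_ptr` check is now one end of a contract with the policy file name `src/login/systemd-user` and with whatever sets the PAM service name for user@.service (not visible in this hunk), and nothing here says so. If the names drift apart, this shortcut stops matching and the module would go on to talk to systemd-logind, which is the loop the comment warns about. I would add to the existing comment: `The name must match the PAM service name of user@.service and the file installed in pamconfdir.` The result of `pam_get_item()` is also ignored on the line above, so the check presumably relies on `service` being NULL-initialised outside the hunk; the enclosing function starts and ends outside what is shown.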
--- /dev/null
+#%PAM-1.0
+
+# Used by systemd when launching systemd user instances.
+
+account include system-auth
+session include system-auth
+auth required pam_deny.so
+password required pam_deny.so
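Review bot: The policy file does not explain why `auth` and `password` are sent to `pam_deny.so`, nor that the two `include system-auth` lines only resolve on distributions that ship a `system-auth` file. Denying both is the right fail-closed choice, since by the commit message this service is only used for account and session handling, but a later editor could take the lines for a mistake. I would add comments such as `# The user instance never authenticates or changes passwords; deny both.` above the `pam_deny.so` lines and `# Distributions with common-* files must replace system-auth with common-account / common-session.` above the includes.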
Type=notify
ExecStart=-@rootlibexecdir@/systemd --user
Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%I/dbus/user_bus_socket
Type=notify
ExecStart=-@rootlibexecdir@/systemd --user
Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%I/dbus/user_bus_socket