From: Zbigniew Jędrzejewski-Szmek
Date: Wed, 11 Sep 2013 18:31:14 +0000 (-0400)
Subject: Add pam configuration to allow user sessions to work out of the box
X-Git-Tag: v207~20
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=5c390a4ae0d383b2003074ed011d47876c7e630c;ds=sidebyside

Add pam configuration to allow user sessions to work out of the box

systemd-logind will start user@.service. user@.service unit uses PAM with service name 'systemd-user' to perform account and session managment tasks. Previously, the name was 'systemd-shared', it is now changed to 'systemd-user'. Most PAM installations use one common setup for different callers. Based on a quick poll, distributions fall into two camps: those that have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia, Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE). Distributions that have system-auth have just one configuration file that contains auth, password, account, and session blocks, and distributions that have common-auth also have common-session, common-password, and common-account. It is thus impossible to use one configuration file which would work for everybody. systemd-user now refers to system-auth, because it seems that the approach with one file is more popular and also easier, so let's follow that.
---
diff --git a/Makefile.am b/Makefile.am
index c8283d59e..3cb6c494c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -64,6 +64,7 @@ dbussessionservicedir=@dbussessionservicedir@
 dbussystemservicedir=@dbussystemservicedir@
 dbusinterfacedir=@dbusinterfacedir@
 pamlibdir=@pamlibdir@
+pamconfdir=@pamconfdir@
 pkgconfigdatadir=$(datadir)/pkgconfig
 pkgconfiglibdir=$(libdir)/pkgconfig
 polkitpolicydir=$(datadir)/polkit-1/actions
@@ -3905,6 +3906,9 @@ pam_systemd_la_LIBADD = \
 pamlib_LTLIBRARIES = \
 pam_systemd.la
+
+dist_pamconf_DATA = \
+ src/login/systemd-user
 endif
 # move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
@@ -4460,6 +4464,7 @@ DISTCHECK_CONFIGURE_FLAGS = \
 --with-bashcompletiondir=$$dc_install_base/$(bashcompletiondir) \
 --with-zshcompletiondir=$$dc_install_base/$(zshcompletiondir) \
 --with-pamlibdir=$$dc_install_base/$(pamlibdir) \
+ --with-pamconfdir=$$dc_install_base/$(pamconfdir) \
 --with-rootprefix=$$dc_install_base \
 --disable-split-usr
diff --git a/configure.ac b/configure.ac
index 2541344f0..c6978c72a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -943,6 +943,11 @@ AC_ARG_WITH([pamlibdir],
 [],
 [with_pamlibdir=${with_rootlibdir}/security])
+AC_ARG_WITH([pamconfdir],
+ AS_HELP_STRING([--with-pamconfdir=DIR], [Directory for PAM configuration]),
+ [],
+ [with_pamconfdir=${sysconfdir}/pam.d])
+
 AC_ARG_ENABLE([split-usr],
 AS_HELP_STRING([--enable-split-usr], [Assume that /bin, /sbin aren\'t symlinks into /usr]),
 [],
@@ -975,6 +980,7 @@ AC_SUBST([dbusinterfacedir], [$with_dbusinterfacedir])
 AC_SUBST([bashcompletiondir], [$with_bashcompletiondir])
 AC_SUBST([zshcompletiondir], [$with_zshcompletiondir])
 AC_SUBST([pamlibdir], [$with_pamlibdir])
+AC_SUBST([pamconfdir], [$with_pamconfdir])
 AC_SUBST([rootprefix], [$with_rootprefix])
 AC_SUBST([rootlibdir], [$with_rootlibdir])
@@ -1047,6 +1053,7 @@ AC_MSG_RESULT([
 Installation Python: ${PYTHON_BINARY}
 firmware path: ${FIRMWARE_PATH}
 PAM modules dir: ${with_pamlibdir}
+ PAM configuration dir: ${with_pamconfdir}
 D-Bus policy dir: ${with_dbuspolicydir}
 D-Bus session dir: ${with_dbussessionservicedir}
 D-Bus system dir: ${with_dbussystemservicedir}
diff --git a/src/login/pam-module.c b/src/login/pam-module.c
index 8c5b3a10f..49296b5d6 100644
--- a/src/login/pam-module.c
+++ b/src/login/pam-module.c
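Review bot: In the first configure.ac hunk, the new `--with-pamconfdir` default `${sysconfdir}/pam.d` follows the configured sysconfdir, so a build whose sysconfdir is not /etc installs `systemd-user` into a directory libpam may not search. As far as I know Linux-PAM then falls back to the `other` service for a service name it has no file for, so user@.service would run with whatever policy `other` carries rather than the one in src/login/systemd-user. I would say so in the help string, e.g. `[Directory for PAM configuration (must be one libpam searches, normally /etc/pam.d)]`. The `PAM configuration dir:` summary line added in the last hunk will probably also print an unexpanded `${prefix}/etc/pam.d` when sysconfdir is left at its default.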
@@ -220,11 +220,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
 /* Make sure we don't enter a loop by talking to
 * systemd-logind when it is actually waiting for the
 * background to finish start-up. If the service is
- * "systemd-shared" we simply set XDG_RUNTIME_DIR and
+ * "systemd-user" we simply set XDG_RUNTIME_DIR and
 * leave. */
 pam_get_item(handle, PAM_SERVICE, (const void**) &service);
- if (streq_ptr(service, "systemd-shared")) {
+ if (streq_ptr(service, "systemd-user")) {
 char *p, *rt = NULL;
 if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) {
diff --git a/src/login/systemd-user b/src/login/systemd-user
new file mode 100644
index 000000000..7b57dbf78
--- /dev/null
+++ b/src/login/systemd-user
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+# Used by systemd when launching systemd user instances.
+
+account include system-auth
+session include system-auth
+auth required pam_deny.so
+password required pam_deny.so
diff --git a/units/user@.service.in b/units/user@.service.in
index 8f9a3b334..3f8b59d07 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -11,7 +11,7 @@ After=systemd-user-sessions.service
 [Service]
 User=%I
-PAMName=systemd-shared
+PAMName=systemd-user
 Type=notify
 ExecStart=-@rootlibexecdir@/systemd --user
 Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%I/dbus/user_bus_socket
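Review bot: The literal `"systemd-user"` in the src/login/pam-module.c hunk now has to match both `PAMName=` in units/user@.service.in and the file name src/login/systemd-user, and nothing in the code records that coupling. If one of the three drifts, this early-exit branch stops matching and, going by the comment above it, the module would talk to systemd-logind while logind is still waiting for the unit to start. I would add a line to the comment, `* The name must match PAMName= in user@.service and the file installed in pam.d.` Also on the new side, the result of `pam_get_item()` is not checked before `service` is compared. Whether `service` is initialised is outside the hunk, as is the rest of the pam_sm_open_session body.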
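Review bot: The new src/login/systemd-user file does not say why `auth` and `password` are bound to `pam_deny.so`, nor that `system-auth` is absent on distributions that ship common-account and common-session. The commit message explains both, but an administrator reading the installed file later has only the file, and an include target that does not exist is likely to make the account and session stacks fail to load. I would add two comments: `# Only account and session management are performed for this service; auth and password are denied on purpose.` and `# Distributions without system-auth must point the includes at common-account and common-session.` Whether the session stack reaches pam_systemd.so depends entirely on what system-auth contains on the target system, which is worth stating in the file as well.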