1PAM_SYSTEMD(8) pam_systemd PAM_SYSTEMD(8)
2
6 pam_systemd - Register user sessions in the systemd login manager
7
9 pam_systemd.so
10
12 pam_systemd registers user sessions with the systemd login manager
13 systemd-logind.service(8), and hence the systemd control group
14 hierarchy.
15 On login, this module — in conjunction with systemd-logind.service —
17 ensures the following:
18 1. If it does not exist yet, the user runtime directory /run/user/$UID
20 is either created or mounted as new "tmpfs" file system with quota
21 applied, and its ownership changed to the user that is logging in.
22 2. The $XDG_SESSION_ID environment variable is initialized. If
24 auditing is available and pam_loginuid.so was run before this
25 module (which is highly recommended), the variable is initialized
26 from the auditing session id (/proc/self/sessionid). Otherwise, an
27 independent session counter is used.
28 3. A new systemd scope unit is created for the session. If this is the
30 first concurrent session of the user, an implicit per-user slice
31 unit below user.slice is automatically created and the scope placed
32 into it. An instance of the system service user@.service, which
33 runs the systemd user manager instance, is started.
34 On logout, this module ensures the following:
36 1. If enabled in logind.conf(5) (KillUserProcesses=), all processes of
38 the session are terminated. If the last concurrent session of a
39 user ends, the user's systemd instance will be terminated too, and
40 so will the user's slice unit.
41 2. If the last concurrent session of a user ends, the user runtime
43 directory /run/user/$UID and all its contents are removed, too.
44 If the system was not booted up with systemd as init system, this
46 module does nothing and immediately returns PAM_SUCCESS.
47
49 The following options are understood:
50 class=
52 Takes a string argument which sets the session class. The
53 XDG_SESSION_CLASS environment variable (see below) takes
54 precedence. One of "user", "greeter", "lock-screen" or
55 "background". See sd_session_get_class(3) for details about the
56 session class.
57 type=
59 Takes a string argument which sets the session type. The
60 XDG_SESSION_TYPE environment variable (see below) takes precedence.
61 One of "unspecified", "tty", "x11", "wayland" or "mir". See
62 sd_session_get_type(3) for details about the session type.
63 desktop=
65 Takes a single, short identifier string for the desktop
66 environment. The XDG_SESSION_DESKTOP environment variable (see
67 below) takes precedence. This may be used to indicate the session
68 desktop used, where this applies and if this information is
69 available. For example: "GNOME", or "KDE". It is recommended to use
70 the same identifiers and capitalization as for
71 $XDG_CURRENT_DESKTOP, as defined by the Desktop Entry
72 Specification[1]. (However, note that the option only takes a
73 single item, and not a colon-separated list like
74 $XDG_CURRENT_DESKTOP.) See sd_session_get_desktop(3) for further
75 details.
76 debug[=]
78 Takes an optional boolean argument. If yes or without the argument,
79 the module will log debugging information as it operates.
80
82 Only session is provided.
83
85 The following environment variables are initialized by the module and
86 available to the processes of the user's session:
87 $XDG_SESSION_ID
89 A short session identifier, suitable to be used in filenames. The
90 string itself should be considered opaque, although often it is
91 just the audit session ID as reported by /proc/self/sessionid. Each
92 ID will be assigned only once during machine uptime. It may hence
93 be used to uniquely label files or other resources of this session.
94 Combine this ID with the boot identifier, as returned by
95 sd_id128_get_boot(3), for a globally unique identifier for the
96 current session.
97 $XDG_RUNTIME_DIR
99 Path to a user-private user-writable directory that is bound to the
100 user login time on the machine. It is automatically created the
101 first time a user logs in and removed on the user's final logout.
102 If a user logs in twice at the same time, both sessions will see
103 the same $XDG_RUNTIME_DIR and the same contents. If a user logs in
104 once, then logs out again, and logs in again, the directory
105 contents will have been lost in between, but applications should
106 not rely on this behavior and must be able to deal with stale
107 files. To store session-private data in this directory, the user
108 should include the value of $XDG_SESSION_ID in the filename. This
109 directory shall be used for runtime file system objects such as
110 AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed
111 that this directory is local and offers the greatest possible file
112 system feature set the operating system provides. For further
113 details, see the XDG Base Directory Specification[2].
114 $XDG_RUNTIME_DIR is not set if the current user is not the original
115 user of the session.
116 The following environment variables are read by the module and may be
118 used by the PAM service to pass metadata to the module. If these
119 variables are not set when the PAM module is invoked but can be
120 determined otherwise they are set by the module, so that these
121 variables are initialized for the session and applications if known at
122 all.
123 $XDG_SESSION_TYPE
125 The session type. This may be used instead of type= on the module
126 parameter line, and is usually preferred.
127 $XDG_SESSION_CLASS
129 The session class. This may be used instead of class= on the module
130 parameter line, and is usually preferred.
131 $XDG_SESSION_DESKTOP
133 The desktop identifier. This may be used instead of desktop= on the
134 module parameter line, and is usually preferred.
135 $XDG_SEAT
137 The seat name the session shall be registered for, if any.
138 $XDG_VTNR
140 The VT number the session shall be registered for, if any. (Only
141 applies to seats with a VT available, such as "seat0")
142 If not set, pam_systemd will initialize $XDG_SEAT and $XDG_VTNR based
144 on the $DISPLAY variable (if the latter is set).
145
147 PAM modules earlier in the stack, that is those that come before
148 pam_systemd.so, can set session scope limits using the PAM context
149 objects. The data for these objects is provided as NUL-terminated C
150 strings and maps directly to the respective unit resource control
151 directives. Note that these limits apply to individual sessions of the
152 user, they do not apply to all user processes as a combined whole. In
153 particular, the per-user user@.service unit instance, which runs the
154 systemd --user manager process and its children, and is tracked outside
155 of any session, being shared by all the user's sessions, is not covered
156 by these limits.
157 See systemd.resource-control(5) for more information about the
159 resources. Also, see pam_set_data(3) for additional information about
160 how to set the context objects.
161 systemd.memory_max
163 Sets unit MemoryMax=.
164 systemd.tasks_max
166 Sets unit TasksMax=.
167 systemd.cpu_weight
169 Sets unit CPUWeight=.
170 systemd.io_weight
172 Sets unit IOWeight=.
173 Example data as can be provided from an another PAM module:
175 pam_set_data(handle, "systemd.memory_max", (void *)"200M", cleanup);
177 pam_set_data(handle, "systemd.tasks_max", (void *)"50", cleanup);
178 pam_set_data(handle, "systemd.cpu_weight", (void *)"100", cleanup);
179 pam_set_data(handle, "systemd.io_weight", (void *)"340", cleanup);
180
184 #%PAM-1.0
185 auth required pam_unix.so
186 auth required pam_nologin.so
187 account required pam_unix.so
188 password required pam_unix.so
189 session required pam_unix.so
190 session required pam_loginuid.so
191 session required pam_systemd.so
192
194 systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1),
195 pam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd.scope(5),
196 systemd.slice(5), systemd.service(5)
197
199 1. Desktop Entry Specification
200 http://standards.freedesktop.org/desktop-entry-spec/latest/
201 2. XDG Base Directory Specification
203 http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
204systemd 243 PAM_SYSTEMD(8)