PAM_SYSTEMD(8)                    pam_systemd                    PAM_SYSTEMD(8)

NAME
       pam_systemd - Register user sessions in the systemd login manager

SYNOPSIS
       pam_systemd.so

DESCRIPTION
       pam_systemd registers user sessions with the systemd login manager
       systemd-logind.service(8), and hence the systemd control group
       hierarchy.

       On login, this module ensures the following:

        1. If it does not exist yet, the user runtime directory
           /run/user/$USER is created and its ownership changed to the user
           that is logging in.

        2. The $XDG_SESSION_ID environment variable is initialized. If
           auditing is available and pam_loginuid.so was run before this
           module (which is highly recommended), the variable is initialized
           from the auditing session id (/proc/self/sessionid). Otherwise, an
           independent session counter is used.

        3. A new systemd scope unit is created for the session. If this is the
           first concurrent session of the user, an implicit slice below
           user.slice is automatically created and the scope placed into it.

       On logout, this module ensures the following:

        1. If enabled in logind.conf(5), all processes of the session are
           terminated. If the last concurrent session of a user ends, the
           user's slice unit will be terminated too.

        2. If the last concurrent session of a user ends, the $XDG_RUNTIME_DIR
           directory and all its contents are removed, too.

       If the system was not booted up with systemd as init system, this
       module does nothing and immediately returns PAM_SUCCESS.

OPTIONS
       The following options are understood:

       class=
           Takes a string argument which sets the session class. The
           XDG_SESSION_CLASS environment variable takes precedence. One of
           "user", "greeter", "lock-screen" or "background". See
           sd_session_get_class(3) for details about the session class.

       type=
           Takes a string argument which sets the session type. The
           XDG_SESSION_TYPE environment variable takes precedence. One of
           "unspecified", "tty", "x11", "wayland" or "mir". See
           sd_session_get_type(3) for details about the session type.

       debug[=]
           Takes an optional boolean argument. If yes or without the argument,
           the module will log debugging information as it operates.

MODULE TYPES PROVIDED
       Only session is provided.

ENVIRONMENT
       The following environment variables are set for the processes of the
       user's session:

       $XDG_SESSION_ID
           A session identifier, suitable to be used in filenames. The string
           itself should be considered opaque, although often it is just the
           audit session ID as reported by /proc/self/sessionid. Each ID will
           be assigned only once during machine uptime. It may hence be used
           to uniquely label files or other resources of this session.

       $XDG_RUNTIME_DIR
           Path to a user-private user-writable directory that is bound to the
           user login time on the machine. It is automatically created the
           first time a user logs in and removed on the user's final logout.
           If a user logs in twice at the same time, both sessions will see
           the same $XDG_RUNTIME_DIR and the same contents. If a user logs in
           once, then logs out again, and logs in again, the directory
           contents will have been lost in between, but applications should
           not rely on this behavior and must be able to deal with stale
           files. To store session-private data in this directory, the user
           should include the value of $XDG_SESSION_ID in the filename. This
           directory shall be used for runtime file system objects such as
           AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed
           that this directory is local and offers the greatest possible file
           system feature set the operating system provides. For further
           details see the XDG Base Directory Specification[1].

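       The following shell functions are an added example, not part of the
       original manual page: they show one way for an application to verify
       that $XDG_RUNTIME_DIR is user-private, build a session-private file name
       from $XDG_SESSION_ID, and cope with a stale file. The function names and
       the character allow-list for the session ID are assumptions.

```sh
#!/bin/sh
# Added example (not from the man page). Function names are hypothetical.

# Succeed only if DIR is a real directory (no symlink) owned by the caller
# with mode 0700, i.e. "user-private". stat -c is GNU coreutils.
check_runtime_dir() {
    dir=$1
    [ -n "$dir" ] && [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ "$(stat -c '%u %a' "$dir")" = "$(id -u) 700" ] || return 1
}

# Print "$XDG_RUNTIME_DIR/NAME.$XDG_SESSION_ID" after validating both parts.
session_file_path() {
    check_runtime_dir "$XDG_RUNTIME_DIR" || return 1
    # The ID is opaque; this allow-list is a conservative assumption that
    # keeps path separators and dot-names out of the filename.
    case $XDG_SESSION_ID in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    case $1 in
        ''|*/*) return 1 ;;
    esac
    printf '%s/%s.%s\n' "$XDG_RUNTIME_DIR" "$1" "$XDG_SESSION_ID"
}

# Replace any stale file left under the same name, then create a fresh one.
claim_session_file() {
    path=$(session_file_path "$1") || return 1
    rm -f -- "$path"
    # umask 077 gives mode 0600; noclobber (set -C) makes creation fail
    # instead of writing through a file or symlink that reappeared.
    ( umask 077; set -C; : > "$path" ) || return 1
    printf '%s\n' "$path"
}
```
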
       The following environment variables are read by the module and may be
       used by the PAM service to pass metadata to the module:

       $XDG_SESSION_TYPE
           The session type. This may be used instead of type= on the
           module parameter line, and is usually preferred.

       $XDG_SESSION_CLASS
           The session class. This may be used instead of class= on the module
           parameter line, and is usually preferred.

       $XDG_SESSION_DESKTOP
           A single, short identifier string for the desktop environment. This
           may be used to indicate the session desktop used, where this
           applies and if this information is available. For example: "GNOME",
           or "KDE". It is recommended to use the same identifiers and
           capitalization as for $XDG_CURRENT_DESKTOP, as defined by the
           Desktop Entry Specification[2]. (However, note that
           $XDG_SESSION_DESKTOP only takes a single item, and not a
           colon-separated list like $XDG_CURRENT_DESKTOP.) See
           sd_session_get_desktop(3) for more details.

       $XDG_SEAT
           The seat name the session shall be registered for, if any.

       $XDG_VTNR
           The VT number the session shall be registered for, if any. (Only
           applies to seats with a VT available, such as "seat0".)

EXAMPLE
           #%PAM-1.0
           auth       required     pam_unix.so
           auth       required     pam_nologin.so
           account    required     pam_unix.so
           password   required     pam_unix.so
           session    required     pam_unix.so
           session    required     pam_loginuid.so
           session    required     pam_systemd.so

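       The check below is an added example, not part of the original manual
       page: it audits a PAM service file for the ordering recommended above,
       with pam_loginuid.so in the session stack before pam_systemd.so. The
       function names and verdict strings are assumptions, and the misordered
       stack is constructed sample input.

```sh
#!/bin/sh
# Added example (not from the man page); function names are hypothetical.

# Print a verdict for one PAM service file; exit status 0 only for "ok".
# Limitation: "include"/"substack" lines are not followed.
check_pam_order() {
    awk '
        { sub(/#.*/, "") }                             # strip comments
        $1 != "session" && $1 != "-session" { next }   # session stack only
        /pam_loginuid\.so/ && !loginuid { loginuid = NR }
        /pam_systemd\.so/  && !systemd  { systemd  = NR }
        END {
            if (!systemd)           { print "pam_systemd-missing";  exit 2 }
            if (!loginuid)          { print "pam_loginuid-missing"; exit 1 }
            if (loginuid > systemd) { print "pam_loginuid-after-pam_systemd"; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed sample: session lines with the two modules in the wrong order.
misordered_stack() {
    printf '%s\n' \
        '#%PAM-1.0' \
        'session  required  pam_unix.so' \
        '-session optional  pam_systemd.so   # registered first' \
        'session  required  pam_loginuid.so'
}
```

       With the wrong order, $XDG_SESSION_ID comes from the independent session
       counter instead of the audit session ID.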
SEE ALSO
       systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1),
       pam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd.scope(5),
       systemd.slice(5), systemd.service(5)

NOTES
        1. XDG Base Directory Specification
           http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

        2. Desktop Entry Specification
           http://standards.freedesktop.org/desktop-entry-spec/latest/

systemd 219                                                      PAM_SYSTEMD(8)