PAM_SYSTEMD(8)                    pam_systemd                   PAM_SYSTEMD(8)

NAME

       pam_systemd - Register user sessions in the systemd login manager

SYNOPSIS

       pam_systemd.so

DESCRIPTION

       pam_systemd registers user sessions with the systemd login manager
       systemd-logind.service(8), and hence the systemd control group
       hierarchy.

       On login, this module — in conjunction with systemd-logind.service —
       ensures the following:

        1. If it does not exist yet, the user runtime directory /run/user/$UID
           is either created or mounted as a new "tmpfs" file system with quota
           applied, and its ownership changed to the user that is logging in.

        2. The $XDG_SESSION_ID environment variable is initialized. If
           auditing is available and pam_loginuid.so was run before this
           module (which is highly recommended), the variable is initialized
           from the auditing session id (/proc/self/sessionid). Otherwise, an
           independent session counter is used.

        3. A new systemd scope unit is created for the session. If this is the
           first concurrent session of the user, an implicit per-user slice
           unit below user.slice is automatically created and the scope placed
           into it. An instance of the system service user@.service, which
           runs the systemd user manager instance, is started.

       On logout, this module ensures the following:

        1. If enabled in logind.conf(5) (KillUserProcesses=), all processes of
           the session are terminated. If the last concurrent session of a
           user ends, the user's systemd instance will be terminated too, and
           so will the user's slice unit.

        2. If the last concurrent session of a user ends, the user runtime
           directory /run/user/$UID and all its contents are removed, too.

       If the system was not booted up with systemd as init system, this
       module does nothing and immediately returns PAM_SUCCESS.

OPTIONS

       The following options are understood:

       class=
           Takes a string argument which sets the session class. The
           XDG_SESSION_CLASS environment variable takes precedence. One of
           "user", "greeter", "lock-screen" or "background". See
           sd_session_get_class(3) for details about the session class.

       type=
           Takes a string argument which sets the session type. The
           XDG_SESSION_TYPE environment variable takes precedence. One of
           "unspecified", "tty", "x11", "wayland" or "mir". See
           sd_session_get_type(3) for details about the session type.

       debug[=]
           Takes an optional boolean argument. If yes or without the argument,
           the module will log debugging information as it operates.

MODULE TYPES PROVIDED

       Only session is provided.

ENVIRONMENT

       The following environment variables are set for the processes of the
       user's session:

       $XDG_SESSION_ID
           A session identifier, suitable to be used in filenames. The string
           itself should be considered opaque, although often it is just the
           audit session ID as reported by /proc/self/sessionid. Each ID will
           be assigned only once during machine uptime. It may hence be used
           to uniquely label files or other resources of this session.

       $XDG_RUNTIME_DIR
           Path to a user-private user-writable directory that is bound to the
           user login time on the machine. It is automatically created the
           first time a user logs in and removed on the user's final logout.
           If a user logs in twice at the same time, both sessions will see
           the same $XDG_RUNTIME_DIR and the same contents. If a user logs in
           once, then logs out again, and logs in again, the directory
           contents will have been lost in between, but applications should
           not rely on this behavior and must be able to deal with stale
           files. To store session-private data in this directory, the user
           should include the value of $XDG_SESSION_ID in the filename. This
           directory shall be used for runtime file system objects such as
           AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed
           that this directory is local and offers the greatest possible file
           system feature set the operating system provides. For further
           details, see the XDG Base Directory Specification[1].
           $XDG_RUNTIME_DIR is not set if the current user is not the original
           user of the session.

       The following environment variables are read by the module and may be
       used by the PAM service to pass metadata to the module:

       $XDG_SESSION_TYPE
           The session type. This may be used instead of type= on the
           module parameter line, and is usually preferred.

       $XDG_SESSION_CLASS
           The session class. This may be used instead of class= on the module
           parameter line, and is usually preferred.

       $XDG_SESSION_DESKTOP
           A single, short identifier string for the desktop environment. This
           may be used to indicate the session desktop used, where this
           applies and if this information is available. For example: "GNOME",
           or "KDE". It is recommended to use the same identifiers and
           capitalization as for $XDG_CURRENT_DESKTOP, as defined by the
           Desktop Entry Specification[2]. (However, note that
           $XDG_SESSION_DESKTOP only takes a single item, and not a
           colon-separated list like $XDG_CURRENT_DESKTOP.) See
           sd_session_get_desktop(3) for more details.

       $XDG_SEAT
           The seat name the session shall be registered for, if any.

       $XDG_VTNR
           The VT number the session shall be registered for, if any. (Only
           applies to seats with a VT available, such as "seat0")

       If not set, pam_systemd will determine the values for $XDG_SEAT and
       $XDG_VTNR based on the $DISPLAY variable.
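
       The rules for $XDG_RUNTIME_DIR and $XDG_SESSION_ID above, as an added
       example in Python (not part of systemd or of this manual page): it
       vets the runtime directory, builds a session-private file name and
       replaces a stale PID file. The function names are assumptions; the
       owner and mode 0700 check comes from the XDG Base Directory
       Specification[1], not from this page.

```python
import os
import stat

def session_private_path(name, env=os.environ, uid=None):
    """Return $XDG_RUNTIME_DIR/<name>.<$XDG_SESSION_ID> after vetting the directory."""
    uid = os.getuid() if uid is None else uid
    runtime, session = env.get("XDG_RUNTIME_DIR"), env.get("XDG_SESSION_ID")
    if not runtime or not session:
        # $XDG_RUNTIME_DIR is unset when we are not the session's original user.
        raise RuntimeError("no usable runtime directory for this session")
    st = os.lstat(runtime)
    # Ownership by the user and mode 0700 are requirements of the XDG
    # Base Directory Specification (assumption: not stated on this page).
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid or stat.S_IMODE(st.st_mode) != 0o700:
        raise PermissionError(f"{runtime} is not a private directory of uid {uid}")
    if "/" in session or session in (".", ".."):
        raise ValueError("session id is not usable in a file name")
    return os.path.join(runtime, f"{name}.{session}")

def pid_alive(path):
    """True if path records the PID of a process that still exists."""
    try:
        with open(path) as f:
            pid = int(f.read().strip())
        if pid <= 0:
            return False
        os.kill(pid, 0)  # signal 0 only checks for existence
    except (ValueError, ProcessLookupError, FileNotFoundError):
        return False
    except PermissionError:
        return True  # process exists but belongs to another user
    return True

def claim_pid_file(path):
    """Create the PID file exclusively; replace it only when it is stale."""
    for _ in range(2):
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        except FileExistsError:
            if pid_alive(path):
                raise
            os.unlink(path)  # stale leftover, e.g. from an earlier login
            continue
        with os.fdopen(fd, "w") as f:
            f.write(str(os.getpid()))
        return path
    raise FileExistsError(path)
```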

SESSION LIMITS

       PAM modules earlier in the stack, that is those that come before
       pam_systemd.so, can set session scope limits using the PAM context
       objects. The data for these objects is provided as NUL-terminated C
       strings and maps directly to the respective unit resource control
       directives. Note that these limits apply to individual sessions of the
       user, they do not apply to all user processes as a combined whole. In
       particular, the per-user user@.service unit instance, which runs the
       systemd --user manager process and its children, and is tracked outside
       of any session, being shared by all the user's sessions, is not covered
       by these limits.

       See systemd.resource-control(5) for more information about the
       resources. Also, see pam_set_data(3) for additional information about
       how to set the context objects.

       systemd.memory_max
           Sets unit MemoryMax=.

       systemd.tasks_max
           Sets unit TasksMax=.

       systemd.cpu_weight
           Sets unit CPUWeight=.

       systemd.io_weight
           Sets unit IOWeight=.

       Example data as can be provided from another PAM module:

           pam_set_data(handle, "systemd.memory_max", (void *)"200M", cleanup);
           pam_set_data(handle, "systemd.tasks_max",  (void *)"50",   cleanup);
           pam_set_data(handle, "systemd.cpu_weight", (void *)"100",  cleanup);
           pam_set_data(handle, "systemd.io_weight",  (void *)"340",  cleanup);

EXAMPLE

           #%PAM-1.0
           auth       required     pam_unix.so
           auth       required     pam_nologin.so
           account    required     pam_unix.so
           password   required     pam_unix.so
           session    required     pam_unix.so
           session    required     pam_loginuid.so
           session    required     pam_systemd.so
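
       A check for the ordering and options described on this page, as an
       added example in Python (not part of systemd): it flags pam_systemd.so
       outside the session stack, a session stack in which pam_loginuid.so has
       not run first, and class=/type= values not listed under OPTIONS. The
       function name and the sample file are constructed for illustration.

```python
import os
import re

# Allowed values as listed in the OPTIONS section of this page.
CLASSES = {"user", "greeter", "lock-screen", "background"}
TYPES = {"unspecified", "tty", "x11", "wayland", "mir"}
# Fields: type, control (word or [bracketed]), module path, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lint_pam_systemd(text):
    """Return (line, message) findings; @include'd files are not followed."""
    findings, loginuid_seen = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # blank line, comment or @include
        mtype, _control, path, args = m.groups()
        module = os.path.basename(path)
        if mtype == "session" and module == "pam_loginuid.so":
            loginuid_seen = True
        if module != "pam_systemd.so":
            continue
        if mtype != "session":
            findings.append((lineno, "pam_systemd.so only provides the session type"))
            continue
        if not loginuid_seen:
            findings.append((lineno, "pam_loginuid.so should run before pam_systemd.so"))
        for arg in args.split():
            key, _, value = arg.partition("=")
            if key == "class" and value not in CLASSES:
                findings.append((lineno, f"unknown session class {value!r}"))
            elif key == "type" and value not in TYPES:
                findings.append((lineno, f"unknown session type {value!r}"))
            elif key not in ("class", "type", "debug"):
                findings.append((lineno, f"unknown option {key!r}"))
    return findings

# Constructed sample: wrong module type, no pam_loginuid.so, invalid class.
SAMPLE = """#%PAM-1.0
auth     required  pam_systemd.so
session  required  pam_unix.so
session  optional  /lib/security/pam_systemd.so class=admin type=wayland debug
"""

if __name__ == "__main__":
    for lineno, message in lint_pam_systemd(SAMPLE):
        print(f"line {lineno}: {message}")
```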

SEE ALSO

       systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1),
       pam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd.scope(5),
       systemd.slice(5), systemd.service(5)

NOTES

        1. XDG Base Directory Specification
           http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

        2. Desktop Entry Specification
           http://standards.freedesktop.org/desktop-entry-spec/latest/

systemd 239                                                     PAM_SYSTEMD(8)