PAM_SYSTEMD(8) pam_systemd PAM_SYSTEMD(8)

NAME
pam_systemd - Register user sessions in the systemd control group
hierarchy

SYNOPSIS
pam_systemd.so

DESCRIPTION
pam_systemd registers user sessions in the systemd control group
hierarchy.

On login, this module ensures the following:

1. If it does not exist yet, the user runtime directory
/var/run/user/$USER is created and its ownership changed to the
user that is logging in.

2. If create-session=1 is set, the $XDG_SESSION_ID environment
variable is initialized. If auditing is available and
pam_loginuid.so is run before this module (which is highly
recommended), the variable is initialized from the auditing session
id (/proc/self/sessionid). Otherwise, an independent session counter
is used.

3. If create-session=1 is set, a new control group
/user/$USER/$XDG_SESSION_ID is created and the login process moved
into it.

4. If create-session=0 is set, a new control group
/user/$USER/no-session is created and the login process moved into
it.

On logout, this module ensures the following:

1. If $XDG_SESSION_ID is set and kill-session=1 is specified, all
remaining processes in the /user/$USER/$XDG_SESSION_ID control
group are killed and the control group is removed.

2. If $XDG_SESSION_ID is set and kill-session=0 is specified, all
remaining processes in the /user/$USER/$XDG_SESSION_ID control
group are migrated to /user/$USER/no-session and the original
control group is removed.

3. If kill-user=1 is specified, and no other user session control
group remains except /user/$USER/no-session, all remaining
processes in the /user/$USER hierarchy are killed and the control
group is removed.

4. If kill-user=0 is specified, and no process remains in the
/user/$USER hierarchy, the control group is removed.

5. If the /user/$USER control group was removed, the $XDG_RUNTIME_DIR
directory and all its contents are removed, too.

If the system was not booted up with systemd as init system, this
module does nothing and immediately returns PAM_SUCCESS.

OPTIONS
The following options are understood:

create-session=
Takes a boolean argument. If true, a new session is created: the
$XDG_SESSION_ID environment variable is set and the login process
moved to the /user/$USER/$XDG_SESSION_ID control group. It is
recommended that all services which are directly created on the
user's behalf set this option, but only if they shall
automatically be terminated when the user logs out completely;
otherwise create-session=0 should be set.

kill-session=
Takes a boolean argument. If true, all processes created by the
user during his session and from his session will be terminated
when he logs out from his session.

kill-user=
Takes a boolean argument. If true, all processes created by the
user during his session and from his session will be terminated
after he has logged out completely. This is a weaker version of
kill-session=1 and is more friendly for users logged in more than
once, as their processes are terminated only on their complete
logout.

Note that setting kill-user=1 or even kill-session=1 will break tools
like screen(1).

If the options are omitted they default to create-session=1,
kill-session=0, kill-user=0.

MODULE TYPES PROVIDED
Only session is provided.

ENVIRONMENT
The following environment variables are set for the processes of the
user's session:

$XDG_SESSION_ID
A session identifier, suitable to be used in file names. The string
itself should be considered opaque, although often it is just the
audit session ID as reported by /proc/self/sessionid. Each ID will
be assigned only once during machine uptime. It may hence be used
to uniquely label files or other resources of this session.

$XDG_RUNTIME_DIR
Path to a user-private, user-writable directory that is bound to the
user's login time on the machine. It is automatically created the
first time a user logs in and removed on his final logout. If a
user logs in twice at the same time, both sessions will see the
same $XDG_RUNTIME_DIR and the same contents. If a user logs in
once, then logs out again, and logs in again, the directory
contents will have been lost in between, but applications should
not rely on this behaviour and must be able to deal with stale
files. To store session-private data in this directory the user
should include the value of $XDG_SESSION_ID in the filename. This
directory shall be used for runtime file system objects such as
AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed
that this directory is local and offers the greatest possible file
system feature set the operating system provides.

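As an added example (not part of this man page or of systemd), a POSIX shell helper that applies the $XDG_RUNTIME_DIR contract described above: it verifies that the directory is actually owned by the calling user and not accessible to others before using it, and builds session-scoped file names that carry $XDG_SESSION_ID so that two concurrent logins of the same user do not collide. The function names check_runtime_dir and session_path are assumptions, and the mode/owner lookup relies on GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not code from pam_systemd. Assumes GNU coreutils stat.

# Report whether DIR is the user-private runtime directory the
# ENVIRONMENT section describes: owned by the calling user, mode 0700.
# Prints "ok" or a one-word reason; returns non-zero on any problem.
check_runtime_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then echo "missing"; return 1; fi
    owner=$(stat -c %u "$dir")   # numeric uid of the owner
    mode=$(stat -c %a "$dir")    # octal permission bits
    if [ "$owner" != "$(id -u)" ]; then echo "wrong-owner"; return 1; fi
    if [ "$mode" != "700" ]; then echo "not-private"; return 1; fi
    echo "ok"
}

# Build a session-private path for NAME: the man page says objects that
# belong to one session should include $XDG_SESSION_ID in their name,
# because all concurrent sessions of a user share one $XDG_RUNTIME_DIR.
# Refuses to operate if the directory is not private or the ID is unsafe.
session_path() {
    name=$1
    [ -n "$XDG_RUNTIME_DIR" ] || { echo "XDG_RUNTIME_DIR unset" >&2; return 1; }
    [ -n "$XDG_SESSION_ID" ] || { echo "XDG_SESSION_ID unset" >&2; return 1; }
    # The ID is opaque, but it must never be able to leave the directory.
    case $XDG_SESSION_ID in
        */*|.|..) echo "unsafe session id" >&2; return 1 ;;
    esac
    [ "$(check_runtime_dir "$XDG_RUNTIME_DIR")" = "ok" ] \
        || { echo "runtime dir is not user-private" >&2; return 1; }
    echo "$XDG_RUNTIME_DIR/$name.$XDG_SESSION_ID"
}
```

In a real session you would call, for example, session_path agent.sock and bind an AF_UNIX socket at the printed path.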
EXAMPLE
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
session required pam_systemd.so kill-user=1

SEE ALSO
pam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd(1)

AUTHOR
Lennart Poettering <lennart@poettering.net>
Developer

systemd 09/14/2010 PAM_SYSTEMD(8)