PAM_SYSTEMD(8)                    pam_systemd                   PAM_SYSTEMD(8)

NAME

       pam_systemd - Register user sessions in the systemd login manager

SYNOPSIS

       pam_systemd.so

DESCRIPTION

       pam_systemd registers user sessions with the systemd login manager
       systemd-logind.service(8), and hence the systemd control group
       hierarchy.

       On login, this module — in conjunction with systemd-logind.service —
       ensures the following:

        1. If it does not exist yet, the user runtime directory /run/user/$UID
           is either created or mounted as a new "tmpfs" file system with quota
           applied, and its ownership changed to the user that is logging in.

        2. The $XDG_SESSION_ID environment variable is initialized. If
           auditing is available and pam_loginuid.so was run before this
           module (which is highly recommended), the variable is initialized
           from the auditing session id (/proc/self/sessionid). Otherwise, an
           independent session counter is used.

        3. A new systemd scope unit is created for the session. If this is the
           first concurrent session of the user, an implicit per-user slice
           unit below user.slice is automatically created and the scope placed
           into it. An instance of the system service user@.service, which
           runs the systemd user manager instance, is started.

       On logout, this module ensures the following:

        1. If enabled in logind.conf(5) (KillUserProcesses=), all processes of
           the session are terminated. If the last concurrent session of a
           user ends, the user's systemd instance will be terminated too, and
           so will the user's slice unit.

        2. If the last concurrent session of a user ends, the user runtime
           directory /run/user/$UID and all its contents are removed, too.

       If the system was not booted up with systemd as init system, this
       module does nothing and immediately returns PAM_SUCCESS.

OPTIONS

       The following options are understood:

       class=
           Takes a string argument which sets the session class. The
           XDG_SESSION_CLASS environment variable (see below) takes
           precedence. One of "user", "greeter", "lock-screen" or
           "background". See sd_session_get_class(3) for details about the
           session class.

       type=
           Takes a string argument which sets the session type. The
           XDG_SESSION_TYPE environment variable (see below) takes precedence.
           One of "unspecified", "tty", "x11", "wayland" or "mir". See
           sd_session_get_type(3) for details about the session type.

       desktop=
           Takes a single, short identifier string for the desktop
           environment. The XDG_SESSION_DESKTOP environment variable (see
           below) takes precedence. This may be used to indicate the session
           desktop used, where this applies and if this information is
           available. For example: "GNOME", or "KDE". It is recommended to use
           the same identifiers and capitalization as for
           $XDG_CURRENT_DESKTOP, as defined by the Desktop Entry
           Specification[1]. (However, note that the option only takes a
           single item, and not a colon-separated list like
           $XDG_CURRENT_DESKTOP.) See sd_session_get_desktop(3) for further
           details.

       debug[=]
           Takes an optional boolean argument. If yes or without the argument,
           the module will log debugging information as it operates.

MODULE TYPES PROVIDED

       Only session is provided.

ENVIRONMENT

       The following environment variables are initialized by the module and
       available to the processes of the user's session:

       $XDG_SESSION_ID
           A short session identifier, suitable to be used in filenames. The
           string itself should be considered opaque, although often it is
           just the audit session ID as reported by /proc/self/sessionid. Each
           ID will be assigned only once during machine uptime. It may hence
           be used to uniquely label files or other resources of this session.
           Combine this ID with the boot identifier, as returned by
           sd_id128_get_boot(3), for a globally unique identifier for the
           current session.

       $XDG_RUNTIME_DIR
           Path to a user-private user-writable directory that is bound to the
           user login time on the machine. It is automatically created the
           first time a user logs in and removed on the user's final logout.
           If a user logs in twice at the same time, both sessions will see
           the same $XDG_RUNTIME_DIR and the same contents. If a user logs in
           once, then logs out again, and logs in again, the directory
           contents will have been lost in between, but applications should
           not rely on this behavior and must be able to deal with stale
           files. To store session-private data in this directory, the user
           should include the value of $XDG_SESSION_ID in the filename. This
           directory shall be used for runtime file system objects such as
           AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed
           that this directory is local and offers the greatest possible file
           system feature set the operating system provides. For further
           details, see the XDG Base Directory Specification[2].
           $XDG_RUNTIME_DIR is not set if the current user is not the original
           user of the session.
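
       How an application can consume the two variables above, shown as an
       added example that is not part of the original manual page or of
       systemd: it checks that $XDG_RUNTIME_DIR is user-private, builds a
       session-private filename from $XDG_SESSION_ID and replaces a stale
       leftover. The function names, the "name.id" filename layout and the
       demo values are assumptions; the 0700 mode check follows the XDG Base
       Directory Specification[2].

```python
import os
import stat


def session_private_path(name, env=None, uid=None):
    """Return <XDG_RUNTIME_DIR>/<name>.<XDG_SESSION_ID> after checking the dir."""
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid
    runtime_dir = env.get("XDG_RUNTIME_DIR")
    session_id = env.get("XDG_SESSION_ID")
    if not runtime_dir:
        # Unset when the current user is not the original user of the session.
        raise RuntimeError("XDG_RUNTIME_DIR is not set")
    if not session_id or "/" in session_id:
        raise RuntimeError("XDG_SESSION_ID is missing or not filename-safe")
    st = os.lstat(runtime_dir)  # lstat: a symlink is rejected, not followed
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("XDG_RUNTIME_DIR is not a directory")
    if st.st_uid != uid:
        raise RuntimeError("XDG_RUNTIME_DIR is owned by another user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        # 0700 is the mode required by the XDG Base Directory Specification.
        raise RuntimeError("XDG_RUNTIME_DIR is accessible to group or others")
    return os.path.join(runtime_dir, f"{name}.{session_id}")


def claim(path):
    """Create path fresh (mode 0600), replacing a stale leftover; return the fd."""
    try:
        os.unlink(path)  # stale file, which applications must tolerate
    except FileNotFoundError:
        pass
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


if __name__ == "__main__":
    import tempfile
    demo_dir = tempfile.mkdtemp()  # constructed stand-in for /run/user/$UID
    demo_env = {"XDG_RUNTIME_DIR": demo_dir, "XDG_SESSION_ID": "42"}
    pid_path = session_private_path("agent.pid", demo_env)
    os.close(claim(pid_path))
    print(pid_path)
```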

       The following environment variables are read by the module and may be
       used by the PAM service to pass metadata to the module. If these
       variables are not set when the PAM module is invoked but can be
       determined otherwise, they are set by the module, so that these
       variables are initialized for the session and applications if known at
       all.

       $XDG_SESSION_TYPE
           The session type. This may be used instead of type= on the module
           parameter line, and is usually preferred.

       $XDG_SESSION_CLASS
           The session class. This may be used instead of class= on the module
           parameter line, and is usually preferred.

       $XDG_SESSION_DESKTOP
           The desktop identifier. This may be used instead of desktop= on the
           module parameter line, and is usually preferred.

       $XDG_SEAT
           The seat name the session shall be registered for, if any.

       $XDG_VTNR
           The VT number the session shall be registered for, if any. (Only
           applies to seats with a VT available, such as "seat0".)

       If not set, pam_systemd will initialize $XDG_SEAT and $XDG_VTNR based
       on the $DISPLAY variable (if the latter is set).

SESSION LIMITS

       PAM modules earlier in the stack, that is those that come before
       pam_systemd.so, can set session scope limits using the PAM context
       objects. The data for these objects is provided as NUL-terminated C
       strings and maps directly to the respective unit resource control
       directives. Note that these limits apply to individual sessions of the
       user; they do not apply to all user processes as a combined whole. In
       particular, the per-user user@.service unit instance, which runs the
       systemd --user manager process and its children, and is tracked outside
       of any session, being shared by all the user's sessions, is not covered
       by these limits.

       See systemd.resource-control(5) for more information about the
       resources. Also, see pam_set_data(3) for additional information about
       how to set the context objects.

       systemd.memory_max
           Sets unit MemoryMax=.

       systemd.tasks_max
           Sets unit TasksMax=.

       systemd.cpu_weight
           Sets unit CPUWeight=.

       systemd.io_weight
           Sets unit IOWeight=.

       Example data as can be provided from another PAM module:

           pam_set_data(handle, "systemd.memory_max", (void *)"200M", cleanup);
           pam_set_data(handle, "systemd.tasks_max",  (void *)"50",   cleanup);
           pam_set_data(handle, "systemd.cpu_weight", (void *)"100",  cleanup);
           pam_set_data(handle, "systemd.io_weight",  (void *)"340",  cleanup);

EXAMPLE

           #%PAM-1.0
           auth       required     pam_unix.so
           auth       required     pam_nologin.so
           account    required     pam_unix.so
           password   required     pam_unix.so
           session    required     pam_unix.so
           session    required     pam_loginuid.so
           session    required     pam_systemd.so
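
       A check for the ordering that DESCRIPTION recommends (pam_loginuid.so
       before pam_systemd.so in the session stack), shown as an added example
       that is not part of the original manual page or of systemd. The
       function names and the swapped stack are constructed for illustration,
       and the parser reads a single pam.d file without following include or
       substack directives.

```python
import re

# Constructed sample: the EXAMPLE stack from this page.
GOOD_STACK = """\
#%PAM-1.0
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
session    required     pam_loginuid.so
session    required     pam_systemd.so
"""
# Constructed variant with the last two session modules swapped.
BAD_STACK = (GOOD_STACK.replace("pam_loginuid.so", "TMP")
             .replace("pam_systemd.so", "pam_loginuid.so")
             .replace("TMP", "pam_systemd.so"))

# type, control (keyword or [value=action ...]), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def session_modules(text):
    """Return the session modules of one pam.d file, in stack order."""
    modules = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        rule = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if rule and rule.group(1) == "session":
            modules.append(rule.group(3).rsplit("/", 1)[-1])
    return modules


def check_order(text):
    """Return findings; an empty list means the recommended order holds."""
    modules = session_modules(text)
    if "pam_systemd.so" not in modules:
        return ["pam_systemd.so is not in the session stack"]
    if "pam_loginuid.so" not in modules:
        return ["pam_loginuid.so is missing from the session stack"]
    if modules.index("pam_loginuid.so") > modules.index("pam_systemd.so"):
        return ["pam_loginuid.so runs after pam_systemd.so"]
    return []


if __name__ == "__main__":
    for name, stack in (("good", GOOD_STACK), ("bad", BAD_STACK)):
        print(name, check_order(stack) or "ok")
```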

SEE ALSO

       systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1),
       pam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd.scope(5),
       systemd.slice(5), systemd.service(5)

NOTES

        1. Desktop Entry Specification
           http://standards.freedesktop.org/desktop-entry-spec/latest/

        2. XDG Base Directory Specification
           http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html

systemd 243                                                     PAM_SYSTEMD(8)