{
    "content": [
        {
            "type": "text",
            "text": "# PAM_SYSTEMD (info)\n\n## NAME\n\npam_systemd - Register user sessions in the systemd login manager\n\n## SYNOPSIS\n\npam_systemd.so\n\n## DESCRIPTION\n\npam_systemd registers user sessions with the systemd login manager\nsystemd-logind.service(8), and hence the systemd control group\nhierarchy.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS**\n- **MODULE TYPES PROVIDED**\n- **ENVIRONMENT**\n- **SESSION LIMITS**\n- **EXAMPLE**\n- **SEE ALSO**\n- **NOTES**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "PAM_SYSTEMD",
        "section": "",
        "mode": "info",
        "summary": "pam_systemd - Register user sessions in the systemd login manager",
        "synopsis": "pam_systemd.so",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "Here's an example PAM configuration fragment that allows user sessions",
            "to be managed by systemd-logind.service:",
            "#%PAM-1.0",
            "auth      sufficient pam_unix.so",
            "-auth     sufficient pam_systemd_home.so",
            "auth      required   pam_deny.so",
            "account   required   pam_nologin.so",
            "-account  sufficient pam_systemd_home.so",
            "account   sufficient pam_unix.so",
            "account   required   pam_permit.so",
            "-password sufficient pam_systemd_home.so",
            "password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok",
            "password  required   pam_deny.so",
            "-session  optional   pam_keyinit.so revoke",
            "-session  optional   pam_loginuid.so",
            "-session  optional   pam_systemd_home.so",
            "-session  optional   pam_systemd.so",
            "session   required   pam_unix.so"
        ],
        "see_also": [
            {
                "name": "systemd",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/systemd/1/json"
            },
            {
                "name": "systemd-logind.service",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/systemd-logind.service/8/json"
            },
            {
                "name": "logind.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/logind.conf/5/json"
            },
            {
                "name": "loginctl",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/loginctl/1/json"
            },
            {
                "name": "pam_systemd_home",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pamsystemdhome/8/json"
            },
            {
                "name": "pam.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json"
            },
            {
                "name": "pam.d",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json"
            },
            {
                "name": "pam",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pam/8/json"
            },
            {
                "name": "pam_loginuid",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pamloginuid/8/json"
            },
            {
                "name": "systemd.scope",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.scope/5/json"
            },
            {
                "name": "systemd.slice",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.slice/5/json"
            },
            {
                "name": "systemd.service",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.service/5/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 46,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 32,
                "subsections": []
            },
            {
                "name": "MODULE TYPES PROVIDED",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "ENVIRONMENT",
                "lines": 64,
                "subsections": []
            },
            {
                "name": "SESSION LIMITS",
                "lines": 38,
                "subsections": []
            },
            {
                "name": "EXAMPLE",
                "lines": 24,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "NOTES",
                "lines": 10,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "pam_systemd - Register user sessions in the systemd login manager\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "pam_systemd.so\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "pam_systemd registers user sessions with the systemd login manager\nsystemd-logind.service(8), and hence the systemd control group\nhierarchy.\n\nThe module also applies various resource management and runtime\nparameters to the new session, as configured in the JSON User\nRecords[1] of the user, when one is defined.\n\nOn login, this module -- in conjunction with systemd-logind.service --\nensures the following:\n\n1. If it does not exist yet, the user runtime directory /run/user/$UID\nis either created or mounted as new \"tmpfs\" file system with quota\napplied, and its ownership changed to the user that is logging in.\n\n2. The $XDG_SESSION_ID environment variable is initialized. If\nauditing is available and pam_loginuid.so was run before this\nmodule (which is highly recommended), the variable is initialized\nfrom the auditing session id (/proc/self/sessionid). Otherwise, an\nindependent session counter is used.\n\n3. A new systemd scope unit is created for the session. If this is the\nfirst concurrent session of the user, an implicit per-user slice\nunit below user.slice is automatically created and the scope placed\ninto it. An instance of the system service user@.service, which\nruns the systemd user manager instance, is started.\n\n4. The \"$TZ\", \"$EMAIL\" and \"$LANG\" environment variables are\nconfigured for the user, based on the respective data from the\nuser's JSON record (if it is defined). Moreover, any environment\nvariables explicitly configured in the user record are imported,\nand the umask, nice level, and resource limits initialized.\n\nOn logout, this module ensures the following:\n\n1. If enabled in logind.conf(5) (KillUserProcesses=), all processes of\nthe session are terminated. If the last concurrent session of a\nuser ends, the user's systemd instance will be terminated too, and\nso will the user's slice unit.\n\n2. If the last concurrent session of a user ends, the user runtime\ndirectory /run/user/$UID and all its contents are removed, too.\n\nIf the system was not booted up with systemd as init system, this\nmodule does nothing and immediately returns PAM_SUCCESS.\n",
                "subsections": []
            },
            "OPTIONS": {
                "content": "The following options are understood:\n\nclass=\nTakes a string argument which sets the session class. The\nXDG_SESSION_CLASS environment variable (see below) takes\nprecedence. One of \"user\", \"greeter\", \"lock-screen\" or\n\"background\". See sd_session_get_class(3) for details about the\nsession class.\n\ntype=\nTakes a string argument which sets the session type. The\nXDG_SESSION_TYPE environment variable (see below) takes precedence.\nOne of \"unspecified\", \"tty\", \"x11\", \"wayland\" or \"mir\". See\nsd_session_get_type(3) for details about the session type.\n\ndesktop=\nTakes a single, short identifier string for the desktop\nenvironment. The XDG_SESSION_DESKTOP environment variable (see\nbelow) takes precedence. This may be used to indicate the session\ndesktop used, where this applies and if this information is\navailable. For example: \"GNOME\", or \"KDE\". It is recommended to use\nthe same identifiers and capitalization as for\n$XDG_CURRENT_DESKTOP, as defined by the Desktop Entry\nSpecification[2]. (However, note that the option only takes a\nsingle item, and not a colon-separated list like\n$XDG_CURRENT_DESKTOP.) See sd_session_get_desktop(3) for further\ndetails.\n\ndebug[=]\nTakes an optional boolean argument. If yes or without the argument,\nthe module will log debugging information as it operates.\n",
                "subsections": []
            },
            "MODULE TYPES PROVIDED": {
                "content": "Only session is provided.\n",
                "subsections": []
            },
            "ENVIRONMENT": {
                "content": "The following environment variables are initialized by the module and\navailable to the processes of the user's session:\n\n$XDG_SESSION_ID\nA short session identifier, suitable to be used in filenames. The\nstring itself should be considered opaque, although often it is\njust the audit session ID as reported by /proc/self/sessionid. Each\nID will be assigned only once during machine uptime. It may hence\nbe used to uniquely label files or other resources of this session.\nCombine this ID with the boot identifier, as returned by\nsd_id128_get_boot(3), for a globally unique identifier.\n\n$XDG_RUNTIME_DIR\nPath to a user-private user-writable directory that is bound to the\nuser login time on the machine. It is automatically created the\nfirst time a user logs in and removed on the user's final logout.\nIf a user logs in twice at the same time, both sessions will see\nthe same $XDG_RUNTIME_DIR and the same contents. If a user logs in\nonce, then logs out again, and logs in again, the directory\ncontents will have been lost in between, but applications should\nnot rely on this behavior and must be able to deal with stale\nfiles. To store session-private data in this directory, the user\nshould include the value of $XDG_SESSION_ID in the filename. This\ndirectory shall be used for runtime file system objects such as\nAF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed\nthat this directory is local and offers the greatest possible file\nsystem feature set the operating system provides. For further\ndetails, see the XDG Base Directory Specification[3].\n$XDG_RUNTIME_DIR is not set if the current user is not the original\nuser of the session.\n\n$TZ, $EMAIL, $LANG\nIf a JSON user record is known for the user logging in, these\nvariables are initialized from the respective data in the record.\n\nThe following environment variables are read by the module and may be\nused by the PAM service to pass metadata to the module. If these\nvariables are not set when the PAM module is invoked but can be\ndetermined otherwise, they are set by the module, so that these\nvariables are initialized for the session and applications if known at\nall.\n\n$XDG_SESSION_TYPE\nThe session type. This may be used instead of type= on the module\nparameter line, and is usually preferred.\n\n$XDG_SESSION_CLASS\nThe session class. This may be used instead of class= on the module\nparameter line, and is usually preferred.\n\n$XDG_SESSION_DESKTOP\nThe desktop identifier. This may be used instead of desktop= on the\nmodule parameter line, and is usually preferred.\n\n$XDG_SEAT\nThe seat name the session shall be registered for, if any.\n\n$XDG_VTNR\nThe VT number the session shall be registered for, if any. (Only\napplies to seats with a VT available, such as \"seat0\")\n\nIf not set, pam_systemd will initialize $XDG_SEAT and $XDG_VTNR based\non the $DISPLAY variable (if the latter is set).\n",
                "subsections": []
            },
            "SESSION LIMITS": {
                "content": "PAM modules earlier in the stack, that is those that come before\npam_systemd.so, can set session scope limits using the PAM context\nobjects. The data for these objects is provided as NUL-terminated C\nstrings and maps directly to the respective unit resource control\ndirectives. Note that these limits apply to individual sessions of the\nuser, they do not apply to all user processes as a combined whole. In\nparticular, the per-user user@.service unit instance, which runs the\nsystemd --user manager process and its children, and is tracked outside\nof any session, being shared by all the user's sessions, is not covered\nby these limits.\n\nSee systemd.resource-control(5) for more information about the\nresources. Also, see pam_set_data(3) for additional information about\nhow to set the context objects.\n\nsystemd.memory_max=\nSets unit MemoryMax=.\n\nsystemd.tasks_max=\nSets unit TasksMax=.\n\nsystemd.cpu_weight=\nSets unit CPUWeight=.\n\nsystemd.io_weight=\nSets unit IOWeight=.\n\nsystemd.runtime_max_sec=\nSets unit RuntimeMaxSec=.\n\nExample data as can be provided from another PAM module:\n\npam_set_data(handle, \"systemd.memory_max\", (void *)\"200M\", cleanup);\npam_set_data(handle, \"systemd.tasks_max\",  (void *)\"50\",   cleanup);\npam_set_data(handle, \"systemd.cpu_weight\", (void *)\"100\",  cleanup);\npam_set_data(handle, \"systemd.io_weight\",  (void *)\"340\",  cleanup);\npam_set_data(handle, \"systemd.runtime_max_sec\", (void *)\"3600\", cleanup);\n",
                "subsections": []
            },
            "EXAMPLE": {
                "content": "Here's an example PAM configuration fragment that allows user sessions\nto be managed by systemd-logind.service:\n\n#%PAM-1.0\nauth      sufficient pam_unix.so\n-auth     sufficient pam_systemd_home.so\nauth      required   pam_deny.so\n\naccount   required   pam_nologin.so\n-account  sufficient pam_systemd_home.so\naccount   sufficient pam_unix.so\naccount   required   pam_permit.so\n\n-password sufficient pam_systemd_home.so\npassword  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\npassword  required   pam_deny.so\n\n-session  optional   pam_keyinit.so revoke\n-session  optional   pam_loginuid.so\n-session  optional   pam_systemd_home.so\n-session  optional   pam_systemd.so\nsession   required   pam_unix.so\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1),\npam_systemd_home(8), pam.conf(5), pam.d(5), pam(8), pam_loginuid(8),\nsystemd.scope(5), systemd.slice(5), systemd.service(5)\n",
                "subsections": []
            },
            "NOTES": {
                "content": "1. JSON User Records\nhttps://systemd.io/USER_RECORD\n\n2. Desktop Entry Specification\nhttp://standards.freedesktop.org/desktop-entry-spec/latest/\n\n3. XDG Base Directory Specification\nhttp://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html\n\nsystemd 249                                                     PAM_SYSTEMD(8)",
                "subsections": []
            }
        }
    }
}