{
    "content": [
        {
            "type": "text",
            "text": "# PAM_SYSTEMD (man)\n\n## NAME\n\npam_systemd - Register user sessions in the systemd login manager\n\n## SYNOPSIS\n\npam_systemd.so\n\n## DESCRIPTION\n\npam_systemd registers user sessions with the systemd login manager systemd-logind.service(8),\nand hence the systemd control group hierarchy.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS**\n- **MODULE TYPES PROVIDED**\n- **ENVIRONMENT**\n- **SESSION LIMITS**\n- **EXAMPLE**\n- **SEE ALSO**\n- **NOTES**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "PAM_SYSTEMD",
        "section": "",
        "mode": "man",
        "summary": "pam_systemd - Register user sessions in the systemd login manager",
        "synopsis": "pam_systemd.so",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [
            "Here's an example PAM configuration fragment that allows user sessions to be managed by",
            "systemd-logind.service:",
            "#%PAM-1.0",
            "auth      sufficient pam_unix.so",
            "-auth     sufficient pam_systemd_home.so",
            "auth      required   pam_deny.so",
            "account   required   pam_nologin.so",
            "-account  sufficient pam_systemd_home.so",
            "account   sufficient pam_unix.so",
            "account   required   pam_permit.so",
            "-password sufficient pam_systemd_home.so",
            "password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok",
            "password  required   pam_deny.so",
            "-session  optional   pam_keyinit.so revoke",
            "-session  optional   pam_loginuid.so",
            "-session  optional   pam_systemd_home.so",
            "-session  optional   pam_systemd.so",
            "session   required   pam_unix.so"
        ],
        "see_also": [
            {
                "name": "systemd",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/systemd/1/json"
            },
            {
                "name": "systemd-logind.service",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/systemd-logind.service/8/json"
            },
            {
                "name": "logind.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/logind.conf/5/json"
            },
            {
                "name": "loginctl",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/loginctl/1/json"
            },
            {
                "name": "pamsystemdhome",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pamsystemdhome/8/json"
            },
            {
                "name": "pam.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.conf/5/json"
            },
            {
                "name": "pam.d",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/pam.d/5/json"
            },
            {
                "name": "pam",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pam/8/json"
            },
            {
                "name": "pamloginuid",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/pamloginuid/8/json"
            },
            {
                "name": "systemd.scope",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.scope/5/json"
            },
            {
                "name": "systemd.slice",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.slice/5/json"
            },
            {
                "name": "systemd.service",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/systemd.service/5/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 39,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 26,
                "subsections": []
            },
            {
                "name": "MODULE TYPES PROVIDED",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "ENVIRONMENT",
                "lines": 56,
                "subsections": []
            },
            {
                "name": "SESSION LIMITS",
                "lines": 37,
                "subsections": []
            },
            {
                "name": "EXAMPLE",
                "lines": 24,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "NOTES",
                "lines": 12,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "pam_systemd - Register user sessions in the systemd login manager\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "pam_systemd.so\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "pam_systemd registers user sessions with the systemd login manager systemd-logind.service(8),\nand hence the systemd control group hierarchy.\n\nThe module also applies various resource management and runtime parameters to the new\nsession, as configured in the JSON User Records[1] of the user, when one is defined.\n\nOn login, this module — in conjunction with systemd-logind.service — ensures the following:\n\n1. If it does not exist yet, the user runtime directory /run/user/$UID is either created or\nmounted as new \"tmpfs\" file system with quota applied, and its ownership changed to the\nuser that is logging in.\n\n2. The $XDG_SESSION_ID environment variable is initialized. If auditing is available and\npam_loginuid.so was run before this module (which is highly recommended), the variable is\ninitialized from the auditing session id (/proc/self/sessionid). Otherwise, an\nindependent session counter is used.\n\n3. A new systemd scope unit is created for the session. If this is the first concurrent\nsession of the user, an implicit per-user slice unit below user.slice is automatically\ncreated and the scope placed into it. An instance of the system service user@.service,\nwhich runs the systemd user manager instance, is started.\n\n4. The \"$TZ\", \"$EMAIL\" and \"$LANG\" environment variables are configured for the user, based\non the respective data from the user's JSON record (if it is defined). Moreover, any\nenvironment variables explicitly configured in the user record are imported, and the\numask, nice level, and resource limits initialized.\n\nOn logout, this module ensures the following:\n\n1. If enabled in logind.conf(5) (KillUserProcesses=), all processes of the session are\nterminated. If the last concurrent session of a user ends, the user's systemd instance\nwill be terminated too, and so will the user's slice unit.\n\n2. If the last concurrent session of a user ends, the user runtime directory /run/user/$UID\nand all its contents are removed, too.\n\nIf the system was not booted up with systemd as init system, this module does nothing and\nimmediately returns PAM_SUCCESS.\n",
                "subsections": []
            },
            "OPTIONS": {
                "content": "The following options are understood:\n\nclass=\nTakes a string argument which sets the session class. The XDG_SESSION_CLASS environment\nvariable (see below) takes precedence. One of \"user\", \"greeter\", \"lock-screen\" or\n\"background\". See sd_session_get_class(3) for details about the session class.\n\ntype=\nTakes a string argument which sets the session type. The XDG_SESSION_TYPE environment\nvariable (see below) takes precedence. One of \"unspecified\", \"tty\", \"x11\", \"wayland\" or\n\"mir\". See sd_session_get_type(3) for details about the session type.\n\ndesktop=\nTakes a single, short identifier string for the desktop environment. The\nXDG_SESSION_DESKTOP environment variable (see below) takes precedence. This may be used\nto indicate the session desktop used, where this applies and if this information is\navailable. For example: \"GNOME\", or \"KDE\". It is recommended to use the same identifiers\nand capitalization as for $XDG_CURRENT_DESKTOP, as defined by the Desktop Entry\nSpecification[2]. (However, note that the option only takes a single item, and not a\ncolon-separated list like $XDG_CURRENT_DESKTOP.) See sd_session_get_desktop(3) for\nfurther details.\n\ndebug[=]\nTakes an optional boolean argument. If yes or without the argument, the module will log\ndebugging information as it operates.\n",
                "subsections": []
            },
            "MODULE TYPES PROVIDED": {
                "content": "Only session is provided.\n",
                "subsections": []
            },
            "ENVIRONMENT": {
                "content": "The following environment variables are initialized by the module and available to the\nprocesses of the user's session:\n\n$XDG_SESSION_ID\nA short session identifier, suitable to be used in filenames. The string itself should be\nconsidered opaque, although often it is just the audit session ID as reported by\n/proc/self/sessionid. Each ID will be assigned only once during machine uptime. It may\nhence be used to uniquely label files or other resources of this session. Combine this ID\nwith the boot identifier, as returned by sd_id128_get_boot(3), for a globally unique\nidentifier.\n\n$XDG_RUNTIME_DIR\nPath to a user-private user-writable directory that is bound to the user login time on\nthe machine. It is automatically created the first time a user logs in and removed on the\nuser's final logout. If a user logs in twice at the same time, both sessions will see the\nsame $XDG_RUNTIME_DIR and the same contents. If a user logs in once, then logs out again,\nand logs in again, the directory contents will have been lost in between, but\napplications should not rely on this behavior and must be able to deal with stale files.\nTo store session-private data in this directory, the user should include the value of\n$XDG_SESSION_ID in the filename. This directory shall be used for runtime file system\nobjects such as AF_UNIX sockets, FIFOs, PID files and similar. It is guaranteed that this\ndirectory is local and offers the greatest possible file system feature set the operating\nsystem provides. For further details, see the XDG Base Directory Specification[3].\n$XDG_RUNTIME_DIR is not set if the current user is not the original user of the session.\n\n$TZ, $EMAIL, $LANG\nIf a JSON user record is known for the user logging in these variables are initialized\nfrom the respective data in the record.\n\nThe following environment variables are read by the module and may be used by the PAM service\nto pass metadata to the module. If these variables are not set when the PAM module is invoked\nbut can be determined otherwise they are set by the module, so that these variables are\ninitialized for the session and applications if known at all.\n\n$XDG_SESSION_TYPE\nThe session type. This may be used instead of type= on the module parameter line, and is\nusually preferred.\n\n$XDG_SESSION_CLASS\nThe session class. This may be used instead of class= on the module parameter line, and\nis usually preferred.\n\n$XDG_SESSION_DESKTOP\nThe desktop identifier. This may be used instead of desktop= on the module parameter\nline, and is usually preferred.\n\n$XDG_SEAT\nThe seat name the session shall be registered for, if any.\n\n$XDG_VTNR\nThe VT number the session shall be registered for, if any. (Only applies to seats with a\nVT available, such as \"seat0\")\n\nIf not set, pam_systemd will initialize $XDG_SEAT and $XDG_VTNR based on the $DISPLAY\nvariable (if the latter is set).\n",
                "subsections": []
            },
            "SESSION LIMITS": {
                "content": "PAM modules earlier in the stack, that is those that come before pam_systemd.so, can set\nsession scope limits using the PAM context objects. The data for these objects is provided as\nNUL-terminated C strings and maps directly to the respective unit resource control\ndirectives. Note that these limits apply to individual sessions of the user, they do not\napply to all user processes as a combined whole. In particular, the per-user user@.service\nunit instance, which runs the systemd --user manager process and its children, and is tracked\noutside of any session, being shared by all the user's sessions, is not covered by these\nlimits.\n\nSee systemd.resource-control(5) for more information about the resources. Also, see\npam_set_data(3) for additional information about how to set the context objects.\n\nsystemd.memory_max=\nSets unit MemoryMax=.\n\nsystemd.tasks_max=\nSets unit TasksMax=.\n\nsystemd.cpu_weight=\nSets unit CPUWeight=.\n\nsystemd.io_weight=\nSets unit IOWeight=.\n\nsystemd.runtime_max_sec=\nSets unit RuntimeMaxSec=.\n\nExample data as can be provided from another PAM module:\n\npam_set_data(handle, \"systemd.memory_max\", (void *)\"200M\", cleanup);\npam_set_data(handle, \"systemd.tasks_max\",  (void *)\"50\",   cleanup);\npam_set_data(handle, \"systemd.cpu_weight\", (void *)\"100\",  cleanup);\npam_set_data(handle, \"systemd.io_weight\",  (void *)\"340\",  cleanup);\npam_set_data(handle, \"systemd.runtime_max_sec\", (void *)\"3600\", cleanup);\n\n\n",
                "subsections": []
            },
            "EXAMPLE": {
                "content": "Here's an example PAM configuration fragment that allows user sessions to be managed by\nsystemd-logind.service:\n\n#%PAM-1.0\nauth      sufficient pam_unix.so\n-auth     sufficient pam_systemd_home.so\nauth      required   pam_deny.so\n\naccount   required   pam_nologin.so\n-account  sufficient pam_systemd_home.so\naccount   sufficient pam_unix.so\naccount   required   pam_permit.so\n\n-password sufficient pam_systemd_home.so\npassword  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n\npassword  required   pam_deny.so\n\n-session  optional   pam_keyinit.so revoke\n-session  optional   pam_loginuid.so\n-session  optional   pam_systemd_home.so\n-session  optional   pam_systemd.so\nsession   required   pam_unix.so\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "systemd(1), systemd-logind.service(8), logind.conf(5), loginctl(1), pam_systemd_home(8),\npam.conf(5), pam.d(5), pam(8), pam_loginuid(8), systemd.scope(5), systemd.slice(5),\nsystemd.service(5)\n",
                "subsections": []
            },
            "NOTES": {
                "content": "1. JSON User Records\nhttps://systemd.io/USER_RECORD\n\n2. Desktop Entry Specification\nhttp://standards.freedesktop.org/desktop-entry-spec/latest/\n\n3. XDG Base Directory Specification\nhttp://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html\n\n\n\nsystemd 249                                                                           PAM_SYSTEMD(8)",
                "subsections": []
            }
        }
    }
}