pam_systemdsystemdDeveloperLennartPoetteringlennart@poettering.netpam_systemd8pam_systemdRegister user sessions in the systemd login managerpam_systemd.soDescriptionpam_systemd registers user
sessions with the systemd login manager
systemd-logind.service8,
and hence the systemd control group hierarchy.On login, this module ensures the following:If it does not exist yet, the
user runtime directory
/run/user/$USER is
created and its ownership changed to the user
that is logging in.The
$XDG_SESSION_ID environment
variable is initialized. If auditing is
available and
pam_loginuid.so was run before
this module (which is highly recommended), the
variable is initialized from the auditing
session id
(/proc/self/sessionid). Otherwise,
an independent session counter is
used.A new systemd scope unit is
created for the session. If this is the first
concurrent session of the user, an implicit
slice below user.slice is
automatically created and the scope placed into
it. An instance of the system service
user@.service, which runs
the systemd user manager instance, is started.
On logout, this module ensures the following:If enabled in
logind.conf5, all
processes of the session are terminated. If
the last concurrent session of a user ends,
the user's systemd instance will be
terminated too, and so will the user's slice
unit.If the last concurrent session
of a user ends, the
$XDG_RUNTIME_DIR directory
and all its contents are removed,
too.If the system was not booted up with systemd as
init system, this module does nothing and immediately
returns PAM_SUCCESS.OptionsThe following options are understood:Takes a string
argument which sets the session class.
The XDG_SESSION_CLASS environmental variable
takes precedence. One of
user,
greeter,
lock-screen or
background. See
sd_session_get_class3
for details about the session class.Takes a string
argument which sets the session type.
The XDG_SESSION_TYPE environmental
variable takes precedence. One of
unspecified,
tty,
x11,
wayland or
mir. See
sd_session_get_type3
for details about the session type.Takes an optional
boolean argument. If yes or without
the argument, the module will log
debugging information as it
operates.Module Types ProvidedOnly is provided.EnvironmentThe following environment variables are set for the processes of the user's session:$XDG_SESSION_IDA session identifier,
suitable to be used in filenames. The
string itself should be considered
opaque, although often it is just the
audit session ID as reported by
/proc/self/sessionid. Each
ID will be assigned only once during
machine uptime. It may hence be used
to uniquely label files or other
resources of this
session.$XDG_RUNTIME_DIRPath to a user-private
user-writable directory that is bound
to the user login time on the
machine. It is automatically created
the first time a user logs in and
removed on the user's final logout. If
a user logs in twice at the same time,
both sessions will see the same
$XDG_RUNTIME_DIR
and the same contents. If a user logs
in once, then logs out again, and logs
in again, the directory contents will
have been lost in between, but
applications should not rely on this
behavior and must be able to deal with
stale files. To store session-private
data in this directory, the user
should include the value of
$XDG_SESSION_ID in
the filename. This directory shall be
used for runtime file system objects
such as AF_UNIX
sockets, FIFOs, PID files and
similar. It is guaranteed that this
directory is local and offers the
greatest possible file system feature
set the operating system provides. For
further details see the XDG
Base Directory
Specification.The following environment variables are read by
the module and may be used by the PAM service to pass
metadata to the module:$XDG_SESSION_TYPEThe session type. This
may be used instead of
on the
module parameter line, and is usually
preferred.$XDG_SESSION_CLASSThe session class. This
may be used instead of
on the
module parameter line, and is usually
preferred.$XDG_SESSION_DESKTOPA single, short
identifier string for the desktop
environment. This may be used to
indicate the session desktop used,
where this applies and if this
information is available. For example:
GNOME, or
KDE. It is
recommended to use the same
identifiers and capitalization as for
$XDG_CURRENT_DESKTOP,
as defined by the Desktop
Entry Specification. (However,
note that
$XDG_SESSION_DESKTOP
only takes a single item, and not a
colon-separated list like
$XDG_CURRENT_DESKTOP.)
See
sd_session_get_desktop3
for more details.$XDG_SEATThe seat name the session
shall be registered for, if
any.$XDG_VTNRThe VT number the
session shall be registered for, if
any. (Only applies to seats with a VT
available, such as
seat0)Example#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so
session required pam_loginuid.so
session required pam_systemd.soSee Alsosystemd1,
systemd-logind.service8,
logind.conf5,
loginctl1,
pam.conf5,
pam.d5,
pam8,
pam_loginuid8,
systemd.scope5,
systemd.slice5,
systemd.service5