[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt
Lennart Poettering
lennart at poettering.net
Fri Apr 10 08:06:58 PDT 2015
On Fri, 10.04.15 16:56, Jakub Hrozek (jakub.hrozek at posteo.se) wrote:

> I'm wondering why does systemd-user call the account stack at all? I can
> understand the session phase, but wouldn't the account phase be already
> checked by whoever was logging in the user (ssh, gdm, ...).

If "lingering" is turned on we will start the systemd --user instance
also at boot, without the user being logged in. This is accessible via
"loginctl set-linger".

> And more generally, could we optimize the account phase somewhat on
> the SSSD side so the full access control would not be run? Is there
> some heuristic we can do?

Well, we need to run through the PAM hooks for all normal user code we
run, there's really no way around that I fear.

I mean, sssd can optimize internally, but that doesn't relieve systemd
from calling into PAM...

Lennart
--
Lennart Poettering, Red Hat