[systemd-commits] configure.ac Makefile.am src/login units/user at .service.in

Zbigniew Jędrzejewski-Szmek zbyszek at kemper.freedesktop.org
Wed Sep 11 12:39:03 PDT 2013 

 Makefile.am            |    5 +++++
 configure.ac           |    7 +++++++
 src/login/pam-module.c |    4 ++--
 src/login/systemd-user |    8 ++++++++
 units/user at .service.in |    2 +-
 5 files changed, 23 insertions(+), 3 deletions(-)

New commits:
commit 5c390a4ae0d383b2003074ed011d47876c7e630c
Author: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
Date:   Wed Sep 11 14:31:14 2013 -0400

    Add pam configuration to allow user sessions to work out of the box
    
    systemd-logind will start user at .service. user at .service unit uses
    PAM with service name 'systemd-user' to perform account and session
    managment tasks. Previously, the name was 'systemd-shared', it is
    now changed to 'systemd-user'.
    
    Most PAM installations use one common setup for different callers.
    Based on a quick poll, distributions fall into two camps: those that
    have system-auth (Redhat, Fedora, CentOS, Arch, Gentoo, Mageia,
    Mandriva), and those that have common-auth (Debian, Ubuntu, OpenSUSE).
    Distributions that have system-auth have just one configuration file
    that contains auth, password, account, and session blocks, and
    distributions that have common-auth also have common-session,
    common-password, and common-account. It is thus impossible to use one
    configuration file which would work for everybody. systemd-user now
    refers to system-auth, because it seems that the approach with one
    file is more popular and also easier, so let's follow that.

diff --git a/Makefile.am b/Makefile.am
index c8283d5..3cb6c49 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -64,6 +64,7 @@ dbussessionservicedir=@dbussessionservicedir@
 dbussystemservicedir=@dbussystemservicedir@
 dbusinterfacedir=@dbusinterfacedir@
 pamlibdir=@pamlibdir@
+pamconfdir=@pamconfdir@
 pkgconfigdatadir=$(datadir)/pkgconfig
 pkgconfiglibdir=$(libdir)/pkgconfig
 polkitpolicydir=$(datadir)/polkit-1/actions
@@ -3905,6 +3906,9 @@ pam_systemd_la_LIBADD = \
 
 pamlib_LTLIBRARIES = \
 	pam_systemd.la
+
+dist_pamconf_DATA = \
+	src/login/systemd-user
 endif
 
 # move lib from $(libdir) to $(rootlibdir) and update devel link, if needed
@@ -4460,6 +4464,7 @@ DISTCHECK_CONFIGURE_FLAGS = \
 	--with-bashcompletiondir=$$dc_install_base/$(bashcompletiondir) \
 	--with-zshcompletiondir=$$dc_install_base/$(zshcompletiondir) \
 	--with-pamlibdir=$$dc_install_base/$(pamlibdir) \
+	--with-pamconfdir=$$dc_install_base/$(pamconfdir) \
 	--with-rootprefix=$$dc_install_base \
 	--disable-split-usr
 
diff --git a/configure.ac b/configure.ac
index 2541344..c6978c7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -943,6 +943,11 @@ AC_ARG_WITH([pamlibdir],
         [],
         [with_pamlibdir=${with_rootlibdir}/security])
 
+AC_ARG_WITH([pamconfdir],
+        AS_HELP_STRING([--with-pamconfdir=DIR], [Directory for PAM configuration]),
+        [],
+        [with_pamconfdir=${sysconfdir}/pam.d])
+
 AC_ARG_ENABLE([split-usr],
         AS_HELP_STRING([--enable-split-usr], [Assume that /bin, /sbin aren\'t symlinks into /usr]),
         [],
@@ -975,6 +980,7 @@ AC_SUBST([dbusinterfacedir], [$with_dbusinterfacedir])
 AC_SUBST([bashcompletiondir], [$with_bashcompletiondir])
 AC_SUBST([zshcompletiondir], [$with_zshcompletiondir])
 AC_SUBST([pamlibdir], [$with_pamlibdir])
+AC_SUBST([pamconfdir], [$with_pamconfdir])
 AC_SUBST([rootprefix], [$with_rootprefix])
 AC_SUBST([rootlibdir], [$with_rootlibdir])
 
@@ -1047,6 +1053,7 @@ AC_MSG_RESULT([
         Installation Python:     ${PYTHON_BINARY}
         firmware path:           ${FIRMWARE_PATH}
         PAM modules dir:         ${with_pamlibdir}
+        PAM configuration dir:   ${with_pamconfdir}
         D-Bus policy dir:        ${with_dbuspolicydir}
         D-Bus session dir:       ${with_dbussessionservicedir}
         D-Bus system dir:        ${with_dbussystemservicedir}
diff --git a/src/login/pam-module.c b/src/login/pam-module.c
index 8c5b3a1..49296b5 100644
--- a/src/login/pam-module.c
+++ b/src/login/pam-module.c
@@ -220,11 +220,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         /* Make sure we don't enter a loop by talking to
          * systemd-logind when it is actually waiting for the
          * background to finish start-up. If the service is
-         * "systemd-shared" we simply set XDG_RUNTIME_DIR and
+         * "systemd-user" we simply set XDG_RUNTIME_DIR and
          * leave. */
 
         pam_get_item(handle, PAM_SERVICE, (const void**) &service);
-        if (streq_ptr(service, "systemd-shared")) {
+        if (streq_ptr(service, "systemd-user")) {
                 char *p, *rt = NULL;
 
                 if (asprintf(&p, "/run/systemd/users/%lu", (unsigned long) pw->pw_uid) < 0) {
diff --git a/src/login/systemd-user b/src/login/systemd-user
new file mode 100644
index 0000000..7b57dbf
--- /dev/null
+++ b/src/login/systemd-user
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+# Used by systemd when launching systemd user instances.
+
+account include system-auth
+session include system-auth
+auth required pam_deny.so
+password required pam_deny.so
diff --git a/units/user at .service.in b/units/user at .service.in
index 8f9a3b3..3f8b59d 100644
--- a/units/user at .service.in
+++ b/units/user at .service.in
@@ -11,7 +11,7 @@ After=systemd-user-sessions.service
 
 [Service]
 User=%I
-PAMName=systemd-shared
+PAMName=systemd-user
 Type=notify
 ExecStart=- at rootlibexecdir@/systemd --user
 Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%I/dbus/user_bus_socket

More information about the systemd-commits mailing list