[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt

Lennart Poettering lennart at poettering.net
Fri Apr 10 08:06:58 PDT 2015

On Fri, 10.04.15 16:56, Jakub Hrozek (jakub.hrozek at posteo.se) wrote:

> I'm wondering why does systemd-user call the account stack at all? I can
> understand the session phase, but wouldn't the account phase be already
> checked by whoever was logging in the user (ssh, gdm, ...). 

If "lingering" is turned on we will start the systemd --user instance
also at boot, without the user being logged in. This is accessible via
"loginctl set-linger".

> And more generally, could we optimize the account phase somewhat on
> the SSSD side so the full access control would not be run? Is there
> some heuristic we can do?

Well, we need to run throught he PAM hooks for all normal user code we
run, there's really no way around that I fear. 

I mean, sssd can optimize internally, but that doesn't relieve systemd
from calling into PAM...


Lennart Poettering, Red Hat

More information about the systemd-devel mailing list