[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt

Lennart Poettering lennart at poettering.net
Sun May 3 18:27:31 PDT 2015

On Sat, 02.05.15 07:01, Stephen Gallagher (sgallagh at redhat.com) wrote:

> > Well, I guess for now. But note that eventually we hope to move most
> > programs invoked from .desktop into this as systemd services. This
> > then means that the actual sessions will become pretty empty, with
> > only stubs remaining that trigger services off this user instance of
> > systemd.
> > 
> If you do that, you will still need some way to invoke PAM with
> different service identities otherwise you'll be implementing a
> pretty severe vulnerability into the system. If all services are
> authorized by the same PAM service, it amounts to removing the
> ability for administrators to differentiate which actions a
> particular user is allowed to perform.

Well, if you are enough logged in to run arbitrary scripts (like gdm,
ssh or cron allow you to), then you are in, for whatever you want to
do, there's no way around that, and having different PAM services
could only hide that fact, but not avoid it...

The admin still has a lot of control on how you can log in though. For
example, gdm will still use PAM to check if you are allowed to log in
graphically, on a seat. If that's denied, then the login will be
refused. Only if you managed to log in can you also use the systemd
user instance.

Also note that "lingering" is something that needs to be turned on
with privileges. If you don't have the privs to turn this on, you
cannot make use of this feature and the user instance of systemd is
strictly reference counted by your PAM sessions, which means as soon as
you have logged out from all your terminals/graphical seats you also
lose the user instance.


Lennart Poettering, Red Hat
