[systemd-devel] PAM session hooks for independent session
Antoine Martin
antoine at nagafix.co.uk
Sat Oct 29 11:37:05 UTC 2016
Hi,
Just like "screen" or "tmux", we want to ensure that some xpra sessions
(aka "screen for X11", VNC-like but seamless) can survive when the user
logs out.
Background: xpra runs X11 applications using an Xvfb server; when
client(s) are connected we forward the pixels/keyboard/mouse/etc.
Based on the info from this old post "[systemd-devel] tmux / screen":
https://lists.freedesktop.org/archives/systemd-devel/2011-June/002624.html
my understanding is that we may need both of these things:
* wrap our server startup with "systemd-run --scope --user"
* get the server to open a new logind session via pam
The "systemd-run" wrapping was easy enough, though it does seem to
actually make things worse:
* long ssh login delays afterwards - probably because of this bug:
https://github.com/systemd/systemd/issues/2863
* sessions get killed in circumstances where they did not prior to this
change - probably because the whole cgroup containing the daemon gets
taken down.
The pam_systemd part is much more difficult to figure out, since I am not
aware of any other packages that do this at present - maybe there are?
* should we ship a /etc/pam.d/xpra file like this one:
session required pam_localuser.so
session sufficient pam_systemd.so class=user type=x11 debug=1
* we supply VTNR=0 (we don't have a VT..), XDG_SESSION_TYPE=x11,
XDG_SEAT=0 (not sure this is right) as well as the correct PAM_XDISPLAY
for the display we've started. But the pam_open_session call fails with:
pam_systemd(xpra:session): Failed to create session: Access denied
Probably because of this:
[system] Rejected send message, 2 matched rules; type="method_call",
sender=":1.339" (uid=1001 pid=15738 comm="/bin/python /usr/bin/xpra
start --systemd-run=yes "
label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
interface="org.freedesktop.login1.Manager" member="CreateSession" error
name="(unset)" requested_reply="0" destination="org.freedesktop.login1"
(uid=0 pid=1185 comm="/usr/lib/systemd/systemd-logind "
label="system_u:system_r:systemd_logind_t:s0")
Where / how can we change the policy to allow sufficiently privileged
users to create a new session? (which users will get this privilege and
how this is configured is not entirely clear at this point - can we
somehow keep this simple using unix group permissions?)
How is this going to ensure that the cgroup is correct? Isn't that set
when the process is started?
Any help or pointers would be much appreciated.
Cheers
Antoine
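As an added example (not from the post or from xpra itself), this is the PAM session-opening sequence the post describes, done from Python through ctypes against Linux-PAM: pam_start() for the service, the XDG_* environment that pam_systemd reads, PAM_XDISPLAY for the started display, then pam_open_session(). The service name "xpra", the seat/vtnr values and the Linux-PAM item number for PAM_XDISPLAY are assumptions; a real server would keep the handle open for the lifetime of the display instead of closing it straight away.

```python
import ctypes
import ctypes.util

PAM_SUCCESS = 0
PAM_XDISPLAY = 11          # Linux-PAM item id for the X display (assumed from _pam_types.h)
PAM_SERVICE_NAME = "xpra"  # assumed: selects /etc/pam.d/xpra


class PamConv(ctypes.Structure):
    """struct pam_conv; a NULL callback is fine here since no module prompts."""
    _fields_ = [("conv", ctypes.c_void_p), ("appdata_ptr", ctypes.c_void_p)]


def build_session_env(display, seat="seat0", vtnr=0, session_class="user"):
    """PAM environment that pam_systemd consults when the session is opened.
    Variable names are the ones pam_systemd reads; the values are assumptions."""
    return [
        "XDG_SESSION_TYPE=x11",
        "XDG_SESSION_CLASS=%s" % session_class,
        "XDG_SEAT=%s" % seat,
        "XDG_VTNR=%d" % vtnr,
        "DISPLAY=%s" % display,
    ]


def open_logind_session(user, display, env):
    """Open (and, for this demo, immediately close) a PAM session for `user`.
    Returns (status, message) where status is the pam_open_session() result,
    so the caller can see e.g. the 'Access denied' from logind's CreateSession."""
    path = ctypes.util.find_library("pam")
    if path is None:
        raise OSError("libpam not found")
    libpam = ctypes.CDLL(path)
    libpam.pam_strerror.restype = ctypes.c_char_p
    pamh = ctypes.c_void_p()
    conv = PamConv(None, None)
    rc = libpam.pam_start(PAM_SERVICE_NAME.encode(), user.encode(),
                          ctypes.byref(conv), ctypes.byref(pamh))
    if rc != PAM_SUCCESS:
        return rc, libpam.pam_strerror(pamh, rc).decode()
    try:
        for item in env:                      # XDG_* seen by pam_systemd via pam_getenv()
            libpam.pam_putenv(pamh, item.encode())
        libpam.pam_set_item(pamh, PAM_XDISPLAY, ctypes.c_char_p(display.encode()))
        rc = libpam.pam_open_session(pamh, 0)  # pam_systemd -> logind CreateSession
        msg = libpam.pam_strerror(pamh, rc).decode()
        if rc == PAM_SUCCESS:
            libpam.pam_close_session(pamh, 0)
        return rc, msg
    finally:
        libpam.pam_end(pamh, rc)
```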