[systemd-devel] [PATCH weston] doc/systemd: system service example

Mantas Mikulėnas grawity at gmail.com
Thu Nov 30 12:12:09 UTC 2017


On Thu, Nov 30, 2017, 12:10 Pekka Paalanen <ppaalanen at gmail.com> wrote:

> > > +# Set up a full user session for the user, required by Weston.
> > > +PAMName=login
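Review bot: `PAMName=login` points the service at the PAM stack written for the text-mode `login` tool, whose session rules usually pull in TTY-oriented modules (pam_motd and friends) that a compositor started as a system service has no use for; give the unit its own PAM service name (for example `PAMName=weston`) and ship a matching `/etc/pam.d/weston` that includes the distribution's common `account` stack and lists only the `session` modules a graphical session needs, pam_systemd in particular, so the logind registration happens without the login-specific extras. The comment on the `+#` line should then say which PAM file the unit expects.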
> >
> > Piggy-backing on "login" is a bad idea. "login" is a text tool, and
> > thus the PAM rules for it usually pull in some TTY specific PAM
> > modules. You should really use your own PAM fragment here, and
> > configure only the bits you need.
>
> Ok. Is there any guide or example I could point people to, so that they
> can write their own stuff correctly? Any example I could put into
> Weston docs?
>
> Personally I have no understanding of what PAM does. I just copied
> weston-launch (setuid-root helper for non-systemd systems) that also
> uses "login" for PAM name if it was asked to create a new session(?).
>

Instead of reusing "login", it would be better to start with a copy e.g.
lightdm's or xdm's config, IMHO.

There are three main steps in PAM. Besides "auth" (authentication, which
services simply skip), you also have "account" (authorization and
accounting) which verifies whether the user is allowed to log in – e.g. not
disabled, not locked out, not time-restricted. (For example, SSH pubkey
logins don't use PAM auth, but still have to perform the account
verification.)

Usually there's just one global configuration for "account" (e.g. in
pam.d/common-account) and you can directly include it.

But you also have "session" (session setup), which registers with
systemd-logind, sets up SELinux, prints the motd, and so on. These *do*
vary greatly between service types – e.g. you want pam_motd for 'login' but
not for 'cron'; you want pam_systemd for 'weston' but not for 'ftpd'. So
the "session" part may need to be customized, which is why you should start
with another graphical manager's.
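As an added illustration of the three-stage split described above (this is not part of the thread or of the Weston patch under discussion), the following is one way to write a dedicated PAM service for a compositor started as a system service, together with the unit lines that refer to it. It assumes a Debian-style `/etc/pam.d` layout in which a distribution-wide `common-account` file exists; the service name `weston` and the `User=` value are placeholders chosen here.

```text
# /etc/pam.d/weston   (constructed example; the name "weston" is a placeholder)

# auth: nobody types a password, the service is started by the system.
# systemd never calls pam_authenticate() for PAMName=, so denying here
# only guarantees this stack can never be reused to authenticate anyone.
auth      required   pam_deny.so

# account: reuse the global authorization policy, so a disabled, locked
# or time-restricted account is still refused even though no password
# was checked (same reason SSH pubkey logins still run "account").
account   include    common-account

# session: only what a graphical session needs. pam_loginuid tags the
# process tree for audit; pam_systemd registers the session with
# systemd-logind (seat, XDG_RUNTIME_DIR, device access). The login-only
# pieces such as pam_motd are deliberately absent.
session   required   pam_loginuid.so
session   optional   pam_systemd.so


# weston.service   (only the lines relevant to PAM; everything else as in
# the unit being documented)
[Service]
User=weston
PAMName=weston
```

The `auth` line is the defensive choice rather than `pam_permit.so`: since the service never authenticates, denying costs nothing and closes the door to the file being picked up by some other program under that service name. The `session` block is where per-service customization lives, which is why it is spelled out instead of including a shared `common-session` that may add motd, limits or other interactive-login modules.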