[systemd-devel] Crond session, pam_access and pam_systemd

Thomas HUMMEL thomas.hummel at pasteur.fr
Mon Oct 12 17:16:19 UTC 2020


Thanks for your answer. Still I'm quite confused.

On 12/10/2020 18:21, Mantas Mikulėnas wrote:


> It's a worker process which calls pam_open_session() and 
> pam_close_session() on behalf of the user@<uid>.service unit.

Well I may be misunderstanding but this user@<uid>.service seems like a 
top level (for this user) placeholder for various other service units 
and/or scopes, among which the init.scope corresponding to the sd-pam and 
systemd --user processes.

So you mean that any service in this placeholder can and does use the 
sd-pam helper to call pam_open_session() and pam_close_session() instead 
of doing it themselves, passing it the relevant PAMName?


> So when you see sd-pam under user@<uid>.service, that means it's 
> handling the "systemd-user" PAM service.

I'm not sure I understood in which cases this PAM service name is used.


> They're different but related. Systemd user sessions are always managed 
> through PAM (the pam_systemd module), so whenever cron calls 
> pam_open_session() it indirectly starts a systemd session as well.

You mean crond running as the user who has his own crontab does call 
pam_open_session() which is defined in the pam_systemd module?
If this is correct, this has indeed nothing to do with the sd-pam 
pam_open_session() mentioned above, or does it?


> 
>     - what does the first error message refers to and why does the
>     systemd-user pam service name get passed ? and by which systemd (system
>     or user) ?
> 
> 
> Your systemd --user instance is run as a service

Yes I understood that. But again I'm not really sure what services or 
other units it is supposed to run if I didn't define custom user 
services. Is it responsible for running things like the user's UI terminals 
for instance?


> Because of that, the service needs to have its own PAM service name and 
> makes its own PAM calls independently from crond or anything else.

Ok so it's this service (systemd --user) which uses the systemd-user PAM 
service name? Passed to the generic sd-pam worker? Correct?

> 
>     - what is the failing systemd job the second message refers to ? Does
>     this mean that the crond "session" gets created by the systemd --user
>     instance (as some gnome apps in other contexts for instance) ?
> 
> 
> No, it's mostly the opposite – the starting of user@<uid>.service is 
> triggered by crond opening its PAM session.

Sorry I don't get it: what service exactly is started? crond opening 
its PAM session does not cause a systemd --user to be instantiated, or 
does it? I thought the only way to have a systemd --user was through 
its creation via pam_systemd notifying systemd-logind at a user's first 
login (and/or by lingering the user).

Thanks for your help

--
Thomas HUMMEL
