[systemd-devel] User authentication service isn't killed fully

Mantas Mikulėnas grawity at gmail.com
Tue Dec 28 15:02:39 UTC 2021


On Tue, Dec 28, 2021, 16:39 beroal <me at beroal.in.ua> wrote:

> I was not aware of `PAMName`. After reading its documentation, it's still
> not clear to me what it does and how it can be used. What's a PAM session?
> Do you have any references? Google search wasn't very helpful. AFAIK from
> the PAM documentation, session is not an entity, for example, it has no
> identifier. Is it a session stored in logind?
>

It's the abstract thing between pam_open_session() and pam_close_session().
Each module has its own definition of what a session really is –
pam_systemd makes it an entity that exists within systemd-logind,
pam_loginuid makes it an entity that exists within the kernel's audit
subsystem, pam_unix just writes "user foo logged in" to the syslog. I guess
you could call the entire child process tree (including reparented ones)
the session.

What PAMName= does is similar to your program: it initializes PAM with the
provided name, skips pam_authenticate but calls pam_acct_mgmt and
pam_open_session before starting the program. It's often used for
auto-login services.


> I would also like to know how systemd is supposed to handle authentication
> programs that can start a process for any user, not the one in the systemd
> unit file. I posted just a minimal example.


It doesn't get involved in those. If your program starts as root and "logs
in" arbitrary users (like sshd or getty/login or lightdm), then it doesn't
use PAMName= but continues calling PAM directly, like it always has.

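The PAMName= behaviour described above, as an added example that is not from the thread: a constructed service unit that runs a program as a user through a PAM session, together with the PAM stack it looks up. The unit name, the PAM service name and the program path are assumptions; since systemd never calls pam_authenticate for PAMName=, only the account and session lines of the stack are evaluated.

```ini
# /etc/systemd/system/autologin-app.service   (constructed example unit)
[Unit]
Description=Run a program for one user inside a PAM session

[Service]
# PAMName= is ignored unless User= is set
User=alice
# Looked up as /etc/pam.d/autologin-app; pam_acct_mgmt and
# pam_open_session run before ExecStart=, pam_close_session after it exits
PAMName=autologin-app
# Hypothetical program
ExecStart=/usr/bin/myapp
# Default, stated explicitly: stopping the unit kills every process in its
# cgroup, including children that were reparented away from myapp
KillMode=control-group

# /etc/pam.d/autologin-app   (constructed PAM stack used by the unit above)
# No "auth" lines: pam_authenticate is skipped for PAMName=, so this stack
# only decides whether the account may be used and what a session means
account  required  pam_unix.so
session  required  pam_loginuid.so
session  optional  pam_systemd.so
```

After `systemctl start autologin-app`, `loginctl list-sessions` should show a logind session for alice owned by the unit's processes, and `systemctl stop autologin-app` closes that session along with the child tree.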

