[systemd-devel] Running pam-enabled /bin/login sessions in unprivileged terminal emulators

Lennart Poettering lennart at poettering.net
Fri May 28 05:27:30 UTC 2021


On Do, 27.05.21 22:25, nerdopolis (bluescreen_avenger at verizon.net) wrote:

> I guess I meant to say getty, but getty ends up calling /bin/login anyway after
> resetting the terminal and reading /etc/issue anyway. Or at least I thought.
>
> Interesting, I found some simple enough looking samples for granting users the
> ability to start one service. Dang, it might not work with Debian's
> fraken-polkit-0.105 they still have.
>
> I am able to tweak up a test copy of container-getty@.service,
> setting TERM to xterm-256color and doing the XDG_SEAT=seat-vtty workaround so
> the logged in session has PAM too, and nmtui doesn't do this
>     https://i.imgur.com/dt7xAMz.png
> so that works.
>
> Something like that is what I was originally looking for, so thanks!
> but I will admit, one thing I've come to like about the socat client/server
> thing is that if say cage or vte takes a segfault during say an apt-get install,
> the running command doesn't die...

The service that implements your terminal emulator could upload the
pty master fds to systemd via the fdstore logic. That way the master
will stay open across restart of that service or when it fails.

Lennart

--
Lennart Poettering, Berlin
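
The fdstore approach described in the reply above, as an added example that is not part of the original message and is not systemd's own code: it speaks the notify-socket protocol directly (`FDSTORE=1` plus `FDNAME=` with the fd attached via `SCM_RIGHTS`) and reads the fds back from `LISTEN_FDS`/`LISTEN_FDNAMES` after a restart. It assumes the unit sets `FileDescriptorStoreMax=` to at least 1; the name `pty-master` and the function names are chosen for this example.

```python
import array
import os
import pty
import socket

SD_LISTEN_FDS_START = 3  # inherited fds start here (sd_listen_fds convention)

def store_fd(fd, name, notify_path=None):
    """Send fd to the service manager's fd store, tagged FDNAME=name."""
    path = notify_path or os.environ.get("NOTIFY_SOCKET")
    if not path:
        return False                      # not started by a service manager
    if path.startswith("@"):              # abstract-namespace socket
        path = "\0" + path[1:]
    msg = f"FDSTORE=1\nFDNAME={name}".encode()
    rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendmsg([msg], [rights], 0, path)
    return True

def stored_fds(environ=os.environ, pid=None):
    """Return [(name, fd)] for fds handed back to this process on (re)start."""
    pid = os.getpid() if pid is None else pid
    if environ.get("LISTEN_PID") != str(pid):
        return []                         # variables were meant for another process
    count = int(environ.get("LISTEN_FDS", "0"))
    names = environ.get("LISTEN_FDNAMES", "").split(":")
    out = []
    for i in range(count):
        name = names[i] if i < len(names) and names[i] else "unknown"  # fallback label
        out.append((name, SD_LISTEN_FDS_START + i))
    return out

def main():
    # "pty-master" is a name chosen for this example.
    restored = [fd for name, fd in stored_fds() if name == "pty-master"]
    if restored:
        master = restored[0]              # session outlived the previous instance
    else:
        master, _slave = pty.openpty()    # hand _slave to the login/getty child
        store_fd(master, "pty-master")
    os.set_inheritable(master, False)     # keep the master out of child processes
    return master

if __name__ == "__main__":
    main()
```

Checking `LISTEN_PID` before trusting the inherited fds keeps a child process that inherited the environment from treating unrelated descriptors as stored pty masters.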

