[systemd-devel] Running pam-enabled /bin/login sessions in unprivileged terminal emulators

Pekka Paalanen ppaalanen at gmail.com
Fri May 28 07:13:17 UTC 2021


On Thu, 27 May 2021 17:33:35 +0200
Lennart Poettering <lennart at poettering.net> wrote:

> On Sa, 22.05.21 13:50, Pekka Paalanen (ppaalanen at gmail.com) wrote:
> 
> > All in all, this stack would replace the usual stack where
> > /bin/login runs directly on the TTY of a VT, allowing to use a more
> > featureful terminal, custom display modes, multi-output support,
> > maybe multiple parallel sessions for different users a la fast user
> > switching, and more.  
> 
> When you say /bin/login do you actually intend to say "getty"? What is
> /bin/login good for here? it's a stub that expects you already give it
> a user and it then only asks for a pw. It's the second part of a getty
> pretty much.

Yes, sorry. I'm not clear what any of them actually do. Hence, please
replace everything I've called "the login program" or similar with
yours above.


Thanks,
pq


> We have multiple services that you can instantiate on ttys, for
> example getty@.service (for true VTs), serial-getty@.service (for
> serial ports), container-getty.service (for /dev/console),
> container-getty@.service (for gettys on pseudo TTYs, pretty much).
> 
> It appears to me that the right approach for your case is to do what
> container-getty@.service effectively does and instantiate an
> appropriate instance of a template service modelled after it for the
> "other" side of the pty your terminal app allocates.
> 
> Instantiating <yourapp>-getty@.service requires privs, but you can use
> polkit to grant that to your terminal app's user. The polkit auth
> request carries the unit name as additional metadata, hence that
> should be pretty easily done with some minimal polkit JS.
> 
> Lennart
> 
> --
> Lennart Poettering, Berlin
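
A polkit rule along the lines suggested in the quoted reply, as an added example that is not part of the original thread or of systemd. The unit prefix "myterm-getty@", the account "termuser" and the numeric instance name are assumptions; org.freedesktop.systemd1.manage-units and its "unit" and "verb" details are what systemd attaches to the polkit request.

```javascript
// Added example (hypothetical names): would live in e.g.
// /etc/polkit-1/rules.d/ as a .rules file. It lets one unprivileged
// account start/stop instances of one template unit and nothing else.
var TERMINAL_USER = "termuser";                      // assumed account
var UNIT_RE = /^myterm-getty@[0-9]{1,4}\.service$/;  // assumed template, pty index
var ALLOWED_VERBS = ["start", "stop"];

function gettyRule(action, subject) {
    // Only systemd's unit-management action is of interest here.
    if (action.id !== "org.freedesktop.systemd1.manage-units") {
        return polkit.Result.NOT_HANDLED;
    }
    // Grant nothing to any other account.
    if (subject.user !== TERMINAL_USER) {
        return polkit.Result.NOT_HANDLED;
    }
    // systemd passes the unit name and the verb as action details.
    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    // Fully anchored match: no prefix/suffix tricks, no other templates.
    if (typeof unit === "string" && UNIT_RE.test(unit) &&
        ALLOWED_VERBS.indexOf(verb) !== -1) {
        return polkit.Result.YES;
    }
    // Fall through to the default policy (normally admin authentication).
    return polkit.Result.NOT_HANDLED;
}

// The polkit object exists only inside polkitd's rule engine.
if (typeof polkit !== "undefined") {
    polkit.addRule(gettyRule);
}
```

Returning NOT_HANDLED instead of NO for everything else leaves the normal authentication path for other units intact.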
