[systemd-devel] Running pam-enabled /bin/login sessions in unprivileged terminal emulators
Pekka Paalanen
ppaalanen at gmail.com
Fri May 28 07:13:17 UTC 2021
On Thu, 27 May 2021 17:33:35 +0200
Lennart Poettering <lennart at poettering.net> wrote:
> On Sa, 22.05.21 13:50, Pekka Paalanen (ppaalanen at gmail.com) wrote:
>
> > All in all, this stack would replace the usual stack where
> > /bin/login runs directly on the TTY of a VT, allowing to use a more
> > featureful terminal, custom display modes, multi-output support,
> > maybe multiple parallel sessions for different users a la fast user
> > switching, and more.
>
> When you say /bin/login do you actually intend to say "getty"? What is
> /bin/login good for here? It's a stub that expects you already give it
> a user and it then only asks for a pw. It's the second part of a getty
> pretty much.
Yes, sorry. I'm not clear what any of them actually do. Hence, please
replace everything I've called "the login program" or similar with
yours above.
Thanks,
pq
> We have multiple services that you can instantiate on ttys, for
> example getty@.service (for true VTs), serial-getty@.service (for
> serial ports), container-getty.service (for /dev/console),
> container-getty@.service (for gettys on pseudo TTYs, pretty much).
>
> It appears to me that the right approach for your case is to do what
> container-getty@.service effectively does and instantiate an
> appropriate instance of a template service modelled after it for the
> "other" side of the pty your terminal app allocates.
>
> Instantiating <yourapp>-getty@.service requires privs, but you can use
> polkit to grant that to your terminal app's user. The polkit auth
> request carries the unit name as additional metadata, hence that
> should be pretty easily done with some minimal polkit JS.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
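
A sketch of the kind of polkit rule the quoted reply describes, added here as an example and not taken from the thread or from systemd. It grants only start/stop of instances of one template to one account. The template name "myterm-getty@.service", the account "myterm" and the numeric instance format are assumptions; `org.freedesktop.systemd1.manage-units` and the `unit`/`verb` details are what systemd passes to polkit.

```javascript
// Added example. Hypothetical names: template "myterm-getty@.service"
// and the unprivileged account "myterm" that runs the terminal app.
var UNIT_PREFIX = "myterm-getty@";
var UNIT_SUFFIX = ".service";
var TERMINAL_USER = "myterm";
var ALLOWED_VERBS = ["start", "stop"];

// Decide whether one manage-units request falls inside the narrow grant.
function isAllowedGettyRequest(action, subject) {
    if (action.id !== "org.freedesktop.systemd1.manage-units") return false;
    if (subject.user !== TERMINAL_USER) return false;

    var unit = action.lookup("unit");
    var verb = action.lookup("verb");
    if (typeof unit !== "string" || ALLOWED_VERBS.indexOf(verb) < 0) return false;
    if (unit.indexOf(UNIT_PREFIX) !== 0) return false;
    if (unit.slice(-UNIT_SUFFIX.length) !== UNIT_SUFFIX) return false;

    // Assumption: the instance is a pts number (as in /dev/pts/<N>), so
    // anything other than a short run of digits is refused.
    var instance = unit.slice(UNIT_PREFIX.length, unit.length - UNIT_SUFFIX.length);
    return /^[0-9]{1,6}$/.test(instance);
}

// Under polkitd, register the rule. Requests that do not match fall
// through to the default policy instead of being granted.
if (typeof polkit !== "undefined") {
    polkit.addRule(function (action, subject) {
        if (isAllowedGettyRequest(action, subject)) return polkit.Result.YES;
        return polkit.Result.NOT_HANDLED;
    });
}

// Constructed request object, for exercising the check outside polkitd.
function fakeRequest(unit, verb) {
    var details = { unit: unit, verb: verb };
    return {
        id: "org.freedesktop.systemd1.manage-units",
        lookup: function (key) { return details[key]; }
    };
}
```

Installed as a file under /etc/polkit-1/rules.d/, the rule leaves every other unit and every other verb subject to the normal administrator authentication.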