Bug#868359: libpam-systemd should maybe not fire on non-login users

Don Armstrong don at debian.org
Fri Jul 14 22:04:50 BST 2017


Package: libpam-systemd
Version: 232-25
Severity: minor

It seems reasonable that non-login users should not have per-user
sessions by default. Using pam_succeed_if to skip creation for users
with /bin/false or /usr/sbin/nologin shells seems reasonable.

I.e., the following (currently untested):

Name: Register user sessions in the systemd control group hierarchy
Default: yes
Priority: 0
Session-Interactive-Only: yes
Session-Type: Additional
Session:
        [success=2 default=ignore] pam_succeed_if.so quiet shell = /bin/false
        [success=1 default=ignore] pam_succeed_if.so quiet shell = /usr/sbin/nologin
        optional        pam_systemd.so


Alternatively, documenting this workaround in README.Debian might be
good enough.

-- 
Don Armstrong                      https://www.donarmstrong.com

Love is... a complex sequence of neurochemical reactions that makes
people behave like idiots. It's similar to intoxication, but the
hangover's even worse.
 -- J. Jacques _Questionable Content_ #1039
    http://www.questionablecontent.net/view.php?comic=1039
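
An added example, not part of the original report: a small model of how PAM would walk the Session block proposed above, to check that the success=2 and success=1 jump counts both land past pam_systemd.so. The passwd entries are constructed, the function names are hypothetical, and module names carry the .so suffix that Linux-PAM loads.

```python
# Added illustration: models only the "[success=N default=ignore]" jump form
# and the pam_succeed_if "shell = <path>" test from the proposed Session block.
import re

SESSION_BLOCK = """\
[success=2 default=ignore] pam_succeed_if.so quiet shell = /bin/false
[success=1 default=ignore] pam_succeed_if.so quiet shell = /usr/sbin/nologin
optional        pam_systemd.so
"""

# Constructed passwd(5) lines for the example.
PASSWD = """\
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-backup:x:998:998::/var/lib/backup:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
"""

def parse_stack(text):
    """Return [(jump_on_success, module, args)] for each stack line."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\[success=(\d+) default=ignore\]\s+(.*)", line)
        jump, rest = (int(m.group(1)), m.group(2)) if m else (0, line.split(None, 1)[1])
        module, *args = rest.split()
        stack.append((jump, module, args))
    return stack

def modules_run(shell, stack):
    """Names of non-test modules that PAM would invoke for this login shell."""
    ran, i = [], 0
    while i < len(stack):
        jump, module, args = stack[i]
        if module == "pam_succeed_if.so":
            # args look like: quiet shell = /bin/false
            field, op, value = [a for a in args if a != "quiet"]
            ok = field == "shell" and op == "=" and shell == value
            i += 1 + (jump if ok else 0)   # success=N skips the next N lines
        else:
            ran.append(module)
            i += 1
    return ran

def sessions_by_user(passwd=PASSWD, block=SESSION_BLOCK):
    stack = parse_stack(block)
    return {f[0]: "pam_systemd.so" in modules_run(f[6], stack)
            for f in (l.split(":") for l in passwd.splitlines())}

if __name__ == "__main__":
    for user, registered in sessions_by_user().items():
        print(f"{user:12} systemd session: {registered}")
```

If a third excluded shell is added to the block, every jump count above it has to grow by one, which this model makes easy to re-check.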


