Bug#868359: libpam-systemd should maybe not fire on non-login users
Michael Biebl
biebl at debian.org
Fri Jul 14 22:50:13 BST 2017
Hi Don
On 14.07.2017 at 23:04, Don Armstrong wrote:
> It seems reasonable that non-login users should not have per-user
> sessions by default. Using pam_succeed_if to skip creation for users
> with /bin/false or /usr/sbin/nologin shells seems reasonable.
>
> IE, the following (currently untested):
>
> Name: Register user sessions in the systemd control group hierarchy
> Default: yes
> Priority: 0
> Session-Interactive-Only: yes
This was supposed to ensure that pam_systemd is only included for
interactive sessions.
Wouldn't it be better if non-login users use
/etc/pam.d/common-session-noninteractive?
Where exactly did you see pam_systemd used where it shouldn't have been?
> Session-Type: Additional
> Session:
> [success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
> [success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
> optional pam_systemd.so
>
Didn't know that PAM could do that.
That's interesting and scary at the same time :-)
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
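
The jump counts in the quoted Session stack can be checked offline. The following is an added example, not part of the original message or of the Debian packaging: a minimal model of how PAM handles `[success=N default=ignore]`, applied to the three lines quoted above. The names `parse`, `modules_run` and `SAMPLE_USERS` are hypothetical, the accounts are constructed, and only the integer `success=N` jump and the `shell = <path>` test are modelled.

```python
import re

# The three Session lines as quoted in the message (module names as written there).
STACK = """\
[success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
[success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
optional pam_systemd.so
"""

# Constructed sample accounts: user name -> login shell from the passwd entry.
SAMPLE_USERS = {
    "alice": "/bin/bash",
    "www-data": "/usr/sbin/nologin",
    "backup": "/bin/false",
}

def parse(stack):
    """Return (success_jump, module, args) for each line of the stack."""
    entries = []
    for line in stack.splitlines():
        m = re.match(r"\[(.*?)\]\s+(\S+)\s*(.*)", line)
        if m:
            actions = dict(kv.split("=") for kv in m.group(1).split())
            entries.append((int(actions.get("success", 0)), m.group(2), m.group(3).split()))
        else:
            _control, module, *args = line.split()
            entries.append((0, module, args))
    return entries

def modules_run(shell, stack=STACK):
    """Modules (other than the pam_succeed_if tests) executed for this shell."""
    entries, ran, i = parse(stack), [], 0
    while i < len(entries):
        jump, module, args = entries[i]
        if module.startswith("pam_succeed_if"):
            # args look like: quiet shell = /bin/false
            matched = args[-3:-1] == ["shell", "="] and args[-1] == shell
            # success=N skips the next N modules; default=ignore just continues
            i += 1 + (jump if matched else 0)
        else:
            ran.append(module)
            i += 1
    return ran

if __name__ == "__main__":
    for user, shell in SAMPLE_USERS.items():
        print(f"{user:10} {shell:20} -> {modules_run(shell)}")
```

In this model pam_systemd.so runs only for the account with an interactive shell; both the /bin/false and /usr/sbin/nologin accounts jump past it.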