How are PAM sessions applied to systemd user services

systemd

Each time you log in as a user, you get a new PAM session. E.g. I believe people have used pam_group to add your session's processes to groups for access to certain devices, if you log on to a local terminal.

pam_systemd starts one systemd --user instance, which is shared between all the user's login sessions. Nowadays, e.g. in Fedora 26, you will see all gnome-terminal processes are actually started by systemd --user. So that's where your terminal commands run. They do not run in the systemd session scopes that are created for each individual login…

How is the single systemd --user instance, and the processes it creates, affected by the PAM sessions?

Best Answer

pam_systemd is documented as starting systemd --user using user@.service.

user@.service uses PAMName=, so it runs inside a dedicated PAM session. pam_systemd has a special-case for PAMName=systemd-user, so that starting user@.service does not recurse infinitely or deadlock. (Also this process doesn't get put in a new session scope unit).

$ systemctl cat user@
# /usr/lib/systemd/system/user@.service

[Unit]
Description=User Manager for UID %i
After=systemd-user-sessions.service

[Service]
User=%i
PAMName=systemd-user
Type=notify
ExecStart=-/usr/lib/systemd/systemd --user
Slice=user-%i.slice
KillMode=mixed
Delegate=yes
TasksMax=infinity
TimeoutStopSec=120s

pam_systemd does not really work with features tied to the PAM session that vary based on the individual TTY. Instead, logind uses ACLs to grant the logged in user access to certain devices. As long as the PAM session is open, any process with that UID will be able to access them.

logind also has a DBus interface which allows one process of that user to open certain devices, intended for the display server e.g. X Windows. It has code to handle switching VTs, and multiple "seats" (groups of devices).
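The two points of the answer (terminal commands live under user@UID.service rather than in a per-login session-N.scope, and device access comes from logind-managed ACLs rather than from the PAM session) can be checked from a shell. The script below is an added example, not code from the answer or from systemd: it parses the cgroup v2 path of a process (the "0::/..." line in /proc/PID/cgroup, assumed to be the unified hierarchy) to say which of the two places it sits in, and checks getfacl-style output for the per-user entry logind adds. The cgroup paths and the ACL listing inside it are constructed samples, not captured from a real machine; only the "--live" mode reads /proc/self/cgroup on the box you run it on.

```shell
#!/bin/sh
# Added example: classify where a process sits in the systemd cgroup tree
# and check for a logind-style device ACL entry. Sample data is constructed.

# cgroup_path_of_line LINE -> the path part of a cgroup v2 "0::<path>" line
cgroup_path_of_line() {
    printf '%s\n' "$1" | sed -n 's/^0::\(.*\)$/\1/p'
}

# uid_of_cgroup PATH -> the UID encoded in /user.slice/user-<UID>.slice/...
uid_of_cgroup() {
    expr "$1" : '/user\.slice/user-\([0-9][0-9]*\)\.slice' || true
}

# classify_cgroup PATH -> one of:
#   user-manager  : started by systemd --user, i.e. under user@<UID>.service
#                   (this is where gnome-terminal and its shells end up)
#   session-scope : placed by pam_systemd in the per-login session-<N>.scope
#                   (sshd's forked child, a getty login shell, ...)
#   system        : outside user.slice entirely (system services)
#   unknown       : a shape this classifier does not recognise
classify_cgroup() {
    case "$1" in
        /user.slice/user-*.slice/user@*.service|/user.slice/user-*.slice/user@*.service/*)
            echo user-manager ;;
        /user.slice/user-*.slice/session-*.scope|/user.slice/user-*.slice/session-*.scope/*)
            echo session-scope ;;
        /user.slice/*)
            echo unknown ;;
        /*)
            echo system ;;
        *)
            echo unknown ;;
    esac
}

# acl_grants_user ACL_TEXT UID -> success if the getfacl-style text carries a
# "user:<UID>:rw-" entry, the shape logind adds for the active session's user
acl_grants_user() {
    printf '%s\n' "$1" | grep -q "^user:$2:rw-\$"
}

# Constructed sample of what `getfacl /dev/dri/card0` looks like while
# UID 1000 owns the active session on the seat (not captured output).
SAMPLE_ACL='# file: dev/dri/card0
# owner: root
# group: video
user::rw-
user:1000:rw-
group::rw-
mask::rw-
other::---'

# live_check: report where the current shell itself runs (Linux, cgroup v2)
live_check() {
    if [ ! -r /proc/self/cgroup ]; then
        echo "no /proc/self/cgroup here; nothing to classify"
        return 0
    fi
    line=$(grep '^0::' /proc/self/cgroup || true)
    path=$(cgroup_path_of_line "$line")
    echo "cgroup: ${path:-<none>}"
    echo "uid:    $(uid_of_cgroup "$path")"
    echo "class:  $(classify_cgroup "$path")"
}

# Only touch the running system when asked to; the functions above are
# otherwise pure and can be exercised on constructed paths.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh check.sh --live` from a graphical terminal and you should see a path under user@UID.service (class user-manager); run it from an SSH login and the path ends in session-N.scope instead. Compare with `loginctl session-status` and `getfacl` on a device node the seat grants you to confirm both halves of the answer.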
