Bug#868359: libpam-systemd should maybe not fire on non-login users
Hi Don Am 14.07.2017 um 23:04 schrieb Don Armstrong: > It seems reasonable that non-login users should not have per-user > sessions by default. Using pam_succeed_if to skip creation for users > with /bin/false or /usr/sbin/nologin shells seems reasonable. > > IE, the following (currently untested): > > Name: Register user sessions in the systemd control group hierarchy > Default: yes > Priority: 0 > Session-Interactive-Only: yes This was supposed to ensure that pam_systemd is only included for interactive sessions. Wouldn't it be better if non-login users use /etc/pam.d/common-session-noninteractive? Where exactly did you see pam_systemd used where it shouldn't have been? > Session-Type: Additional > Session: > [success=2 default=ignore] pam_succeed_if quiet shell = /bin/false > [success=1 default=ignore] pam_succeed_if quiet shell = > /usr/sbin/nologin > optionalpam_systemd.so > Didn't know that PAM could do that. That's interesting and scary at the same time :-) -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Bug#868359: libpam-systemd should maybe not fire on non-login users
Package: libpam-systemd Version: 232-25 Severity: minor It seems reasonable that non-login users should not have per-user sessions by default. Using pam_succeed_if to skip creation for users with /bin/false or /usr/sbin/nologin shells seems reasonable. IE, the following (currently untested): Name: Register user sessions in the systemd control group hierarchy Default: yes Priority: 0 Session-Interactive-Only: yes Session-Type: Additional Session: [success=2 default=ignore] pam_succeed_if quiet shell = /bin/false [success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin optionalpam_systemd.so Alternatively, documenting this workaround in README.Debian might be good enough. -- Don Armstrong https://www.donarmstrong.com Love is... a complex sequence of neurochemical reactions that makes people behave like idiots. It's similar to intoxication, but the hangover's even worse. -- J. Jacques _Questionable Content_ #1039 http://www.questionablecontent.net/view.php?comic=1039
