On Sat, 02.05.15 07:01, Stephen Gallagher (sgall...@redhat.com) wrote:

> > Well, I guess for now. But note that eventually we hope to move most
> > programs invoked from .desktop into this as systemd services. This
> > then means that the actual sessions will become pretty empty, with
> > only stubs remaining that trigger services off this user instance of
> > systemd.
> >
>
> If you do that, you will still need some way to invoke PAM with
> different service identities otherwise you'll be implementing a
> pretty severe vulnerability into the system. If all services are
> authorized by the same PAM service, it amounts to removing the
> ability for administrators to differentiate which actions a
> particular user is allowed to perform.

Well, if you are enough logged in to run arbitrary scripts (like gdm,
ssh or cron allow you to), then you are in, for whatever you want to
do, there's no way around that, and having different PAM services
could only hide that fact, but not avoid it...

The admin still has a lot of control on how you can log in
though. For example, gdm will still use PAM to check if you are
allowed to login graphically, on a seat. If that's denied, then the
login will be refused. Only if you managed to login you can also use
the systemd user instance.

Also note that "lingering" is something that needs to be turned on
with privileges. If you don't have the privs to turn this on, you
cannot make use of this feature and the user instance of systemd is
strictly reference counted by your PAM sessions which means as soon as
you logged out from all your terminals/graphical seats you also lost
the user instance.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
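
An added example, not part of the original message or of systemd's own code: since the reply notes that lingering must be turned on with privileges, an administrator can audit which accounts have it. It assumes logind's marker files in /var/lib/systemd/linger (one empty file per user, a detail not stated in the thread); the function names and the users alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Audit systemd "lingering": accounts whose user instance may outlive
# their last PAM session. Assumption: logind records enable-linger as an
# empty marker file named after the user in /var/lib/systemd/linger.

# list_lingering [DIR] -> one user name per line
list_lingering() {
    dir=${1:-/var/lib/systemd/linger}
    [ -d "$dir" ] || return 0          # no directory: nobody lingers
    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: glob did not match
        basename "$f"
    done
}

# unexpected_lingering DIR [APPROVED_USER...] -> lingering users that are
# not on the approved list given as the remaining arguments
unexpected_lingering() {
    dir=$1
    shift
    list_lingering "$dir" | while IFS= read -r user; do
        ok=no
        for approved in "$@"; do
            if [ "$user" = "$approved" ]; then
                ok=yes
            fi
        done
        if [ "$ok" = no ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed sample state (not a real host): alice and bob have markers,
# only alice is approved, so bob is reported.
sample=$(mktemp -d)
touch "$sample/alice" "$sample/bob"
unexpected_lingering "$sample" alice
rm -rf "$sample"
```

On a real host, call `unexpected_lingering /var/lib/systemd/linger` followed by the accounts that are supposed to linger.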