On 2014-12-28 18:29, Christian Kastner wrote:
> Changing systemd-user's PAM config to use common-session-noninteractive
> resolves the above issue (and actually another, yet unreported, one in
> libpam-mount).
>
> Please consider including the attached patch against git master if you
> think it is safe to do so.

OK, so I found one negative side effect of my proposed change: switching
to "common-session-noninteractive" alone causes systemd to log the
following message to syslog:

    Trying to run as a user instance, but $XDG_RUNTIME_DIR is not set.

I assume that this is because common-session also includes
pam_systemd.so, whereas -noninteractive does not, so switching to the
latter drops it from systemd-user's config.

I see two possible easy solutions for this:

1. Move pam_systemd.so to -noninteractive, by dropping
   "Session-Interactive-Only: yes" from systemd's
   /usr/share/pam-config/systemd.

   I think this is the worst solution, as this would affect all
   PAM configurations, not just systemd-user's.

2. Re-add pam_systemd.so to systemd-user's config.

The attached, updated patch implements 2. I tested it locally, and all
issues raised so far were resolved.

From cd4c712e383d0c60c0ee593cdbc437392a2fbb02 Mon Sep 17 00:00:00 2001
From: Christian Kastner <[email protected]>
Date: Sun, 28 Dec 2014 18:22:22 +0100
Subject: [PATCH] Use common-session-noninteractive in systemd-user's PAM
configuration
common-session can include PAM modules, for example libpam-mount, which expect
to be called in an interactive manner, and cause all sorts of errors otherwise.
By switching to common-session-noninteractive, however, we also drop
pam_systemd.so, so we add it locally instead.
---
.../Adjust-systemd-user-pam-config-file-for-Debian.patch | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch
index 78c5e0c..5bd30c4 100644
--- a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch
+++ b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch
@@ -8,17 +8,18 @@ launching systemd user instances.
src/login/systemd-user | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/login/systemd-user b/src/login/systemd-user
-index 7b57dbf..f87d560 100644
---- a/src/login/systemd-user
-+++ b/src/login/systemd-user
-@@ -2,7 +2,7 @@
+Index: systemd-215/src/login/systemd-user
+===================================================================
+--- systemd-215.orig/src/login/systemd-user
++++ systemd-215/src/login/systemd-user
+@@ -2,7 +2,8 @@
# Used by systemd when launching systemd user instances.
-account include system-auth
-session include system-auth
+@include common-account
-+@include common-session
++@include common-session-noninteractive
auth required pam_deny.so
password required pam_deny.so
++session optional pam_systemd.so
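Review bot: The embedded patch's own diffstat, kept as context at the top of this hunk (`src/login/systemd-user | 4 ++--` and `1 file changed, 2 insertions(+), 2 deletions(-)`), no longer matches the refreshed inner hunk, whose header is now `@@ -2,7 +2,8` and which adds three lines and removes two; please regenerate or drop it. The refresh also swapped the git-style `diff --git a/... b/...` header for a quilt `Index: systemd-215/...` header, which ties the patch to a versioned directory name and adds churn unrelated to the fix; keeping the original header style would reduce the change to the swapped `@include` and the added session line. Lastly, `session optional pam_systemd.so` is placed below the `password` entry, away from the `@include common-session-noninteractive` it compensates for; putting it directly under that include with a one-line comment giving the reason from the commit message (the noninteractive stack drops pam_systemd.so) would make the session stack easier to read and harder to remove by mistake.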
--
2.1.4