[arch-general] want to try systemd but need some advice

Fons Adriaensen fons at linuxaudio.org
Sat Sep 29 15:52:54 EDT 2012


Hello all,

During the past days I've been reading the systemd manpages, and I'm
more or less prepared to reconfigure one of the systems I manage to use
systemd. The main thing that scares me off is the 'consolekit style'
login management of systemd's logind. In particular the following
(from <http://www.freedesktop.org/wiki/Software/systemd/multiseat>):

* A session is defined by the time a user is logged in until he logs
* out. A session is bound to one or no seats (the latter for 'virtual'
* ssh logins). 

and

* Note that logind manages ACLs on a number of device classes, to allow
* user code to access the device nodes attached to a seat as long as the
* user has an active session on it.

In the context I'm working in the whole 'seat' and 'session' thing, as
far as I can understand it, doesn't make much sense.

An absolute requirement for the system I'd want to test systemd on (and
for many others I manage) is that there should be *no* difference at all
between a 'local' login and one via ssh. Whatever a user is allowed to 
do or access should not depend on how he/she logs in, but only on his/her
unix login and group membership. Root can do all he wants, normal users are
as restricted as possible, and any exceptions to that are configured via
/etc/sudoers and nothing else. In particular there's no place for polkit
or anything similar here.

I'd want things to be configured that way 'once and for all', meaning that
a) I'm not really looking forward to having to do this for each and every
device or command, and b) that a routine system update (a frequent enough
event on an Arch system) must not be able to modify this policy.

From reading the available docs I'm not convinced this will be possible, in
particular since the docs concerning logind are rather incomplete (where are
those ACLs defined for example). And 'ping Lennart if you need more info' as
suggested, is not really a sustainable solution IMHO.

So my question is: a) is it possible to configure a system as I want it,
and b) if yes, how?

TIA,

-- 
FA

A world of exhaustive, reliable metadata would be a utopia.
It's also a pipe-dream, founded on self-delusion, nerd hubris
and hysterically inflated market opportunities. (Cory Doctorow)
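The ACLs the mail asks about can be inspected directly on the device nodes: logind adds per-user entries (such as `user:alice:rw-`) to nodes that udev tags `uaccess` while that user has an active local session, and an ssh session gets none. As an added example, not from the original mail or from the systemd project, the script below parses `getfacl` output and flags any per-user entry, so an administrator can verify whether access depends only on group membership. It assumes the acl tools and awk are installed; the `getfacl` output it embeds is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit device-node ACLs for
# per-user entries. logind grants such entries (e.g. "user:alice:rw-") on
# device nodes that udev tags "uaccess" while that user has an active local
# session; an ssh session gets none. Flagging them shows where access
# depends on how the user logged in rather than on group membership alone.

# Count per-user ACL entries in getfacl output read on stdin. The owner
# entry "user::rw-" has an empty second field and is not counted.
count_user_acl_entries() {
    awk -F: '$1 == "user" && $2 != "" { n++ } END { print n + 0 }'
}

# Print one line per per-user entry, naming the device and the user.
# Input is the concatenated output of `getfacl -p` for several devices.
flag_per_user_entries() {
    awk -F: '
        /^# file: / { file = substr($0, 9); next }
        $1 == "user" && $2 != "" { print "per-user ACL on " file ": " $2 }
    '
}

# Constructed sample of `getfacl -p /dev/snd/controlC0` while user "alice"
# holds an active local (seat0) session. Not captured from a real system.
SAMPLE_WITH_LOGIND_ACL='# file: /dev/snd/controlC0
# owner: root
# group: audio
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---'

# Constructed sample of the same node with group-based access only.
SAMPLE_GROUP_ONLY='# file: /dev/snd/controlC0
# owner: root
# group: audio
user::rw-
group::rw-
other::---'

# Real use (assumes the acl package is installed):
#   getfacl -p /dev/snd/* /dev/dri/* 2>/dev/null | flag_per_user_entries
# Demo on the constructed samples:
printf '%s\n' "$SAMPLE_WITH_LOGIND_ACL" | flag_per_user_entries
printf 'group-only sample has %s per-user entries\n' \
    "$(printf '%s\n' "$SAMPLE_GROUP_ONLY" | count_user_acl_entries)"
```

Run the real `getfacl` line once with a user logged in on the console and once with the same user logged in only via ssh; if the first run flags entries and the second does not, access to those devices depends on the login path, which is exactly the difference the mail wants to rule out. A policy that relies on the `audio`, `video` and similar groups alone shows no per-user entries in either case.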
