[arch-general] want to try systemd but need some advice
rodrigorivascosta at gmail.com
Sat Sep 29 16:59:45 EDT 2012
On Sat, Sep 29, 2012 at 9:52 PM, Fons Adriaensen <fons at linuxaudio.org> wrote:
> Hello all,
> During the past days I've been reading the systemd manpages, and I'm
> more or less prepared to reconfigure one of the systems I manage to use
> systemd. The main thing that scares me off is the 'consolekit style'
> login management of systemd's logind. In particular the following
> (from <http://www.freedesktop.org/wiki/Software/systemd/multiseat>):
> * A session is defined by the time a user is logged in until he logs
>   out. A session is bound to one or no seats (the latter for 'virtual'
>   ssh logins).
> * Note that logind manages ACLs on a number of device classes, to allow
>   user code to access the device nodes attached to a seat as long as the
>   user has an active session on it.
> In the context I'm working in the whole 'seat' and 'session' thing, as
> far as I can understand it, doesn't make much sense.
> An absolute requirement for the system I'd want to test systemd on (and
> for many others I manage) is that there should be *no* difference at all
> between a 'local' login and one via ssh. Whatever a user is allowed to
> do or access should not depend on how he/she logs in, but only on his/her
> unix login and group membership. Root can do all he wants, normal users are
> as restricted as possible, and any exceptions to that are configured via
> /etc/sudoers and nothing else. In particular there's no place for polkit
> or anything similar here.
> I'd want things to be configured that way 'once and for all', meaning that
> a) I'm not really looking forward to having to do this for each and every
> device or command, and b) that a routine system update (a frequent enough
> event on an Arch system) must not be able to modify this policy.
> From reading the available docs I'm not convinced this will be possible, in
> particular since the docs concerning logind are rather incomplete (where
> are those ACLs defined, for example). And 'ping Lennart if you need more info'
> suggested, is not really a sustainable solution IMHO.
> So my question is: a) is it possible to configure a system as I want it,
> and b) if yes, how?
Well, you can disable the registering of systemd-logind sessions by
deleting the lines with "pam_systemd.so" from the files /etc/pam.d/*. Not
sure if that will be enough, or even wise.
And now that you are into it, you could delete also the
"pam_ck_connector.so" lines and see if it makes a difference.
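
The edit suggested in the reply above, sketched as a shell script (an added example, not part of the original message): `pam_audit` lists the active lines that load either module, and `pam_disable` comments them out after copying each affected file to a backup directory. The function names and the backup directory are assumptions; running `pam_audit` again after a system update shows whether the lines have come back.

```shell
#!/bin/sh
# Added example: audit or comment out the PAM lines named in the message above.
# Matches an active (not commented) line that loads either module, including
# lines written with the leading "-" form such as "-session optional ...".
PAM_ACTIVE="^[[:space:]]*[^#[:space:]].*(pam_systemd\.so|pam_ck_connector\.so)"

# pam_audit DIR
# Print file:line:text for every active line loading one of the modules.
# Prints nothing (and still succeeds) when no such line exists.
pam_audit() {
    grep -EHn "$PAM_ACTIVE" "$1"/* 2>/dev/null || true
}

# pam_disable DIR BACKUPDIR
# Comment out the matching lines in every file under DIR. Each file that is
# changed is first copied to BACKUPDIR, which is kept outside DIR so that
# pam_audit does not report the backups as active configuration.
pam_disable() {
    dir=$1
    backup=$2
    mkdir -p "$backup" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$PAM_ACTIVE" "$f" || continue
        cp -p "$f" "$backup/" || return 1
        tmp=$(mktemp) || return 1
        # Prefix the line with "# " instead of deleting it, so the change is
        # visible in the file and easy to revert. Writing back with cat keeps
        # the owner and mode of the original file.
        sed -E "s/$PAM_ACTIVE/# &/" "$f" > "$tmp" && cat "$tmp" > "$f"
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    done
}

# Usage, as root (the backup path is an example, not a standard location):
#   pam_audit   /etc/pam.d
#   pam_disable /etc/pam.d /root/pam.d-backup
```

Keep a root shell open while testing a new login, since a broken file under /etc/pam.d can prevent authentication.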