Since systemd version 207, a PAM file "/etc/pam.d/systemd-user" is included by systemd upstream. This is used and needed by the user@.service unit. (Note: in prior systemd versions this was called systemd-shared, and was missing entirely in Gentoo.)

According to http://cgit.freedesktop.org/systemd/systemd/commit/?id=5c390a4ae0d383b2003074ed011d47876c7e630c they chose to include /etc/pam.d/system-auth in /etc/pam.d/systemd-user since it seems to be the more popular on most distributions.

Problem is: In Fedora system-auth includes "session pam_systemd.so", but in Gentoo this is not in systemd-auth, but in system-login which wraps pam_systemd.so.

Problem is: Without pam_systemd in the PAM session phase, required environment variables ($XDG_RUNTIME_DIR) for user@.service will be missing. Without XDG_RUNTIME_DIR, "systemd --user" fails to acquire a private bus connection. systemctl --user won't work, and all %t in unit files are expanded as /run instead of /run/user/$UID, which is not writable by users, so creating files there will fail.

A simple patch like this will help us:

diff --git a/src/login/systemd-user b/src/login/systemd-user index 7b57dbf..cdddcf8 100644 --- a/src/login/systemd-user +++ b/src/login/systemd-user @@ -4,5 +4,6 @@ account include system-auth session include system-auth +session optional pam_systemd.so auth required pam_deny.so password required pam_deny.so

Reproducible: Always

Steps to Reproduce:
1. Log in as any user
2. Run "systemctl --user" (This has to work since user@$UID.service is autospawned since systemd 207)

Actual Results:
Failed to issue method call: Process /bin/false exited with status 1

Expected Results:
List of active loaded units.
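Review bot: in the systemd-user hunk, the new "session optional pam_systemd.so" line follows "session include system-auth", and the report itself says Fedora's system-auth already includes pam_systemd.so, so an upstream copy of this file would list the module twice in the session stack there. Consider carrying the change as a distribution-specific patch, or fixing the included file instead, and add a comment above the new line saying that pam_systemd is what provides $XDG_RUNTIME_DIR for user@.service.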
Hmm. Are you sure that's correct? See this link:
https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pambase&id=03746a9aad67c62d396dd9528ef40d14de28c844

I suspect we need the same patch for our pambase (since ArchLinux's pambase is based on our pambase but it has changed since initial forking).
I'm not sure how you come to the conclusion that it could be incorrect from that patch. I think the pam_env move in ArchLinux's pambase has no direct relationship with this bug.

I'm still sure it's correct that pam_systemd is needed in /etc/pam.d/systemd-user. (How it's included there is another question - directly, or via another file.) Since we need $XDG_RUNTIME_DIR, which is provided by pam_systemd.

BTW, off-topic: I also think that ArchLinux patch would be useful for Gentoo users, to be able to use $XDG_RUNTIME_DIR (which is set by pam_systemd) in /etc/security/pam_env.conf.
Any news? Shouldn't this bug block stabilization of systemd-208?
I agree with Benjamin; we either need to add pam_systemd.so to /etc/pam.d/systemd-user or /etc/pam.d/system-auth. I have tested both, and they both allow systemctl --user to function on my system.
@PAM, have any preference in this?
(In reply to Mike Gilbert from comment #4)
> I agree with Benjamin; we either need to add pam_systemd.so to
> /etc/pam.d/systemd-user or /etc/pam.d/system-auth.

It would be better to move pam_systemd.so from system-login to system-auth, because system-login includes system-auth:

$ egrep -A1 'session.*system-auth' /etc/pam.d/system-login
session include system-auth
-session optional pam_systemd.so

$ qlist -ICv pambase
sys-auth/pambase-20120417-r2
(In reply to Michał Górny from comment #5)
> @PAM, have any preference in this?

Looks like they don't have any. What does the systemd team think? (I don't have any strong preference.)
I prefer the system-auth approach.
+*pambase-20120417-r3 (27 Oct 2013) + + 27 Oct 2013; Pacho Ramos <pacho@gentoo.org> + +files/pambase-20120417-systemd-auth.patch, +pambase-20120417-r3.ebuild: + Load pam_systemd from system-auth instead of system-login, bug #485470 by + Benjamin Franzke +
This is what ArchLinux's systemd-user looks like:

#%PAM-1.0
# Used by systemd when launching systemd user instances.
account include system-login
session include system-login
auth required pam_deny.so
password required pam_deny.so

I believe pam_systemd.so will have a problem when the patch from bug 504492 is merged into our pambase, and we should in fact move pam_systemd.so back to system-login, and fix the systemd-user file to use 'system-login' instead of 'system-auth'.

Reopen
(In reply to Samuli Suominen from comment #10)

Should pam_systemd.so come before or after "include system-auth" in the system-login file?
Also, can you elaborate on what problem you think that patch moving pam_env around will cause?
1) move it just before pam_env, second last line, like it's in 'Arch' too: https://projects.archlinux.org/svntogit/packages.git/tree/trunk/system-login?h=packages/pambase
2) fix systemd-user to use 'system-login' instead of 'system-auth'

The PAM module just belongs in system-login just like pam_ck_connector.so. I'm not aware of a general requirement for pam_systemd.so, as if you move it to system-auth, you cause *multiple* different per-package PAM files to include it:

ssuominen@null ~ $ grep system-auth /etc/pam.d/*|wc -l
76
ssuominen@null ~ $ grep system-login /etc/pam.d/*|wc -l
8

Plus I suspect possible PAM env problems if we are to fix bug 451956 ever, with $XDG_VTNR being involved...
Add these lines to src_prepare() of systemd's ebuild:

# Gentoo's pambase has system-login where pam_systemd.so is included #485470
sed -i -e 's:system-auth:system-login:' src/login/systemd-user || die
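To see what the system-auth to system-login switch changes in the session stack that systemd-user resolves to, the following added example (not part of the bug report, nor code from Gentoo or systemd) follows the include lines through a set of PAM files. The file contents are constructed to match the layout described in this thread, the helper names session_modules and use_system_login are hypothetical, and Debian-style @include lines are not handled.

```python
import re

# Constructed PAM files modelling the Gentoo layout described in this thread
# (pam_systemd.so only in system-login); not copied from a real pambase release.
GENTOO = {
    "systemd-user": "#%PAM-1.0\n"
                    "account include system-auth\n"
                    "session include system-auth\n"
                    "auth required pam_deny.so\n"
                    "password required pam_deny.so\n",
    "system-auth": "session required pam_limits.so\n"
                   "session required pam_unix.so\n",
    "system-login": "session include system-auth\n"
                    "-session optional pam_systemd.so\n"
                    "session required pam_env.so\n",
}

# type, control (simple word or [bracketed] form), module or included file
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_modules(files, name, seen=()):
    """Resolve the session stack of `name`, following include/substack lines."""
    if name in seen or name not in files:   # guard against include loops
        return []
    modules = []
    for raw in files[name].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += session_modules(files, target, seen + (name,))
        else:
            modules.append(target)
    return modules

def use_system_login(files):
    """Mirror the sed substitution from the comment above on a copy of the files."""
    fixed = dict(files)
    fixed["systemd-user"] = "\n".join(
        line.replace("system-auth", "system-login", 1)
        for line in files["systemd-user"].splitlines()) + "\n"
    return fixed

if __name__ == "__main__":
    for label, fs in (("before", GENTOO), ("after", use_system_login(GENTOO))):
        stack = session_modules(fs, "systemd-user")
        print(label, "pam_systemd.so" in stack, stack)
```

The same resolver can be pointed at the real files by reading each name under /etc/pam.d into the dictionary, which shows whether pam_systemd.so is reached from systemd-user on a given system.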
Can we upstream this? Or is system-login Gentoo-specific?
(In reply to Michał Górny from comment #15)
> Can we upstream this? Or is system-login Gentoo-specific?

I'm sure some others use it too, but they don't use the same structure as our pambase, so it means a different thing in them, so this is Gentoo and ArchLinux specific.

See the latest patch in bug 504492, comment #3; after that gets in, the change would be necessary.