On 2014-12-28 18:29, Christian Kastner wrote: > Changing systemd-user's PAM config to use common-session-noninteractive > resolves the above issue (and actually another, yet unreported, one in > libpam-mount). > > Please consider including the attached patch against git master if you > think it is safe to do so.
OK, so I found one negative side effect of my proposed change: switching to "common-session-noninteractive" alone causes systemd to log the following message to syslog: Trying to run as a user instance, but $XDG_RUNTIME_DIR is not set. I assume that this is because common-session also includes pam_systemd.so, whereas -noninteractive does not, so switching to the latter drops it from systemd-user's config. I see two possible easy solutions for this: 1. Move pam_systemd.so to -noninteractive, by dropping "Session-Interactive-Only: yes" from systemd's /usr/share/pam-config/systemd. I think this is the worst solution, as this would affect all PAM configurations, not just systemd-user's. 2. Re-add pam_systemd.so to systemd-user's config. The attached, updated patch implements 2. I tested it locally, and all issues raised so far were resolved.
>From cd4c712e383d0c60c0ee593cdbc437392a2fbb02 Mon Sep 17 00:00:00 2001 From: Christian Kastner <c...@kvr.at> Date: Sun, 28 Dec 2014 18:22:22 +0100 Subject: [PATCH] Use common-session-noninteractive in systemd-user's PAM configuration common-session can include PAM modules, for example libpam-mount, which expect to be called in an interactive manner, and cause all sorts of errors otherwise. By switching to common-session-noninteractive, however, we also drop pam_systemd.so, so we add it locally instead. --- .../Adjust-systemd-user-pam-config-file-for-Debian.patch | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch index 78c5e0c..5bd30c4 100644 --- a/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch +++ b/debian/patches/Adjust-systemd-user-pam-config-file-for-Debian.patch @@ -8,17 +8,18 @@ launching systemd user instances. src/login/systemd-user | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/src/login/systemd-user b/src/login/systemd-user -index 7b57dbf..f87d560 100644 ---- a/src/login/systemd-user -+++ b/src/login/systemd-user -@@ -2,7 +2,7 @@ +Index: systemd-215/src/login/systemd-user +=================================================================== +--- systemd-215.orig/src/login/systemd-user ++++ systemd-215/src/login/systemd-user +@@ -2,7 +2,8 @@ # Used by systemd when launching systemd user instances. -account include system-auth -session include system-auth +@include common-account -+@include common-session ++@include common-session-noninteractive auth required pam_deny.so password required pam_deny.so ++session optional pam_systemd.so -- 2.1.4