Sam,

Thanks for this, very helpful.

I have again tested both approaches and they both work and I can find no breakage.

On Tue, Oct 11, 2022 at 03:30:12PM -0600, Sam Hartman wrote:
> I think we want something there that allows people to get third-party
> packages into the pam config.
> If common-session isn't going to be good enough, then I guess we'd need
> to create something on the PAM side.
> But let's explore whether common-session is good enough, because it does
> look like other display managers have similar architecture and manage to
> use common-session.

Testing with @include common-session:

test@debian-sid:~$ ps -Alf|grep lightdm
4 S root 23261 1 0 80 0 - 58787 - 11:04 ? 00:00:00 /usr/sbin/lightdm
4 S root 23266 23261 2 80 0 - 80210 - 11:04 tty7 00:00:25 /usr/lib/xorg/Xorg :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
4 S root 23327 23261 0 80 0 - 40649 - 11:05 ? 00:00:01 lightdm --session-child 15 26
0 S test 23435 23432 0 80 0 - 1627 - 11:18 pts/1 00:00:00 grep lightdm

> Here are my thoughts on testing common-session in the greeter config:
>
> * Take a look at how things appear in logind--does the greeter appear as
> a session? If so does anything break because of that? (With Gnome,
> the greeter does not appear to appear in loginctl list-sessions)

Neither for lightdm-greeter:

test@debian-sid:~$ loginctl list-sessions
SESSION  UID USER SEAT  TTY
      1 1000 test seat0 tty1
      7 1000 test seat0

2 sessions listed.

> * What selinux context do things appear in. This only matters if
> selinux is already in your testing structure

I am not sure I have quite understood this. Which testing structure are you referring to here? SELinux is not in /etc/pam.d/lightdm-greeter, only /etc/pam.d/lightdm and /etc/pam.d/lightdm-autologin.

> * Does the structure of keyrings look like you expect.
>
> * Do you end up with a systemd for the greeter user (assuming you are
> using systemd). If so, do you want one?

No

test@debian-sid:~$ ps -Alf | grep systemd
4 S root 1 0 0 80 0 - 42151 - 09:19 ? 00:01:04 /lib/systemd/systemd --system --deserialize 37
4 S message+ 342 1 0 80 0 - 2309 - 09:19 ? 00:00:09 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
4 S root 345 1 0 80 0 - 3598 - 09:19 ? 00:00:05 /lib/systemd/systemd-logind
4 S test 437 1 0 80 0 - 3906 - 09:30 ? 00:00:08 /lib/systemd/systemd --user
4 S root 6919 1 0 80 0 - 12319 - 09:43 ? 00:00:16 /lib/systemd/systemd-journald
4 S systemd+ 11560 1 0 80 0 - 22504 - 10:05 ? 00:00:02 /lib/systemd/systemd-timesyncd
4 S root 11591 1 0 80 0 - 6236 - 10:05 ? 00:00:06 /lib/systemd/systemd-udevd
0 S test 23149 437 0 80 0 - 2278 - 10:54 ? 00:00:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
0 S test 23439 23432 0 80 0 - 1627 - 11:18 pts/1 00:00:00 grep systemd

> My suspicion is that since this appears to be working for other display
> managers, it's all fine.

It seems that way to me as well.

> But those are the areas where trouble is most likely to show up.

Thanks

Best wishes
Mark