Bug#868359: marked as done (libpam-systemd should maybe not fire on non-login users)

2017-07-14 Thread Debian Bug Tracking System
Your message dated Fri, 14 Jul 2017 17:00:25 -0500
with message-id <20170714220025.uz3xspc6f6slnrmr@geta>
and subject line Re: Bug#868359: libpam-systemd should maybe not fire on 
non-login users
has caused the Debian Bug report #868359,
regarding libpam-systemd should maybe not fire on non-login users
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868359
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-systemd
Version: 232-25
Severity: minor

It seems reasonable that non-login users should not have per-user
sessions by default. Using pam_succeed_if to skip creation for users
with /bin/false or /usr/sbin/nologin shells seems reasonable.

IE, the following (currently untested):

Name: Register user sessions in the systemd control group hierarchy
Default: yes
Priority: 0
Session-Interactive-Only: yes
Session-Type: Additional
Session:
[success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
[success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
optional pam_systemd.so


Alternatively, documenting this workaround in README.Debian might be
good enough.

-- 
Don Armstrong  https://www.donarmstrong.com

Love is... a complex sequence of neurochemical reactions that makes
people behave like idiots. It's similar to intoxication, but the
hangover's even worse.
 -- J. Jacques _Questionable Content_ #1039
http://www.questionablecontent.net/view.php?comic=1039
--- End Message ---
--- Begin Message ---
On Fri, 14 Jul 2017, Michael Biebl wrote:
> On 14.07.2017 at 23:04, Don Armstrong wrote:
> > Name: Register user sessions in the systemd control group hierarchy
> > Default: yes
> > Priority: 0
> > Session-Interactive-Only: yes
> 
> This was supposed to ensure that pam_systemd is only included for
> interactive sessions.
> Wouldn't it be better if non-login users use
> /etc/pam.d/common-session-noninteractive?

> Where exactly did you see pam_systemd used where it shouldn't have been?

It showed up in this thread which you've already participated in:
https://lists.debian.org/msgid-search/20170707140310.3vy5aiyan37ex...@bobekpc.i.cz

I personally haven't seen it myself.

Digging deeper, that whole script[1] is terrible, and is using su - instead
of just su.

> > Session-Type: Additional
> > Session:
> > [success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
> > [success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
> > optional pam_systemd.so
> > 
> 
> Didn't know that PAM could do that.
> That's interesting and scary at the same time :-)

Yeah; pam is incredibly configurable... and incredibly easy to get
horribly, horribly wrong.

So yeah; let me just close this bug, and it can live on as a
documentation of a way to disable pam_systemd for particular users if
you need to.

1: http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/mk_postgres;h=1de9b6de2d536b5d254888e6188fa3ec8b64c9bc;hb=HEAD#l90

-- 
Don Armstrong  https://www.donarmstrong.com

We cast this message into the cosmos. [...] We are trying to survive
our time so we may live into yours. We hope some day, having solved
the problems we face, to join a community of Galactic Civilizations.
This record represents our hope and our determination and our goodwill
in a vast and awesome universe.
 -- Jimmy Carter on the Voyager Golden Record
--- End Message ---
___
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
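
The jump logic discussed in the message above, as an added example that is not code from the thread or from the systemd package: a small model of how the success=N controls decide whether pam_systemd is reached, and what happens when the count is off by one. The function names, the ".so" suffix on pam_succeed_if and the restriction to the "=" test are assumptions of this sketch.

```python
import re

# Constructed rendering of the session stack proposed in the bug report.
# Assumption: module names carry the usual ".so" suffix.
STACK = """\
[success=2 default=ignore] pam_succeed_if.so quiet shell = /bin/false
[success=1 default=ignore] pam_succeed_if.so quiet shell = /usr/sbin/nologin
optional pam_systemd.so
"""

RULE = re.compile(r"^(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(stack):
    """Return one (control, module, args) tuple per non-empty rule line."""
    rules = []
    for line in stack.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        control, module, args = RULE.match(line).groups()
        rules.append((control, module, args.split()))
    return rules

def succeed_if(args, user):
    """Evaluate 'FIELD = VALUE'; only string equality is modelled here."""
    field, op, value = [a for a in args if a != "quiet"]
    if op != "=":
        raise ValueError("only '=' is modelled in this sketch")
    return user.get(field) == value

def modules_run(stack, user):
    """Walk the stack, honouring success=N jumps; list the other modules reached."""
    rules, reached, i = parse(stack), [], 0
    while i < len(rules):
        control, module, args = rules[i]
        if module.startswith("pam_succeed_if"):
            jump = re.search(r"success=(\d+)", control)
            if jump and succeed_if(args, user):
                i += int(jump.group(1))  # skip the next N rules
        else:
            reached.append(module)
        i += 1
    return reached

if __name__ == "__main__":
    # Off-by-one variant: the first rule now jumps onto pam_systemd.so.
    miscounted = STACK.replace("success=2", "success=1")
    for shell in ("/bin/bash", "/bin/false", "/usr/sbin/nologin"):
        user = {"shell": shell}
        print(shell, modules_run(STACK, user), modules_run(miscounted, user))
```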

Bug#868359: libpam-systemd should maybe not fire on non-login users

2017-07-14 Thread Michael Biebl
Hi Don

On 14.07.2017 at 23:04, Don Armstrong wrote:
> It seems reasonable that non-login users should not have per-user
> sessions by default. Using pam_succeed_if to skip creation for users
> with /bin/false or /usr/sbin/nologin shells seems reasonable.
> 
> IE, the following (currently untested):
> 
> Name: Register user sessions in the systemd control group hierarchy
> Default: yes
> Priority: 0
> Session-Interactive-Only: yes

This was supposed to ensure that pam_systemd is only included for
interactive sessions.
Wouldn't it be better if non-login users use
/etc/pam.d/common-session-noninteractive?
Where exactly did you see pam_systemd used where it shouldn't have been?

> Session-Type: Additional
> Session:
> [success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
> [success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
> optional pam_systemd.so
> 

Didn't know that PAM could do that.
That's interesting and scary at the same time :-)


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?




Bug#868359: libpam-systemd should maybe not fire on non-login users

2017-07-14 Thread Don Armstrong
Package: libpam-systemd
Version: 232-25
Severity: minor

It seems reasonable that non-login users should not have per-user
sessions by default. Using pam_succeed_if to skip creation for users
with /bin/false or /usr/sbin/nologin shells seems reasonable.

IE, the following (currently untested):

Name: Register user sessions in the systemd control group hierarchy
Default: yes
Priority: 0
Session-Interactive-Only: yes
Session-Type: Additional
Session:
[success=2 default=ignore] pam_succeed_if quiet shell = /bin/false
[success=1 default=ignore] pam_succeed_if quiet shell = /usr/sbin/nologin
optional pam_systemd.so


Alternatively, documenting this workaround in README.Debian might be
good enough.

-- 
Don Armstrong  https://www.donarmstrong.com

Love is... a complex sequence of neurochemical reactions that makes
people behave like idiots. It's similar to intoxication, but the
hangover's even worse.
 -- J. Jacques _Questionable Content_ #1039
http://www.questionablecontent.net/view.php?comic=1039



Bug#868002: udev: README.Debian interface naming improvements

2017-07-14 Thread Christoph Anton Mitterer
On Fri, 2017-07-14 at 08:22 +0200, Martin Pitt wrote:
> Eeek, indeed! Thanks for spotting.

Thanks for improving and your other Debian work :-)


Bug#846377: [systemd] /lib/systemd/systemd --user starts dbus-daemon without AFS token

2017-07-14 Thread Istvan Kuklin
Hello there,



I'm affected by this as well. I've just run into this issue with a testing
virtual machine. It looks to me like it is also the cause of mate-panel
not starting up, along with dconf not being able to create a database in the
case of a user with an AFS home directory. Speaking of it, it does not sound
that good to allow anyone to look up the directory tree of this user because
of that symlink to that service. If it helps, maybe I can keep that VM to
collect some logs, debug things, etc. I'm happy to hear about a better
solution if there will be any :)



István





Bug#868002: udev: README.Debian interface naming improvements

2017-07-14 Thread Martin Pitt
Hello Christoph,

Christoph Anton Mitterer [2017-07-14  4:22 +0200]:
> You used "/etc/systemd/network/dmz.link"
> 
> Wouldn't it be better to use something like 10-dmz.link?

Eeek, indeed! Thanks for spotting.

  https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=a9683ef10ce

Martin
