On Sat, Sep 29, 2012 at 9:52 PM, Fons Adriaensen <fons@xxxxxxxxxxxxxx> wrote:

> Hello all,
>
> During the past days I've been reading the systemd manpages, and I'm
> more or less prepared to reconfigure one of the systems I manage to use
> systemd. The main thing that scares me off is the 'consolekit style'
> login management of systemd's logind. In particular the following
> (from <http://www.freedesktop.org/wiki/Software/systemd/multiseat>):
>
> * A session is defined by the time a user is logged in until he logs
> * out. A session is bound to one or no seats (the latter for 'virtual'
> * ssh logins).
>
> and
>
> * Note that logind manages ACLs on a number of device classes, to allow
> * user code to access the device nodes attached to a seat as long as the
> * user has an active session on it.
>
> In the context I'm working in the whole 'seat' and 'session' thing, as
> far as I can understand it, doesn't make much sense.
>
> An absolute requirement for the system I'd want to test systemd on (and
> for many others I manage) is that there should be *no* difference at all
> between a 'local' login and one via ssh. Whatever a user is allowed to
> do or access should not depend on how he/she logs in, but only on his/her
> unix login and group membership. Root can do all he wants, normal users are
> as restricted as possible, and any exceptions to that are configured via
> /etc/sudoers and nothing else. In particular there's no place for polkit
> or anything similar here.
>
> I'd want things to be configured that way 'once and for all', meaning that
> a) I'm not really looking forward to having to do this for each and every
> device or command, and b) that a routine system update (a frequent enough
> event on an Arch system) must not be able to modify this policy.
>
> From reading the available docs I'm not convinced this will be possible, in
> particular since the docs concerning logind are rather incomplete (where are
> those ACLs defined for example). And 'ping Lennart if you need more info' as
> suggested, is not really a sustainable solution IMHO.
>
> So my question is: a) is it possible to configure a system as I want it,
> and b) if yes, how ?

Well, you can disable the registering of systemd-logind sessions by deleting
the lines with "pam_systemd.so" from the files /etc/pam.d/*. Not sure if that
will be enough, or even wise. And now that you are into it, you could also
delete the "pam_ck_connector.so" lines and see if it makes a difference.

HTH

--
Rodrigo
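
Before deleting anything, it helps to know which PAM service files actually load the two modules named in the reply above. The following read-only check is an added example, not part of the original thread; the function name `pam_tracker_refs` is hypothetical, and it assumes the usual pam.d rule layout (type, control, module path, arguments).

```shell
#!/bin/sh
# Added example: list every active (non-comment) PAM rule that loads
# pam_systemd.so or pam_ck_connector.so. Nothing is modified.
# Output format: file:first-line-of-rule:type:module
# Usage: pam_tracker_refs /etc/pam.d

pam_tracker_refs() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Remember where a rule starts; PAM joins lines ending in "\".
            !cont { start = NR; buf = "" }
            /\\$/ { sub(/\\$/, " "); buf = buf $0; cont = 1; next }
            {
                rule = buf $0; cont = 0
                sub(/#.*/, "", rule)              # drop comments
                n = split(rule, fld)              # whitespace-separated fields
                if (n < 3) next                   # blank line or @include
                type = fld[1]; sub(/^-/, "", type)  # "-session" == "session"
                # The control may be one word ("optional") or a bracketed
                # list such as [success=1 default=ignore].
                i = 2
                if (fld[i] ~ /^\[/)
                    while (fld[i] !~ /\]$/ && i < n) i++
                mod = fld[i + 1]
                sub(/.*\//, "", mod)              # absolute path -> basename
                if (mod == "pam_systemd.so" || mod == "pam_ck_connector.so")
                    printf "%s:%d:%s:%s\n", file, start, type, mod
            }
        ' "$f"
    done
}
```

Rules pulled in through `include` or `substack` controls are reported under the file that contains them, so a service such as sshd may be affected by a hit in a shared file even when its own file shows none.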