On Fri, Jun 03, 2016 at 11:28:42AM +0300, Oron Peled wrote: > On Thursday 02 June 2016 14:38:38 Matthias Clasen wrote: > > I think the discussion is starting to go in circles. It is pretty clear > > that we have different opinions about the desired behavior of logout. > > I'll take this as an opportunity to raise a separate issue. > > The current implementation has only 2 levels of control: global and individual (lingering). > For non-tiny organizations this isn't good enough: > * I would expect that root may set lingering for *groups* as well. That's not a bad idea. You might want to file an RFE at https://github.com/systemd/systemd/issues/new to move this forward. > * Otherwise, administrators need to set policy per-individual and we are back > to square one (killing individual user processes). > > * Than we can have better default policy (e.g: members of groups wheel > and staff have "lingering" on). > > * Example: something similar to access.conf(5) (but "<foo>.d/*.conf" not > a monolithic file). logind reads configuration snippets from /usr/lib/systemd/logind.conf.d/ and /etc/systemd/logind.conf.d/. It should be just a matter of extending the configuration directive parsing to support groups and whatnot. > * The design should assume that in the future, large organization would > expect it their directory service. > (e.g: like sudoers can now be integrated in IPA). I think polkit should have no issue with talking to IPA, so 'loginctl enable-linger' should support such policies already. If logind gained understanding of groups, this should work automatically too: it would use getpwent or similar call, which would query either the local database or the directory service, depending on local configuration. Zbyszek -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
