Re: User authentication service isn't killed fully

On Tue, Dec 28, 2021, 16:39 beroal <me@xxxxxxxxxxxx> wrote:
> I was not aware of `PAMName`. After reading its documentation, it's still not clear to me what it does and how it can be used. What's a PAM session? Do you have any references? Google search wasn't very helpful. AFAIK from the PAM documentation, a session is not an entity; for example, it has no identifier. Is it a session stored in logind?

It's the abstract thing between pam_open_session() and pam_close_session(). Each module has its own definition of what a session really is – pam_systemd makes it an entity that exists within systemd-logind, pam_loginuid makes it an entity that exists within the kernel's audit subsystem, pam_unix just writes "user foo logged in" to the syslog. I guess you could call the entire child process tree (including reparented ones) the session.

What PAMName= does is similar to your program: it initializes PAM with the provided name, skips pam_authenticate but calls pam_acct_mgmt and pam_open_session before starting the program. It's often used for auto-login services.


> I would also like to know how systemd is supposed to handle authentication programs that can start a process for any user, not the one in the systemd unit file. I posted just a minimal example.

It doesn't get involved in those. If your program starts as root and "logs in" arbitrary users (like sshd or getty/login or lightdm), then it doesn't use PAMName= but continues calling PAM directly, like it always has.
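As an added illustration of the PAMName= behaviour described in the reply above (this is not from the thread, and the unit name, user name, PAM service name and ExecStart path are made-up assumptions): a unit that runs a fixed user's program inside a PAM session, together with the PAM service file it names. The second half of the block is the /etc/pam.d/ file in PAM's own syntax, not INI. Because systemd calls pam_acct_mgmt and pam_open_session but never pam_authenticate for such a unit, only the account and session lines of that stack ever run; any auth lines would be dead configuration.

```ini
# /etc/systemd/system/kiosk.service   (hypothetical unit, added example)
[Unit]
Description=Kiosk program for user "kiosk", started inside a PAM session

[Service]
# The user is fixed in the unit; PAMName= does not let the program pick one.
User=kiosk
# Name of the stack under /etc/pam.d/ that systemd runs before ExecStart:
# pam_start("kiosk-session", "kiosk", ...), pam_acct_mgmt(), pam_open_session(),
# no pam_authenticate(); pam_close_session() runs when the unit stops.
PAMName=kiosk-session
ExecStart=/usr/local/bin/kiosk-app

[Install]
WantedBy=multi-user.target

# /etc/pam.d/kiosk-session   (hypothetical PAM stack, added example; PAM syntax)
# No "auth" lines: with PAMName= they would never be consulted.
# account: is the user allowed in at all (expired, locked, ...)?
account  required  pam_unix.so
# session: each module defines its own notion of "the session", as the reply says.
session  required  pam_loginuid.so   # sets /proc/<pid>/loginuid for the audit subsystem
session  optional  pam_systemd.so    # registers a logind session and cgroup
session  required  pam_unix.so       # logs the login/logout to syslog
```

Two things to check after starting such a unit: `loginctl list-sessions` should show a session owned by the fixed user (the pam_systemd part of the session), and `/proc/<main pid>/loginuid` should hold that user's UID (the pam_loginuid part). Note also that systemd keeps a small helper process named "(sd-pam)" alive as a child of the main process for as long as the unit is active, so that it can call pam_close_session once the main process exits; that helper is expected, not a leftover.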
