diff options
| author |   José Bollo <jose.bollo@iot.bzh> | 2018-02-28 20:07:23 +0100 |
|---|---|---|
| committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-28 20:10:46 +0100 |
| commit | ae33f9100e3b67a8ce07e5ad8b1f0ee73867df6a (patch) | |
| tree | 9180f8dbd75ff481dae22f5944455f9b6218a0e1 /conf/README.md | |
| parent | a44174a09215e7b4dd56084662cc2a068404ffea (diff) | |
Refactor user session management
Change-Id: Ib6ba886df110d8a23e3760e1818263ec757b9c7c
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'conf/README.md')
| -rw-r--r-- | conf/README.md | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/conf/README.md b/conf/README.md new file mode 100644 index 0000000..e983328 --- /dev/null +++ b/conf/README.md @@ -0,0 +1,47 @@ +Configuration of af-main using systemd +====================================== + +Mechanism to start user sessions +-------------------------------- + +The mechanism to start a session for the user of **UID** is +to start the service **afm-user-session@UID.service**. + +This has the effect of starting a session. + +To achieve that goal the first is to start the user session. +This is done using the 2 systemd directives [1]: + + User=%i + PAMName=afm-user-session + +The first tells what is the user. %i is replaced by the parameter +of the service: UID. So the user is referenced here by its number. + +For this user, the PAM script **afm-user-session** is evaluated. +It is implmented by the file */etc/pam.d/afm-user-session*. +That script MUST refer to *pam_systemd.so* for opening the session +with systemd. It often takes the form of a line of the form: + + session optional pam_systemd.so + +that is directly or indirectly (through includes) activated by +**afm-user-session**. [2] [3] + +The effect of starting a systemd user session is to start the +user services and the most important one: dbus. + +When the user session is started, the service +**afm-user-session@UID.service** enters its second phase: +activation of the user session for the framework. + +This is achieved by activating the target **afm-user-session@.target**. +But activating a *system* unit from a *user* session is a +thing that has to be safe. This is done by the program +**afm-user-session**. This program runs as rot (with the set-uid) +and simply execute *systemctl --wait start afm-user-session@UID.target*. +Where *UID* is the user id of the calling process. + +[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html +[2] https://www.freedesktop.org/software/systemd/man/pam_systemd.html +[3] https://linux.die.net/man/5/pam.conf |