diff options
| author | Lennart Poettering <lennart@poettering.net> | 2023-02-17 22:49:16 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2023-02-28 21:42:29 +0100 |
| commit | bf1b9ae487b65b1cb1639b222724fab95e508cf5 (patch) | |
| tree | 0672ac19ebde02266115215d6e44f435041381a4 /man | |
| parent | fada2c75a4ced4f8275a57ec2227389c070238f2 (diff) | |
| download | systemd-bf1b9ae487b65b1cb1639b222724fab95e508cf5.tar.gz | |
pam_systemd: process the two new capabilities user records fields in pam_systemd
And also: by default, for the systemd-user service and for local
sessions (i.e. those assigned to a seat): let's imply CAP_WAKE_SYSTEM
for them by default. Yes, let's pass one specific capability by default to local
unprivileged users.
The capability services exactly once purpose: to allow system wake-up
from suspend via alarm clocks, hence is relatively limited in focus. By
adding this tools such as GNOME's Alarm Clock app can simply allocate a
CLOCK_REALTIME_ALARM (or ask systemd --user to do this) timer and it
will wake up the system as necessary.
Note that systemd --user will not pass the ambient caps on by default,
so even with this change, individual services need to use
AmbientCapabilities= to pass this on to the individual programs.
Fixes: #17564 #21382
Diffstat (limited to 'man')
| -rw-r--r-- | man/pam_systemd.xml | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index 60b8577822..f2bd3de0b0 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -123,6 +123,22 @@ </varlistentry> <varlistentry> + <term><varname>default-capability-bounding-set=</varname></term> + <term><varname>default-capability-ambient-set=</varname></term> + + <listitem><para>Takes a comma-separated list of process capabilities + (e.g. <constant>CAP_WAKE_ALARM</constant>, <constant>CAP_BLOCK_SUSPEND</constant>, …) to set for the + invoked session's processes, if the user record does not encode appropriate sets of capabilities + directly. See <citerefentry + project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details on the capabilities concept. If not specified, the default bounding set is left as is + (i.e. usually contains the full set of capabilities). The default ambient set is set to + <constant>CAP_WAKE_ALARM</constant> for regular users if the PAM session is associated with a local + seat or if it is invoked for the <literal>systemd-user</literal> service. Otherwise defaults to the + empty set.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>debug</varname><optional>=</optional></term> <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log |