From bf1b9ae487b65b1cb1639b222724fab95e508cf5 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 17 Feb 2023 22:49:16 +0100 Subject: pam_systemd: process the two new capabilities user records fields in pam_systemd And also: by default, for the systemd-user service and for local sessions (i.e. those assigned to a seat): let's imply CAP_WAKE_SYSTEM for them by default. Yes, let's pass one specific capability by default to local unprivileged users. The capability services exactly once purpose: to allow system wake-up from suspend via alarm clocks, hence is relatively limited in focus. By adding this tools such as GNOME's Alarm Clock app can simply allocate a CLOCK_REALTIME_ALARM (or ask systemd --user to do this) timer and it will wake up the system as necessary. Note that systemd --user will not pass the ambient caps on by default, so even with this change, individual services need to use AmbientCapabilities= to pass this on to the individual programs. Fixes: #17564 #21382 --- man/pam_systemd.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'man') diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml index 60b8577822..f2bd3de0b0 100644 --- a/man/pam_systemd.xml +++ b/man/pam_systemd.xml @@ -122,6 +122,22 @@ further details. + + default-capability-bounding-set= + default-capability-ambient-set= + + Takes a comma-separated list of process capabilities + (e.g. CAP_WAKE_ALARM, CAP_BLOCK_SUSPEND, …) to set for the + invoked session's processes, if the user record does not encode appropriate sets of capabilities + directly. See capabilities7 + for details on the capabilities concept. If not specified, the default bounding set is left as is + (i.e. usually contains the full set of capabilities). The default ambient set is set to + CAP_WAKE_ALARM for regular users if the PAM session is associated with a local + seat or if it is invoked for the systemd-user service. Otherwise defaults to the + empty set. + + debug= -- cgit v1.2.1
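Review bot: the new man page text and the commit message disagree on the capability name: the hunk documents the default ambient set as CAP_WAKE_ALARM, while the commit body says "let's imply CAP_WAKE_SYSTEM", which is not a Linux capability name; the commit text should be aligned with the documented CAP_WAKE_ALARM before merging. The hunk should also spell out how an operator disables the default, i.e. whether `default-capability-ambient-set=` with an empty value yields the empty set, since "Otherwise defaults to the empty set" only covers the non-local, non-systemd-user case. Finally, because an ambient capability can only be held if it is also in the bounding set, the text should note that passing a `default-capability-bounding-set=` that omits CAP_WAKE_ALARM makes the documented ambient default unreachable rather than silently keeping it.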
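The commit message explains that pam_systemd will hand local sessions and the systemd-user service an ambient CAP_WAKE_ALARM by default, and that individual user services still need AmbientCapabilities= to receive it. An operator auditing a host wants a quick way to verify what a session process actually ended up with. The following is an added example, not systemd's own code or anything from this commit: it parses the CapBnd/CapAmb hex masks from a /proc/<pid>/status text and reports whether CAP_WAKE_ALARM is ambient and whether the bounding set even allows it. The capability bit numbers are the Linux ones from linux/capability.h; the sample status text is constructed for offline use.

```python
"""Verify the ambient/bounding capability sets of a session process.

Added example (not systemd code). Parses /proc/<pid>/status capability masks
and checks for the CAP_WAKE_ALARM default that pam_systemd documents.
"""
import re

# Linux capability bit numbers (from linux/capability.h).
CAP_NUMBERS = {
    "CAP_SYS_ADMIN": 21,
    "CAP_WAKE_ALARM": 35,
    "CAP_BLOCK_SUSPEND": 36,
}


def parse_cap_masks(status_text: str) -> dict:
    """Return {'CapInh': int, 'CapPrm': int, 'CapBnd': int, 'CapAmb': int, ...}
    from the text of /proc/<pid>/status. Non-capability lines are ignored."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def has_cap(mask: int, name: str) -> bool:
    """True if the capability bit for `name` is set in `mask`."""
    return bool((mask >> CAP_NUMBERS[name]) & 1)


def check_session_caps(status_text: str) -> dict:
    """Report whether CAP_WAKE_ALARM is ambient, whether the bounding set permits
    it at all, and which of the known capabilities are ambient."""
    masks = parse_cap_masks(status_text)
    amb = masks.get("CapAmb", 0)
    bnd = masks.get("CapBnd", 0)
    return {
        "wake_alarm_ambient": has_cap(amb, "CAP_WAKE_ALARM"),
        # An ambient capability cannot exist if the bounding set excludes it,
        # so a bounding set without CAP_WAKE_ALARM makes the default unreachable.
        "wake_alarm_in_bounding": has_cap(bnd, "CAP_WAKE_ALARM"),
        "ambient_names": sorted(n for n in CAP_NUMBERS if has_cap(amb, n)),
    }


def check_live(pid: str = "self") -> dict:
    """Run the check against a real process on a Linux host."""
    with open(f"/proc/{pid}/status", encoding="ascii") as f:
        return check_session_caps(f.read())


# Constructed sample: full bounding set (bits 0..40) and an ambient set
# holding exactly CAP_WAKE_ALARM (bit 35 -> 0x800000000), as a local
# session would look after this change.
SAMPLE_LOCAL_SESSION = """Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000800000000
CapEff:\t0000000800000000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000800000000
"""

# Constructed sample: an operator configured a bounding set that drops
# CAP_WAKE_ALARM (bit 35 cleared), so nothing can be ambient.
SAMPLE_RESTRICTED = """Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t000001f7ffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("local session:", check_session_caps(SAMPLE_LOCAL_SESSION))
    print("restricted:   ", check_session_caps(SAMPLE_RESTRICTED))
```

Running `check_live()` on a Linux host inside a graphical login, and again inside a `systemd --user` service, shows directly whether the default described in the commit reached the process and whether the unit's AmbientCapabilities= is still needed.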