6

Each time you log in as a user, you get a new PAM session. E.g. I believe people have used pam_group to add your session's processes to groups for access to certain devices, if you log on to a local terminal.

pam_systemd starts one systemd --user instance, which is shared between all the user's login sessions. Nowadays, e.g. in Fedora 26, you will see all gnome-terminal processes are actually started by systemd --user. So that's where your terminal commands run. They do not run in the systemd session scopes that are created for each individual login...

How is the single systemd --user instance, and the processes it creates, affected by the PAM sessions?

sourcejedi
  • 50,249
  • For more on the GNOME Terminal side of things, see https://unix.stackexchange.com/questions/201900/ and linked questions+answers. – JdeBP Oct 06 '17 at 12:47

1 Answer

4

pam_systemd is documented as starting systemd --user using user@.service.

user@.service uses PAMName=, so it runs inside a dedicated PAM session. pam_systemd has a special-case for PAMName=systemd-user, so that starting user@.service does not recurse infinitely or deadlock. (Also this process doesn't get put in a new session scope unit).

    $ systemctl cat user@
    # /usr/lib/systemd/system/user@.service

    [Unit]
    Description=User Manager for UID %i
    After=systemd-user-sessions.service

    [Service]
    User=%i
    PAMName=systemd-user
    Type=notify
    ExecStart=-/usr/lib/systemd/systemd --user
    Slice=user-%i.slice
    KillMode=mixed
    Delegate=yes
    TasksMax=infinity
    TimeoutStopSec=120s


pam_systemd does not really work with features tied to the PAM session that vary based on the individual TTY. Instead, logind uses ACLs to grant the logged-in user access to certain devices. As long as the PAM session is open, any process with that UID will be able to access them.

logind also has a DBus interface which allows one process of that user to open certain devices, intended for the display server e.g. X Windows. It has code to handle switching VTs, and multiple "seats" (groups of devices).

sourcejedi
  • 50,249
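The split described in the question and answer above (processes in a per-login session scope versus processes started by the shared `systemd --user` manager under `user@.service`) can be read from a process's systemd cgroup path. This is an added example, not part of the original posts: the function names are hypothetical, and it assumes the usual `/user.slice/user-UID.slice/...` cgroup layout.

```shell
#!/bin/sh
# Added example: tell whether a process lives in a per-login session scope
# (session-N.scope) or under the shared user manager (user@UID.service).
# Function names are hypothetical; the layout /user.slice/user-UID.slice/...
# is assumed.

# Read the contents of /proc/PID/cgroup on stdin and print the systemd path.
# Handles the cgroup v2 line ("0::/path") and the v1 "name=systemd" line.
systemd_cgroup_from() {
    while IFS= read -r line; do
        case $line in
            0::*)             echo "${line#0::}"; return 0 ;;
            *:name=systemd:*) echo "${line#*:name=systemd:}"; return 0 ;;
        esac
    done
    return 1
}

# Classify one cgroup path.
classify_cgroup() {
    path=$1
    uid=${path#/user.slice/user-}
    uid=${uid%%.slice*}
    case $path in
        /user.slice/user-*.slice/session-*.scope*)
            sid=${path#*/session-}
            sid=${sid%%.scope*}
            echo "login-session uid=$uid session=$sid" ;;
        /user.slice/user-*.slice/user@*.service*)
            # Started by systemd --user, so inside the systemd-user PAM
            # session, not the scope of any individual login.
            echo "user-manager uid=$uid unit=${path##*/}" ;;
        *)
            echo "other" ;;
    esac
}

# Classify a live process by PID.
classify_pid() {
    cg=$(systemd_cgroup_from < "/proc/$1/cgroup") || return 1
    classify_cgroup "$cg"
}

# Usage: ./classify.sh PID...   (does nothing when no PIDs are given)
for pid in "$@"; do
    printf '%s: %s\n' "$pid" "$(classify_pid "$pid")"
done
```

Run against the PID of a shell inside gnome-terminal and the PID of a shell on a text console or SSH login to compare the two cases.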