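# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# Service unit for systemd-logind. The {{NAME}} tokens are template
# placeholders, presumably substituted at build time; their values are not
# shown in this file. Once installed, the effective sandbox can be audited
# with "systemd-analyze security systemd-logind.service".

[Unit]
Description=User Login Management
Documentation=man:sd-login(3)
Documentation=man:systemd-logind.service(8)
Documentation=man:logind.conf(5)
Documentation=man:org.freedesktop.login1(5)

# DRM module loading is pulled in through a separate unit; presumably needed
# because ProtectKernelModules=yes below denies module loading to this service.
Wants=user.slice modprobe@drm.service
After=nss-user-lookup.target user.slice modprobe@drm.service

# Ask for the dbus socket.
Wants=dbus.socket
After=dbus.socket

[Service]
BusName=org.freedesktop.login1
# Capabilities outside this set can never be acquired by the service. The set
# still contains CAP_SYS_ADMIN and CAP_DAC_OVERRIDE, so the filesystem, device
# and syscall restrictions below carry most of the confinement.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
# Device allow-list: with DeviceAllow= set and no DevicePolicy= given, only
# the listed device nodes (plus the standard pseudo devices) are accessible.
# Block devices are read-only; console, DRM, input, tty and vcs are read-write.
DeviceAllow=block-* r
DeviceAllow=char-/dev/console rw
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
ExecStart={{ROOTLIBEXECDIR}}/systemd-logind
# Up to 512 file descriptors may be handed to the service manager for
# safekeeping, so they survive the restarts configured by Restart=always.
FileDescriptorStoreMax=512
# No IP traffic in either direction; see also RestrictAddressFamilies= below.
IPAddressDeny=any
# Pin the execution domain, forbid memory mappings that are both writable and
# executable, and prevent gaining privileges through execve() (setuid
# binaries, file capabilities).
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
# Private /tmp and /var/tmp, not shared with other processes.
PrivateTmp=yes
# We don't use ProtectProc= since we need to look for usernames and tty for wall messages
ProtectClock=yes
ProtectControlGroups=yes
# /home, /root and /run/user are inaccessible to the service.
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
# The file system hierarchy is mounted read-only for this service, apart from
# /dev, /proc, /sys and the paths re-opened in ReadWritePaths=.
# NOTE(review): all of /etc and /run are writable here; the reason is not
# stated in this file, so check the service's needs before narrowing it.
ProtectSystem=strict
ReadWritePaths=/etc /run
# Restart immediately on any exit.
Restart=always
RestartSec=0
# socket() is limited to local (AF_UNIX) and netlink sockets.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Directories below /run, kept across stops and restarts because of
# RuntimeDirectoryPreserve=yes.
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
# Directory below /var/lib; remains writable despite ProtectSystem=strict.
StateDirectory=systemd/linger
# Seccomp allow-list: native-ABI system calls from the @system-service group
# only. A filtered call fails with EPERM instead of terminating the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
# Template placeholder; by its name it expands to the watchdog setting.
{{SERVICE_WATCHDOG}}

# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}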