On Fri, Jun 03, 2016 at 11:28:42AM +0300, Oron Peled wrote:
> On Thursday 02 June 2016 14:38:38 Matthias Clasen wrote:
> > I think the discussion is starting to go in circles. It is pretty clear
> > that we have different opinions about the desired behavior of logout.
>
> I'll take this as an opportunity to raise a separate issue.
> The current implementation has only 2 levels of control: global and individual
> (lingering).
> For non-tiny organizations this isn't good enough:
> * I would expect that root may set lingering for *groups* as well.

That's not a bad idea. You might want to file an RFE at
https://github.com/systemd/systemd/issues/new to move this forward.

> * Otherwise, administrators need to set policy per-individual and we are back
>   to square one (killing individual user processes).
> * Then we can have better default policy (e.g: members of groups wheel
>   and staff have "lingering" on).
> * Example: something similar to access.conf(5) (but "<foo>.d/*.conf" not
>   a monolithic file).

logind reads configuration snippets from /usr/lib/systemd/logind.conf.d/
and /etc/systemd/logind.conf.d/. It should be just a matter of extending
the configuration directive parsing to support groups and whatnot.

> * The design should assume that in the future, large organizations would
>   expect it in their directory service.
>   (e.g: like sudoers can now be integrated in IPA).

I think polkit should have no issue with talking to IPA, so 'loginctl
enable-linger' should support such policies already. If logind gained
understanding of groups, this should work automatically too: it would
use getpwent or similar call, which would query either the local
database or the directory service, depending on local configuration.
Zbyszek
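
The group-aware lingering check discussed in this thread, sketched as an added example (not code from the thread or from systemd). The `linger_groups` set is a hypothetical policy input, and the lookups use `getpwnam`/`getgrouplist` so that group membership is resolved through NSS, whether it comes from local files or a directory service.

```python
import grp
import os
import pwd

# loginctl enable-linger records the per-user flag as a file in this directory.
LINGER_DIR = "/var/lib/systemd/linger"


def user_groups(user, getpw=pwd.getpwnam, getgroups=os.getgrouplist,
                getgr=grp.getgrgid):
    """Names of all groups (primary and supplementary) of `user`.

    The defaults go through NSS, so the answer comes from /etc/group or a
    directory service, depending on nsswitch.conf. Raises KeyError if the
    user is unknown.
    """
    pw = getpw(user)
    names = set()
    for gid in getgroups(pw.pw_name, pw.pw_gid):
        try:
            names.add(getgr(gid).gr_name)
        except KeyError:
            continue  # gid without a name entry: cannot match a policy group
    return names


def linger_reason(user, linger_groups, linger_dir=LINGER_DIR, **nss):
    """Why `user` may linger: "individual", "group:<name>", or None.

    `linger_groups` is a hypothetical admin-supplied set of group names;
    it is an assumption of this example, not an existing logind setting.
    """
    # Reject names that could escape linger_dir before touching the filesystem.
    if not user or "/" in user or user in (".", ".."):
        return None
    if os.path.exists(os.path.join(linger_dir, user)):
        return "individual"
    try:
        matched = sorted(user_groups(user, **nss) & set(linger_groups))
    except KeyError:
        return None  # unknown user: fail closed
    return f"group:{matched[0]}" if matched else None


if __name__ == "__main__":
    import getpass
    print(linger_reason(getpass.getuser(), {"wheel", "staff"}))
```

Resolving groups per user at decision time, rather than enumerating all members of a group, also covers users whose matching group is their primary group and directory services that do not allow enumeration.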