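#  SPDX-License-Identifier: LGPL-2.1+
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# Unit file for the login manager (systemd-logind).
# One directive per line: a line starting with '#' is a comment in its
# entirety, so directives must never share a line with a comment.
# Repeated Documentation=, Wants=, After= and DeviceAllow= lines accumulate.

[Unit]
Description=Login Service
Documentation=man:systemd-logind.service(8) man:logind.conf(5)
Documentation=https://www.freedesktop.org/wiki/Software/systemd/logind
Documentation=https://www.freedesktop.org/wiki/Software/systemd/multiseat
Wants=user.slice
After=nss-user-lookup.target user.slice

# Ask for the dbus socket.
Wants=dbus.socket
After=dbus.socket

[Service]
BusName=org.freedesktop.login1

# Upper bound on the capabilities the service can ever hold. The set includes
# broad ones (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE), so the file system, device and
# system call restrictions below carry much of the confinement.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE

# Device allow-list: block devices read-only; console, DRM, input, tty and vcs
# character devices read/write.
DeviceAllow=block-* r
DeviceAllow=char-/dev/console rw
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw

# Make sure the DeviceAllow= lines above can work correctly when referencing char-drm
# The leading '-' makes a failing modprobe non-fatal for the unit.
# NOTE(review): ProtectKernelModules=yes is set below and CAP_SYS_MODULE is not
# in the bounding set; confirm the module load succeeds on the target system,
# since a failure here is silently ignored.
ExecStartPre=-/sbin/modprobe -abq drm
ExecStart=/usr/lib/systemd/systemd-logind

# File descriptors the service may hand to the service manager for safekeeping.
FileDescriptorStoreMax=512

# IP-level filtering is left disabled in this copy; the reason is not recorded
# here. RestrictAddressFamilies= below still limits which socket families the
# service can create.
#IPAddressDeny=any

# Process-level hardening.
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes

# File system view: ProtectSystem=strict mounts the hierarchy read-only, and
# ReadWritePaths= re-opens /etc and /run for writing.
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc /run

# Restart immediately on any exit.
Restart=always
RestartSec=0

# Only local (AF_UNIX) and netlink sockets may be created.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# Directories under /run; RuntimeDirectoryPreserve=yes keeps them when the
# service stops or restarts.
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
StateDirectory=systemd/linger

# System call allow-list; calls outside @system-service fail with EPERM
# rather than terminating the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

WatchdogSec=3min

# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
LimitNOFILE=524288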