Merge d4f1b642c2 into c946b13575

The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.

hwdb.d/60-keyboard.hwdb

@@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
  KEYBOARD_KEY_c01b6=images                              # My Pictures (F11)
  KEYBOARD_KEY_c01b7=audio                               # My Music (F12)
 
+# Logitech MX Keys for Mac
+evdev:input:b0003v046Dp4092*
+ KEYBOARD_KEY_70035=102nd                               # '<' key
+ KEYBOARD_KEY_70064=grave                               # '^' key
+
 ###########################################################
 # Maxdata
 ###########################################################

hwdb.d/60-sensor.hwdb

@@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 
+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################

man/pam_systemd.xml

@@ -143,6 +143,10 @@
                 <entry><constant>manager-early</constant></entry>
                 <entry>Similar to <constant>manager</constant>, but for the root user. Compare with the <constant>user</constant> vs. <constant>user-early</constant> situation. (Added in v256.)</entry>
               </row>
+              <row>
+                <entry><constant>none</constant></entry>
+                <entry>Skips registering this session with logind. No session scope will be created, and the user service manager will not be started. (Added in v258.)</entry>
+              </row>
             </tbody>
           </tgroup>
         </table>

man/systemd-cryptenroll.xml

@@ -265,32 +265,11 @@
   </refsect1>
 
   <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>
 
-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
 
     <variablelist>
-      <varlistentry>
-        <term><option>--password</option></term>
-
-        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
-        <command>cryptsetup luksAddKey</command>, however may be combined with
-        <option>--wipe-slot=</option> in one call, see below.</para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--recovery-key</option></term>
-
-        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
-        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
-        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-        </para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
 
@@ -328,7 +307,45 @@
 
         <xi:include href="version-info.xml" xpointer="v256"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>Simple Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll simple user input based
+    unlocking:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--password</option></term>
+
+        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
+        <command>cryptsetup luksAddKey</command>, however may be combined with
+        <option>--wipe-slot=</option> in one call, see below.</para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--recovery-key</option></term>
+
+        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+        </para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>PKCS#11 Enrollment</title>
+
+    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
 
@@ -361,7 +378,15 @@
 
         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>FIDO2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
         <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@@ -461,7 +486,15 @@
 
         <xi:include href="version-info.xml" xpointer="v249"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>TPM2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
 
@@ -636,7 +669,15 @@
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>
+    </variablelist>
+  </refsect1>
 
+  <refsect1>
+    <title>Other Options</title>
+
+    <para>The following additional options are understood:</para>
+
+    <variablelist>
       <varlistentry>
         <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
 

po/uk.po

@@ -9,8 +9,8 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-20 19:13+0000\n"
-"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
+"PO-Revision-Date: 2024-11-21 19:38+0000\n"
+"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@@ -120,11 +120,11 @@ msgstr "Для оновлення домашньої теки користува
 
 #: src/home/org.freedesktop.home1.policy:53
 msgid "Update your home area"
-msgstr "Оновіть свій домашній простір"
+msgstr "Оновлення домашньої області"
 
 #: src/home/org.freedesktop.home1.policy:54
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої області потрібна автентифікація."
+msgstr "Для оновлення домашньої області слід пройти розпізнавання."
 
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@@ -1215,7 +1215,7 @@ msgstr "Керування додатковими функціями"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
-msgstr "Для керування додатковими функціями потрібна автентифікація"
+msgstr "Для керування додатковими можливостями слід пройти розпізнавання"
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"

shell-completion/bash/systemd-cryptenroll

@@ -38,19 +38,12 @@ __get_tpm2_devices() {
     done
 }
 
-__get_block_devices() {
-    local i
-    for i in /dev/*; do
-        [ -b "$i" ] && printf '%s\n' "$i"
-    done
-}
-
 _systemd_cryptenroll() {
     local comps
     local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
     local -A OPTS=(
         [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
         [ARG]='--unlock-key-file
                --unlock-fido2-device
                --unlock-tpm2-device
@@ -116,7 +109,7 @@ _systemd_cryptenroll() {
         return 0
     fi
 
-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
     COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
     return 0
 }

src/core/service.c

@@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                         return 0;
                 }
 
-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                 if (r < 0) {
                         log_unit_debug_errno(u, r,
                                              "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                         return 0;
                 }
-
-                TAKE_FD(fd);
         } else if (streq(key, "extra-fd")) {
                 _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                 _cleanup_close_ int fd = -EBADF;

src/cryptenroll/cryptenroll.c

@@ -193,7 +193,7 @@ static int help(void) {
                "\n%3$sSimple Enrollment:%4$s\n"
                "     --password        Enroll a user-supplied password\n"
                "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
                "     --pkcs11-token-uri=URI\n"
                "                       Specify PKCS#11 security token URI\n"
                "\n%3$sFIDO2 Enrollment:%4$s\n"

src/libsystemd/sd-varlink/varlink-util.c

@@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
 
         int pidfd = sd_varlink_get_peer_pidfd(v);
         if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                         return pidfd;
 
                 pid_t pid;

src/login/logind-dbus.c

@@ -863,6 +863,27 @@ static int create_session(
         if (!uid_is_valid(uid))
                 return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid UID");
 
+        if (isempty(type))
+                t = _SESSION_TYPE_INVALID;
+        else {
+                t = session_type_from_string(type);
+                if (t < 0)
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
+                                                 "Invalid session type %s", type);
+        }
+
+        if (isempty(class))
+                c = _SESSION_CLASS_INVALID;
+        else {
+                c = session_class_from_string(class);
+                if (c < 0)
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
+                                                 "Invalid session class %s", class);
+                if (c == SESSION_NONE)
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
+                                                "Refusing session class %s", class);
+        }
+
         if (flags != 0)
                 return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Flags must be zero.");
 
@@ -882,24 +903,6 @@ static int create_session(
         if (leader.pid == 1 || leader.pid == getpid_cached())
                 return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid leader PID");
 
-        if (isempty(type))
-                t = _SESSION_TYPE_INVALID;
-        else {
-                t = session_type_from_string(type);
-                if (t < 0)
-                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
-                                                 "Invalid session type %s", type);
-        }
-
-        if (isempty(class))
-                c = _SESSION_CLASS_INVALID;
-        else {
-                c = session_class_from_string(class);
-                if (c < 0)
-                        return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
-                                                 "Invalid session class %s", class);
-        }
-
         if (isempty(desktop))
                 desktop = NULL;
         else {

src/login/logind-session.h

@@ -29,6 +29,7 @@ typedef enum SessionClass {
         SESSION_BACKGROUND_LIGHT,   /* Like SESSION_BACKGROUND, but without the service manager */
         SESSION_MANAGER,            /* The service manager */
         SESSION_MANAGER_EARLY,      /* The service manager for root (which is allowed to run before systemd-user-sessions.service) */
+        SESSION_NONE,               /* A session not registered with logind */
         _SESSION_CLASS_MAX,
         _SESSION_CLASS_INVALID = -EINVAL,
 } SessionClass;
@@ -44,7 +45,7 @@ typedef enum SessionClass {
 #define SESSION_CLASS_WANTS_SERVICE_MANAGER(class) IN_SET((class), SESSION_USER, SESSION_USER_EARLY, SESSION_GREETER, SESSION_LOCK_SCREEN, SESSION_BACKGROUND)
 
 /* Which session classes can pin our user tracking? */
-#define SESSION_CLASS_PIN_USER(class) (!IN_SET((class), SESSION_MANAGER, SESSION_MANAGER_EARLY))
+#define SESSION_CLASS_PIN_USER(class) (!IN_SET((class), SESSION_MANAGER, SESSION_MANAGER_EARLY, SESSION_NONE))
 
 /* Which session classes decide whether system is idle? (should only cover sessions that have input, and are not idle screens themselves)*/
 #define SESSION_CLASS_CAN_IDLE(class) (IN_SET((class), SESSION_USER, SESSION_USER_EARLY, SESSION_GREETER))

src/login/pam_systemd.c

@@ -390,116 +390,108 @@ static int export_legacy_dbus_address(
 }
 
 static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
-        uint64_t val;
         int r;
 
+        assert(handle);
+        assert(m);
+
         if (isempty(limit))
-                return PAM_SUCCESS;
+                return 0;
 
-        if (streq(limit, "infinity")) {
-                r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", UINT64_MAX);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
-
-                return PAM_SUCCESS;
-        }
+        if (streq(limit, "infinity"))
+                return sd_bus_message_append(m, "(sv)", "MemoryMax", "t", UINT64_MAX);
 
         r = parse_permyriad(limit);
-        if (r >= 0) {
-                r = sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", UINT32_SCALE_FROM_PERMYRIAD(r));
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
+        if (r < 0) {
+                uint64_t val;
+                r = parse_size(limit, 1024, &val);
+                if (r < 0) {
+                        pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.memory_max, ignoring: %s", limit);
+                        return PAM_SUCCESS;
+                }
 
-                return PAM_SUCCESS;
+                return sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
         }
 
-        r = parse_size(limit, 1024, &val);
-        if (r >= 0) {
-                r = sd_bus_message_append(m, "(sv)", "MemoryMax", "t", val);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
-
-                return PAM_SUCCESS;
-        }
-
-        pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.memory_max, ignoring: %s", limit);
-        return PAM_SUCCESS;
+        return sd_bus_message_append(m, "(sv)", "MemoryMaxScale", "u", UINT32_SCALE_FROM_PERMYRIAD(r));
 }
 
 static int append_session_runtime_max_sec(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
-        usec_t val;
         int r;
 
+        assert(handle);
+        assert(m);
+
         /* No need to parse "infinity" here, it will be set by default later in scope_init() */
         if (isempty(limit) || streq(limit, "infinity"))
-                return PAM_SUCCESS;
+                return 0;
 
+        usec_t val;
         r = parse_sec(limit, &val);
-        if (r >= 0) {
-                r = sd_bus_message_append(m, "(sv)", "RuntimeMaxUSec", "t", (uint64_t) val);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
-        } else
+        if (r < 0) {
                 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.runtime_max_sec: %s, ignoring.", limit);
+                return 0;
+        }
 
-        return PAM_SUCCESS;
+        return sd_bus_message_append(m, "(sv)", "RuntimeMaxUSec", "t", (uint64_t) val);
 }
 
 static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
-        uint64_t val;
         int r;
 
+        assert(handle);
+        assert(m);
+
         /* No need to parse "infinity" here, it will be set unconditionally later in manager_start_scope() */
         if (isempty(limit) || streq(limit, "infinity"))
-                return PAM_SUCCESS;
+                return 0;
 
+        uint64_t val;
         r = safe_atou64(limit, &val);
-        if (r >= 0) {
-                r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
-        } else
+        if (r < 0) {
                 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.tasks_max, ignoring: %s", limit);
+                return 0;
+        }
 
-        return PAM_SUCCESS;
+        return sd_bus_message_append(m, "(sv)", "TasksMax", "t", val);
 }
 
 static int append_session_cpu_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
-        uint64_t val;
         int r;
 
-        if (isempty(limit))
-                return PAM_SUCCESS;
+        assert(handle);
+        assert(m);
 
+        if (isempty(limit))
+                return 0;
+
+        uint64_t val;
         r = cg_cpu_weight_parse(limit, &val);
-        if (r < 0)
+        if (r < 0) {
                 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.cpu_weight, ignoring: %s", limit);
-        else {
-                r = sd_bus_message_append(m, "(sv)", "CPUWeight", "t", val);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
+                return 0;
         }
 
-        return PAM_SUCCESS;
+        return sd_bus_message_append(m, "(sv)", "CPUWeight", "t", val);
 }
 
 static int append_session_io_weight(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
-        uint64_t val;
         int r;
 
-        if (isempty(limit))
-                return PAM_SUCCESS;
+        assert(handle);
+        assert(m);
 
+        if (isempty(limit))
+                return 0;
+
+        uint64_t val;
         r = cg_weight_parse(limit, &val);
-        if (r < 0)
+        if (r < 0) {
                 pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.io_weight, ignoring: %s", limit);
-        else {
-                r = sd_bus_message_append(m, "(sv)", "IOWeight", "t", val);
-                if (r < 0)
-                        return pam_bus_log_create_error(handle, r);
+                return 0;
         }
 
-        return PAM_SUCCESS;
+        return sd_bus_message_append(m, "(sv)", "IOWeight", "t", val);
 }
 
 static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
@@ -549,6 +541,26 @@ static bool getenv_harder_bool(pam_handle_t *handle, const char *key, bool fallb
         return r;
 }
 
+static uint32_t getenv_harder_uint32(pam_handle_t *handle, const char *key, uint32_t fallback) {
+        int r;
+
+        assert(handle);
+        assert(key);
+
+        const char *v = getenv_harder(handle, key, NULL);
+        if (isempty(v))
+                return fallback;
+
+        uint32_t u;
+        r = safe_atou32(v, &u);
+        if (r < 0) {
+                pam_syslog(handle, LOG_ERR, "Unsigned integer environment variable value of '%s' is not valid: %s", key, v);
+                return fallback;
+        }
+
+        return u;
+}
+
 static int update_environment(pam_handle_t *handle, const char *key, const char *value) {
         int r;
 
@@ -826,17 +838,15 @@ static uint64_t pick_default_capability_ambient_set(
 }
 
 typedef struct SessionContext {
-        const uid_t uid;
-        const pid_t pid;
         const char *service;
         const char *type;
         const char *class;
         const char *desktop;
         const char *seat;
-        const uint32_t vtnr;
+        uint32_t vtnr;
         const char *tty;
         const char *display;
-        const bool remote;
+        bool remote;
         const char *remote_user;
         const char *remote_host;
         const char *memory_max;
@@ -844,11 +854,13 @@ typedef struct SessionContext {
         const char *cpu_weight;
         const char *io_weight;
         const char *runtime_max_sec;
+        bool incomplete;
 } SessionContext;
 
 static int create_session_message(
                 sd_bus *bus,
                 pam_handle_t *handle,
+                UserRecord *ur,
                 const SessionContext *context,
                 bool avoid_pidfd,
                 sd_bus_message **ret) {
@@ -859,6 +871,7 @@ static int create_session_message(
 
         assert(bus);
         assert(handle);
+        assert(ur);
         assert(context);
         assert(ret);
 
@@ -872,21 +885,22 @@ static int create_session_message(
         if (r < 0)
                 return r;
 
-        r = sd_bus_message_append(m,
-                                  pidfd >= 0 ? "uhsssssussbss" : "uusssssussbss",
-                                  (uint32_t) context->uid,
-                                  pidfd >= 0 ? pidfd : context->pid,
-                                  context->service,
-                                  context->type,
-                                  context->class,
-                                  context->desktop,
-                                  context->seat,
-                                  context->vtnr,
-                                  context->tty,
-                                  context->display,
-                                  context->remote,
-                                  context->remote_user,
-                                  context->remote_host);
+        r = sd_bus_message_append(
+                        m,
+                        pidfd >= 0 ? "uhsssssussbss" : "uusssssussbss",
+                        (uint32_t) ur->uid,
+                        pidfd >= 0 ? pidfd : 0,
+                        context->service,
+                        context->type,
+                        context->class,
+                        context->desktop,
+                        context->seat,
+                        context->vtnr,
+                        context->tty,
+                        context->display,
+                        context->remote,
+                        context->remote_user,
+                        context->remote_host);
         if (r < 0)
                 return r;
 
@@ -901,23 +915,23 @@ static int create_session_message(
                 return r;
 
         r = append_session_memory_max(handle, m, context->memory_max);
-        if (r != PAM_SUCCESS)
+        if (r < 0)
                 return r;
 
         r = append_session_runtime_max_sec(handle, m, context->runtime_max_sec);
-        if (r != PAM_SUCCESS)
+        if (r < 0)
                 return r;
 
         r = append_session_tasks_max(handle, m, context->tasks_max);
-        if (r != PAM_SUCCESS)
+        if (r < 0)
                 return r;
 
         r = append_session_cpu_weight(handle, m, context->cpu_weight);
-        if (r != PAM_SUCCESS)
+        if (r < 0)
                 return r;
 
         r = append_session_io_weight(handle, m, context->io_weight);
-        if (r != PAM_SUCCESS)
+        if (r < 0)
                 return r;
 
         r = sd_bus_message_close_container(m);
@@ -928,10 +942,93 @@ static int create_session_message(
         return 0;
 }
 
-_public_ PAM_EXTERN int pam_sm_open_session(
+static void session_context_mangle(
                 pam_handle_t *handle,
-                int flags,
-                int argc, const char **argv) {
+                SessionContext *c,
+                UserRecord *ur,
+                bool debug) {
+
+        assert(handle);
+        assert(c);
+        assert(ur);
+
+        if (streq_ptr(c->service, "systemd-user")) {
+                /* If we detect that we are running in the "systemd-user" PAM stack, then let's patch the class to
+                 * 'manager' if not set, simply for robustness reasons. */
+                c->type = "unspecified";
+                c->class = IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) ?
+                        "manager-early" : "manager";
+                c->tty = NULL;
+
+        } else if (c->tty && strchr(c->tty, ':')) {
+                /* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
+                 * and don't pretend that an X display was a tty. */
+                if (isempty(c->display))
+                        c->display = c->tty;
+                c->tty = NULL;
+
+        } else if (streq_ptr(c->tty, "cron")) {
+                /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
+                 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
+                 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
+                 * off processes.) */
+                c->type = "unspecified";
+                c->class = "background";
+                c->tty = NULL;
+
+        } else if (streq_ptr(c->tty, "ssh")) {
+                /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
+                 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
+                c->type = "tty";
+                c->class = "user";
+                c->tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though
+                               * usually associated with a pty — won't be tracked by their tty in
+                               * logind. This is because ssh does the PAM session registration early for new
+                               * connections, and registers a pty only much later (this is because it doesn't
+                               * know yet if it needs one at all, as whether to register a pty or not is
+                               * negotiated much later in the protocol). */
+
+        } else if (c->tty)
+                /* Chop off leading /dev prefix that some clients specify, but others do not. */
+                c->tty = skip_dev_prefix(c->tty);
+
+        if (!isempty(c->display) && !c->vtnr) {
+                if (isempty(c->seat))
+                        (void) get_seat_from_display(c->display, &c->seat, &c->vtnr);
+                else if (streq(c->seat, "seat0"))
+                        (void) get_seat_from_display(c->display, /* seat= */ NULL, &c->vtnr);
+        }
+
+        if (c->seat && !streq(c->seat, "seat0") && c->vtnr != 0) {
+                pam_debug_syslog(handle, debug, "Ignoring vtnr %"PRIu32" for %s which is not seat0", c->vtnr, c->seat);
+                c->vtnr = 0;
+        }
+
+        if (isempty(c->type))
+                c->type = !isempty(c->display) ? "x11" :
+                              !isempty(c->tty) ? "tty" : "unspecified";
+
+        if (isempty(c->class))
+                c->class = streq(c->type, "unspecified") ? "background" :
+                        ((IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) &&
+                         streq(c->type, "tty")) ? "user-early" : "user");
+
+        if (c->incomplete) {
+                if (streq(c->class, "user"))
+                        c->class = "user-incomplete";
+                else
+                        pam_syslog_pam_error(handle, LOG_WARNING, 0, "PAM session of class '%s' is incomplete, which is not supported, ignoring.", c->class);
+        }
+
+        c->remote = !isempty(c->remote_host) && !is_localhost(c->remote_host);
+}
+
+static int register_session(
+                pam_handle_t *handle,
+                SessionContext *c,
+                UserRecord *ur,
+                bool debug,
+                char **ret_seat) {
 
         /* Let's release the D-Bus connection once this function exits, after all the session might live
          * quite a long time, and we are not going to process the bus connection in that time, so let's
@@ -939,152 +1036,21 @@ _public_ PAM_EXTERN int pam_sm_open_session(
         _cleanup_(pam_bus_data_disconnectp) PamBusData *d = NULL;
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL, *reply = NULL;
-        const char
-                *id, *object_path, *runtime_path,
-                *service = NULL,
-                *tty = NULL, *display = NULL,
-                *remote_user = NULL, *remote_host = NULL,
-                *seat = NULL,
-                *type = NULL, *class = NULL,
-                *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
-                *memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL, *runtime_max_sec = NULL;
-        uint64_t default_capability_bounding_set = UINT64_MAX, default_capability_ambient_set = UINT64_MAX;
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
-        _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
-        int session_fd = -EBADF, existing, r;
-        bool debug = false, remote, incomplete;
-        uint32_t vtnr = 0;
-        uid_t original_uid;
+        int r;
 
         assert(handle);
-
-        pam_log_setup();
-
-        if (parse_argv(handle,
-                       argc, argv,
-                       &class_pam,
-                       &type_pam,
-                       &desktop_pam,
-                       &debug,
-                       &default_capability_bounding_set,
-                       &default_capability_ambient_set) < 0)
-                return PAM_SESSION_ERR;
-
-        pam_debug_syslog(handle, debug, "pam-systemd initializing");
-
-        r = acquire_user_record(handle, &ur);
-        if (r != PAM_SUCCESS)
-                return r;
+        assert(c);
+        assert(ur);
+        assert(ret_seat);
 
         /* Make most of this a NOP on non-logind systems */
         if (!logind_running())
-                goto success;
+                goto skip;
 
-        r = pam_get_item_many(
-                        handle,
-                        PAM_SERVICE, &service,
-                        PAM_XDISPLAY, &display,
-                        PAM_TTY, &tty,
-                        PAM_RUSER, &remote_user,
-                        PAM_RHOST, &remote_host);
-        if (r != PAM_SUCCESS)
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM items: @PAMERR@");
-
-        seat = getenv_harder(handle, "XDG_SEAT", NULL);
-        cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
-        type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
-        class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
-        desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
-        incomplete = getenv_harder_bool(handle, "XDG_SESSION_INCOMPLETE", false);
-
-        if (streq_ptr(service, "systemd-user")) {
-                /* If we detect that we are running in the "systemd-user" PAM stack, then let's patch the class to
-                 * 'manager' if not set, simply for robustness reasons. */
-                type = "unspecified";
-                class = IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) ?
-                        "manager-early" : "manager";
-                tty = NULL;
-
-        } else if (tty && strchr(tty, ':')) {
-                /* A tty with a colon is usually an X11 display, placed there to show up in utmp. We rearrange things
-                 * and don't pretend that an X display was a tty. */
-                if (isempty(display))
-                        display = tty;
-                tty = NULL;
-
-        } else if (streq_ptr(tty, "cron")) {
-                /* cron is setting PAM_TTY to "cron" for some reason (the commit carries no information why, but
-                 * probably because it wants to set it to something as pam_time/pam_access/… require PAM_TTY to be set
-                 * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
-                 * off processes.) */
-                type = "unspecified";
-                class = "background";
-                tty = NULL;
-
-        } else if (streq_ptr(tty, "ssh")) {
-                /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
-                 * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
-                type = "tty";
-                class = "user";
-                tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
-                             * associated with a pty — won't be tracked by their tty in logind. This is because ssh
-                             * does the PAM session registration early for new connections, and registers a pty only
-                             * much later (this is because it doesn't know yet if it needs one at all, as whether to
-                             * register a pty or not is negotiated much later in the protocol). */
-
-        } else if (tty)
-                /* Chop off leading /dev prefix that some clients specify, but others do not. */
-                tty = skip_dev_prefix(tty);
-
-        /* If this fails vtnr will be 0, that's intended */
-        if (!isempty(cvtnr))
-                (void) safe_atou32(cvtnr, &vtnr);
-
-        if (!isempty(display) && !vtnr) {
-                if (isempty(seat))
-                        (void) get_seat_from_display(display, &seat, &vtnr);
-                else if (streq(seat, "seat0"))
-                        (void) get_seat_from_display(display, NULL, &vtnr);
-        }
-
-        if (seat && !streq(seat, "seat0") && vtnr != 0) {
-                pam_debug_syslog(handle, debug, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
-                vtnr = 0;
-        }
-
-        if (isempty(type))
-                type = !isempty(display) ? "x11" :
-                           !isempty(tty) ? "tty" : "unspecified";
-
-        if (isempty(class))
-                class = streq(type, "unspecified") ? "background" :
-                        ((IN_SET(user_record_disposition(ur), USER_INTRINSIC, USER_SYSTEM, USER_DYNAMIC) &&
-                         streq(type, "tty")) ? "user-early" : "user");
-
-        if (incomplete) {
-                if (streq(class, "user"))
-                        class = "user-incomplete";
-                else
-                        pam_syslog_pam_error(handle, LOG_WARNING, 0, "PAM session of class '%s' is incomplete, which is not supported, ignoring.", class);
-        }
-
-        remote = !isempty(remote_host) && !is_localhost(remote_host);
-
-        r = pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
-        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.memory_max data: @PAMERR@");
-        r = pam_get_data(handle, "systemd.tasks_max",  (const void **)&tasks_max);
-        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.tasks_max data: @PAMERR@");
-        r = pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
-        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.cpu_weight data: @PAMERR@");
-        r = pam_get_data(handle, "systemd.io_weight",  (const void **)&io_weight);
-        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.io_weight data: @PAMERR@");
-        r = pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
-        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA))
-                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM systemd.runtime_max_sec data: @PAMERR@");
+        /* We don't register session class none with logind */
+        if (streq(c->class, "none"))
+                goto skip;
 
         /* Talk to logind over the message bus */
         r = pam_acquire_bus_connection(handle, "pam-systemd", debug, &bus, &d);
@@ -1095,41 +1061,22 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                          "Asking logind to create session: "
                          "uid="UID_FMT" pid="PID_FMT" service=%s type=%s class=%s desktop=%s seat=%s vtnr=%"PRIu32" tty=%s display=%s remote=%s remote_user=%s remote_host=%s",
                          ur->uid, getpid_cached(),
-                         strempty(service),
-                         type, class, strempty(desktop),
-                         strempty(seat), vtnr, strempty(tty), strempty(display),
-                         yes_no(remote), strempty(remote_user), strempty(remote_host));
+                         strempty(c->service),
+                         c->type, c->class, strempty(c->desktop),
+                         strempty(c->seat), c->vtnr, strempty(c->tty), strempty(c->display),
+                         yes_no(c->remote), strempty(c->remote_user), strempty(c->remote_host));
         pam_debug_syslog(handle, debug,
                          "Session limits: "
                          "memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s runtime_max_sec=%s",
-                         strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight), strna(runtime_max_sec));
+                         strna(c->memory_max), strna(c->tasks_max), strna(c->cpu_weight), strna(c->io_weight), strna(c->runtime_max_sec));
 
-        const SessionContext context = {
-                .uid = ur->uid,
-                .pid = 0,
-                .service = service,
-                .type = type,
-                .class = class,
-                .desktop = desktop,
-                .seat = seat,
-                .vtnr = vtnr,
-                .tty = tty,
-                .display = display,
-                .remote = remote,
-                .remote_user = remote_user,
-                .remote_host = remote_host,
-                .memory_max = memory_max,
-                .tasks_max = tasks_max,
-                .cpu_weight = cpu_weight,
-                .io_weight = io_weight,
-                .runtime_max_sec = runtime_max_sec,
-        };
-
-        r = create_session_message(bus,
-                                   handle,
-                                   &context,
-                                   /* avoid_pidfd = */ false,
-                                   &m);
+        r = create_session_message(
+                        bus,
+                        handle,
+                        ur,
+                        c,
+                        /* avoid_pidfd = */ false,
+                        &m);
         if (r < 0)
                 return pam_bus_log_create_error(handle, r);
 
@@ -1142,7 +1089,8 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                 m = sd_bus_message_unref(m);
                 r = create_session_message(bus,
                                            handle,
-                                           &context,
+                                           ur,
+                                           c,
                                            /* avoid_pidfd = */ true,
                                            &m);
                 if (r < 0)
@@ -1155,7 +1103,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                         /* We are already in a session, don't do anything */
                         pam_debug_syslog(handle, debug,
                                          "Not creating session: %s", bus_error_message(&error, r));
-                        goto success;
+                        goto skip;
                 }
 
                 pam_syslog(handle, LOG_ERR,
@@ -1163,23 +1111,27 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                 return PAM_SESSION_ERR;
         }
 
-        r = sd_bus_message_read(reply,
-                                "soshusub",
-                                &id,
-                                &object_path,
-                                &runtime_path,
-                                &session_fd,
-                                &original_uid,
-                                &seat,
-                                &vtnr,
-                                &existing);
+        const char *id, *object_path, *runtime_path, *real_seat;
+        int session_fd = -EBADF, existing;
+        uint32_t original_uid, real_vtnr;
+        r = sd_bus_message_read(
+                        reply,
+                        "soshusub",
+                        &id,
+                        &object_path,
+                        &runtime_path,
+                        &session_fd,
+                        &original_uid,
+                        &real_seat,
+                        &real_vtnr,
+                        &existing);
         if (r < 0)
                 return pam_bus_log_parse_error(handle, r);
 
         pam_debug_syslog(handle, debug,
                          "Reply from logind: "
                          "id=%s object_path=%s runtime_path=%s session_fd=%d seat=%s vtnr=%u original_uid=%u",
-                         id, object_path, runtime_path, session_fd, seat, vtnr, original_uid);
+                         id, object_path, runtime_path, session_fd, real_seat, real_vtnr, original_uid);
 
         /* Please update manager_default_environment() in core/manager.c accordingly if more session envvars
          * shall be added. */
@@ -1202,38 +1154,25 @@ _public_ PAM_EXTERN int pam_sm_open_session(
          * somewhere else (for example PAM module parameters). Let's now update the environment variables, so that this
          * data is inherited into the session processes, and programs can rely on them to be initialized. */
 
-        r = update_environment(handle, "XDG_SESSION_TYPE", type);
+        r = update_environment(handle, "XDG_SESSION_TYPE", c->type);
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = update_environment(handle, "XDG_SESSION_CLASS", class);
+        r = update_environment(handle, "XDG_SESSION_CLASS", c->class);
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = update_environment(handle, "XDG_SESSION_DESKTOP", desktop);
+        r = update_environment(handle, "XDG_SESSION_DESKTOP", c->desktop);
         if (r != PAM_SUCCESS)
                 return r;
 
-        r = update_environment(handle, "XDG_SEAT", seat);
+        r = update_environment(handle, "XDG_SEAT", real_seat);
         if (r != PAM_SUCCESS)
                 return r;
 
-        static const char *const propagate[] = {
-                "shell.prompt.prefix", "SHELL_PROMPT_PREFIX",
-                "shell.prompt.suffix", "SHELL_PROMPT_SUFFIX",
-                "shell.welcome",       "SHELL_WELCOME",
-                NULL
-        };
-
-        STRV_FOREACH_PAIR(k, v, propagate) {
-                r = propagate_credential_to_environment(handle, *k, *v);
-                if (r != PAM_SUCCESS)
-                        return r;
-        }
-
-        if (vtnr > 0) {
-                char buf[DECIMAL_STR_MAX(vtnr)];
-                sprintf(buf, "%u", vtnr);
+        if (real_vtnr > 0) {
+                char buf[DECIMAL_STR_MAX(real_vtnr)];
+                sprintf(buf, "%u", real_vtnr);
 
                 r = update_environment(handle, "XDG_VTNR", buf);
                 if (r != PAM_SUCCESS)
@@ -1255,9 +1194,115 @@ _public_ PAM_EXTERN int pam_sm_open_session(
                 TAKE_FD(fd);
         }
 
-success:
+        /* Everything worked, hence let's patch in the data we learned. Since 'real_set' points into the
+         * D-Bus message, let's copy it and return it as a buffer */
+        char *rs = strdup(real_seat);
+        if (!rs)
+                return pam_log_oom(handle);
+
+        c->seat = *ret_seat = rs;
+        c->vtnr = real_vtnr;
+
+        return PAM_SUCCESS;
+
+skip:
+        *ret_seat = NULL;
+        return PAM_SUCCESS;
+}
+
+static int import_shell_credentials(pam_handle_t *handle) {
+
+        static const char *const propagate[] = {
+                "shell.prompt.prefix", "SHELL_PROMPT_PREFIX",
+                "shell.prompt.suffix", "SHELL_PROMPT_SUFFIX",
+                "shell.welcome",       "SHELL_WELCOME",
+                NULL
+        };
+        int r;
+
+        assert(handle);
+
+        STRV_FOREACH_PAIR(k, v, propagate) {
+                r = propagate_credential_to_environment(handle, *k, *v);
+                if (r != PAM_SUCCESS)
+                        return r;
+        }
+
+        return PAM_SUCCESS;
+}
+
+_public_ PAM_EXTERN int pam_sm_open_session(
+                pam_handle_t *handle,
+                int flags,
+                int argc, const char **argv) {
+
+        int r;
+
+        assert(handle);
+
+        pam_log_setup();
+
+        uint64_t default_capability_bounding_set = UINT64_MAX, default_capability_ambient_set = UINT64_MAX;
+        const char *class_pam = NULL, *type_pam = NULL, *desktop_pam = NULL;
+        bool debug = false;
+        if (parse_argv(handle,
+                       argc, argv,
+                       &class_pam,
+                       &type_pam,
+                       &desktop_pam,
+                       &debug,
+                       &default_capability_bounding_set,
+                       &default_capability_ambient_set) < 0)
+                return PAM_SESSION_ERR;
+
+        pam_debug_syslog(handle, debug, "pam-systemd initializing");
+
+        _cleanup_(user_record_unrefp) UserRecord *ur = NULL;
+        r = acquire_user_record(handle, &ur);
+        if (r != PAM_SUCCESS)
+                return r;
+
+        SessionContext c = {};
+        r = pam_get_item_many(
+                        handle,
+                        PAM_SERVICE,  &c.service,
+                        PAM_XDISPLAY, &c.display,
+                        PAM_TTY,      &c.tty,
+                        PAM_RUSER,    &c.remote_user,
+                        PAM_RHOST,    &c.remote_host);
+        if (r != PAM_SUCCESS)
+                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM items: @PAMERR@");
+
+        c.seat = getenv_harder(handle, "XDG_SEAT", NULL);
+        c.vtnr = getenv_harder_uint32(handle, "XDG_VTNR", 0);
+        c.type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
+        c.class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
+        c.desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
+        c.incomplete = getenv_harder_bool(handle, "XDG_SESSION_INCOMPLETE", false);
+
+        r = pam_get_data_many(
+                        handle,
+                        "systemd.memory_max",      &c.memory_max,
+                        "systemd.tasks_max",       &c.tasks_max,
+                        "systemd.cpu_weight",      &c.cpu_weight,
+                        "systemd.io_weight",       &c.io_weight,
+                        "systemd.runtime_max_sec", &c.runtime_max_sec);
+        if (r != PAM_SUCCESS)
+                return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get PAM data: @PAMERR@");
+
+        session_context_mangle(handle, &c, ur, debug);
+
+        _cleanup_free_ char *seat_buffer = NULL;
+        r = register_session(handle, &c, ur, debug, &seat_buffer);
+        if (r != PAM_SUCCESS)
+                return r;
+
+        r = import_shell_credentials(handle);
+        if (r != PAM_SUCCESS)
+                return r;
+
         if (default_capability_ambient_set == UINT64_MAX)
-                default_capability_ambient_set = pick_default_capability_ambient_set(ur, service, seat);
+                default_capability_ambient_set = pick_default_capability_ambient_set(ur, c.service, c.seat);
 
         return apply_user_record_settings(handle, ur, debug, default_capability_bounding_set, default_capability_ambient_set);
 }

src/shared/pam-util.c

@@ -253,17 +253,17 @@ int pam_get_item_many_internal(pam_handle_t *handle, ...) {
         va_list ap;
         int r;
 
+        assert(handle);
+
         va_start(ap, handle);
         for (;;) {
                 int item_type = va_arg(ap, int);
-
                 if (item_type <= 0) {
                         r = PAM_SUCCESS;
                         break;
                 }
 
                 const void **value = ASSERT_PTR(va_arg(ap, const void **));
-
                 r = pam_get_item(handle, item_type, value);
                 if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS))
                         break;
@@ -273,6 +273,30 @@ int pam_get_item_many_internal(pam_handle_t *handle, ...) {
         return r;
 }
 
+int pam_get_data_many_internal(pam_handle_t *handle, ...) {
+        va_list ap;
+        int r;
+
+        assert(handle);
+
+        va_start(ap, handle);
+        for (;;) {
+                const char *data_name = va_arg(ap, const char *);
+                if (!data_name) {
+                        r = PAM_SUCCESS;
+                        break;
+                }
+
+                const void **value = ASSERT_PTR(va_arg(ap, const void **));
+                r = pam_get_data(handle, data_name, value);
+                if (!IN_SET(r, PAM_NO_MODULE_DATA, PAM_SUCCESS))
+                        break;
+        }
+        va_end(ap);
+
+        return r;
+}
+
 int pam_prompt_graceful(pam_handle_t *handle, int style, char **ret_response, const char *fmt, ...) {
         va_list args;
         int r;

src/shared/pam-util.h

@@ -44,7 +44,9 @@ int pam_get_bus_data(pam_handle_t *handle, const char *module_name, PamBusData *
 void pam_cleanup_free(pam_handle_t *handle, void *data, int error_status);
 
 int pam_get_item_many_internal(pam_handle_t *handle, ...);
-
 #define pam_get_item_many(handle, ...) pam_get_item_many_internal(handle, __VA_ARGS__, -1)
 
+int pam_get_data_many_internal(pam_handle_t *handle, ...);
+#define pam_get_data_many(handle, ...) pam_get_data_many_internal(handle, __VA_ARGS__, NULL)
+
 int pam_prompt_graceful(pam_handle_t *handle, int style, char **ret_response, const char *fmt, ...) _printf_(4,5);

src/shared/tpm2-util.h

@@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
 int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
 
 int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
-int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
+int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
 
 /* Default to PCR 7 only */
 #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)

src/userdb/userdbctl.c

@@ -23,6 +23,7 @@
 #include "user-util.h"
 #include "userdb.h"
 #include "verbs.h"
+#include "virt.h"
 
 static enum {
         OUTPUT_CLASSIC,
@@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
         return 0;
 }
 
+static bool test_show_mapped(void) {
+        /* Show mapped user range only in environments where user mapping is a thing. */
+        return running_in_userns() > 0;
+}
+
 static const struct {
         uid_t first, last;
         const char *name;
         UserDisposition disposition;
+        bool (*test)(void);
 } uid_range_table[] = {
         {
                 .first = 1,
@@ -175,11 +182,12 @@ static const struct {
                 .last = MAP_UID_MAX,
                 .name = "mapped",
                 .disposition = USER_REGULAR,
+                .test = test_show_mapped,
         },
 };
 
 static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
@@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " users ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same UID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
 }
 
 static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
         FOREACH_ELEMENT(i, uid_range_table) {
                 _cleanup_free_ char *name = NULL, *comment = NULL;
 
+                if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
+                        continue;
+
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " groups ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same GID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {

tmpfiles.d/20-systemd-shell-extra.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SHELL_EXTRA_DROPIN %}
 L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh

tmpfiles.d/20-systemd-ssh-generator.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SSH_PROXY_DROPIN %}
 L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf

tmpfiles.d/20-systemd-stub.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Copy systemd-stub provided metadata such as PCR signature and public key file
 # from initrd into /run/, so that it will survive the initrd stage

tmpfiles.d/20-systemd-userdb.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 {% if LINK_SSHD_USERDB_DROPIN %}
 L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf

tmpfiles.d/credstore.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d /etc/credstore 0700 root root
 d /etc/credstore.encrypted 0700 root root

tmpfiles.d/etc.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 L /etc/os-release - - - - ../usr/lib/os-release
 L+ /etc/mtab - - - - ../proc/self/mounts

tmpfiles.d/home.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /home 0755 - - -
 q /srv 0755 - - -

tmpfiles.d/journal-nocow.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Set the NOCOW attribute for directories of journal files. This flag
 # is inherited by their new files and sub-directories. Matters only

tmpfiles.d/legacy.conf.in

@@ -5,26 +5,28 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
-# These files are considered legacy and are unnecessary on legacy-free
-# systems.
+# The functionality provided by these files and directories has been replaced
+# by newer interfaces. Their use is discouraged on legacy-free systems. This
+# configuration is provided to maintain backward compatibility.
 
 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
+
+{% if HAVE_SYSV_COMPAT %}
 {% if CREATE_LOG_DIRS %}
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}
 
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
-
 d /run/lock/subsys 0755 root root -
 
 # /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
 # kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
 # 'quotacheck.mode=force'
-
 r! /forcefsck
 r! /fastboot
 r! /forcequotacheck
+{% endif %}

tmpfiles.d/meson.build

@@ -35,7 +35,7 @@ in_files = [
         ['20-systemd-stub.conf',          'ENABLE_EFI'],
         ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
         ['etc.conf'],
-        ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
+        ['legacy.conf'],
         ['static-nodes-permissions.conf'],
         ['systemd.conf'],
         ['var.conf'],

tmpfiles.d/portables.conf

@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /var/lib/portables 0700

tmpfiles.d/provision.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Provision additional login messages from credentials, if they are set. Note
 # that these lines are NOPs if the credentials are not set or if the files

tmpfiles.d/systemd-network.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d$ /run/systemd/netif        0755 systemd-network systemd-network -
 d$ /run/systemd/netif/links  0755 systemd-network systemd-network -

tmpfiles.d/systemd-nspawn.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 Q /var/lib/machines 0700 - - -
 

tmpfiles.d/systemd-resolve.conf

@@ -5,6 +5,6 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

tmpfiles.d/systemd-tmp.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Exclude namespace mountpoints created with PrivateTmp=yes
 x /tmp/systemd-private-%b-*

tmpfiles.d/systemd.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 d /run/user 0755 root root -
 {% if ENABLE_UTMP %}

tmpfiles.d/tmp.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Clear tmp directories separately, to make them easier to override
 q /tmp 1777 root root 10d

tmpfiles.d/var.conf.in

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 q /var 0755 - - -
 

tmpfiles.d/x11.conf

@@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 
 # Make sure these are created by default so that nobody else can
 # or empty them at startup