logind
systemd 30 and newer include systemd-logind. This is a tiny daemon that manages user logins and seats in various ways.
See systemd-logind(8).service for more information. Please consult Multi-Seat on Linux for more information on the basic concepts.
The daemon provides both a C library interface as well as a D-Bus interface. The library interface may be used to introspect and watch the state of user logins or seat. The bus interface provides the same but in addition may also be used to make changes to system state. For more information please consult the man pages: sd-login(7)
If you are interested in writing a display manager that makes use of logind, please have look at Writing Display Managers. If you are interested in writing a desktop environment that makes use of logind, please have look at Writing Desktop Environments.
The inhibition logic is documented in Inhibitor Locks.
The Manager Object
The service exposes the following interfaces on the Manager object on the bus:
$ gdbus introspect --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1
node /org/freedesktop/login1 {
interface org.freedesktop.login1.Manager {
methods:
GetSession(in s id,
out o session);
GetSessionByPID(in u pid,
out o session);
GetUser(in u uid,
out o user);
GetSeat(in s id,
out o seat);
ListSessions(out a(susso) sessions);
ListUsers(out a(uso) users);
ListSeats(out a(so) seats);
CreateSession(...);
ReleaseSession(...);
ActivateSession(in s id);
ActivateSessionOnSeat(in s id,
in s seat);
LockSession(in s id);
UnlockSession(in s id);
LockSessions();
UnlockSessions();
KillSession(in s id,
in s who,
in s signal);
KillUser(in u uid,
in s signal);
TerminateSession(in s id);
TerminateUser(in u uid);
TerminateSeat(in s id);
SetUserLinger(in u uid,
in b b,
in b interactive);
AttachDevice(in s seat,
in s sysfs,
in b interactive);
FlushDevices(in b interactive);
PowerOff(in b interactive);
Reboot(in b interactive);
Suspend(in b interactive);
Hibernate(in b interactive);
HybridSleep(in b interactive);
CanPowerOff(out s result);
CanReboot(out s result);
CanSuspend(out s result);
CanHibernate(out s result);
CanHybridSleep(out s result);
Inhibit(in s what,
in s who,
in s why,
in s mode,
out h fd);
ListInhibitors(out a(ssssuu) inhibitors);
signals:
SessionNew(s id,
o path);
SessionRemoved(s id,
o path);
UserNew(u uid,
o path);
UserRemoved(u uid,
o path);
SeatNew(s id,
o path);
SeatRemoved(s id,
o path);
PrepareForShutdown(b active);
PrepareForSleep(b active);
properties:
readonly s ControlGroupHierarchy = '/user';
readonly as Controllers = [];
readonly as ResetControllers = ['cpu'];
readonly u NAutoVTs = 6;
readonly as KillOnlyUsers = [];
readonly as KillExcludeUsers = ['root'];
readonly b KillUserProcesses = false;
readonly b IdleHint = false;
readonly t IdleSinceHint = 1340873864854884;
readonly t IdleSinceHintMonotonic = 14409495315;
readonly s BlockInhibited = '';
readonly s DelayInhibited = '';
readonly t InhibitDelayMaxUSec = 5000000;
readonly s HandlePowerKey = 'poweroff';
readonly s HandleSuspendKey = 'suspend';
readonly s HandleHibernateKey = 'hibernate';
readonly s HandleLidSwitch = 'suspend';
readonly b PreparingForShutdown = false;
readonly b PreparingForSleep = false;
};
interface org.freedesktop.DBus.Properties {
};
interface org.freedesktop.DBus.Peer {
};
interface org.freedesktop.DBus.Introspectable {
};
};
Security
A number of operations are protected via the PolicyKit privilege system. SetUserLinger() requires the org.freedesktop.login1.set-user-linger privilege. AttachDevice() requires org.freedesktop.login1.attach-device and FlushDevices() org.freedesktop.login1.flush-devices. PowerOff(), Reboot(), Suspend(), Hibernate(), HybridSleep() require org.freedesktop.login1.power-off, org.freedesktop.login1.power-off-multiple-sessions, org.freedesktop.login1.power-off-ignore-inhibit, org.freedesktop.login1.reboot, org.freedesktop.login1.reboot-multiple-sessions, org.freedesktop.login1.reboot-ignore-inhibit, org.freedesktop.login1.suspend, org.freedesktop.login1.suspend-multiple-sessions, org.freedesktop.login1.suspend-ignore-inhibit, org.freedesktop.login1.hibernate, org.freedesktop.login1.hibernate-multiple-sessions resp. org.freedesktop.login1.hibernate-ignore-inhibit, depending whether there are other sessions around or active inhibits. Inhibit() is protected via either one of org.freedesktop.login1.inhibit-block-shutdown, org.freedesktop.login1.inhibit-delay-shutdown, org.freedesktop.login1.inhibit-block-sleep, org.freedesktop.login1.inhibit-delay-sleep, org.freedesktop.login1.inhibit-block-idle, org.freedesktop.login1.inhibit-handle-power-key, org.freedesktop.login1.inhibit-handle-suspend-key, org.freedesktop.login1.inhibit-handle-hibernate-key, org.freedesktop.login1.inhibit-handle-lid-switch depending on the lock type and mode taken.
The user_interaction boolean parameters can be used to control whether PolicyKit should interactively ask the user for authentication credentials if it needs to.
Methods
GetSession() may be used to get the session object path for the session with the specified ID. Similar, GetUser() and GetSeat() get the user resp. seat objects. GetSessionByPID() gets the session object of the session the specified PID belongs to if there is any.
ListSessions() returns an array with all current sessions. The structures in the array consist of the following fields: session id, user id, user name, seat id, session object path. If a session does not have a seat attached the seat id field will be an empty string.
ListUsers() returns an array with all currently logged in users. The structures in the array consist of the following fields: user id, user name, user object path.
ListSeats() returns an array with all currently available seats. The structure in the array consists of the following fields: seat id, seat object path.
CreateSession() and ReleaseSession() may be used to open or close login sessions. These calls should never be invoked directly by clients. Creating/closing sessions is exclusively the job of PAM and its pam_systemd module.
ActivateSession() brings the session with the specified ID into the foreground. ActivateSessionOnSeat() does the same, but only if the seat id matches.
LockSession() asks the session with the specified ID to activate the screen lock. UnlockSession() asks the session with the specified ID to remove an active screen lock, if there is any. This is implemented by sending out the Lock() and Unlock() signals from the respective session object which session managers are supposed to listen on.
LockSessions() asks all sessions to activate the screen locks. This may be used to lock any access to the machine in one action. Similar, UnlockSessions() asks all sessions to deactivate their screen locks.
KillSession() may be used to send a Unix signal to one or all processes of a session. As arguments it takes the session id, either the string "leader" or "all" and a signal number. If "leader" is passed only the session "leader" is killed. If "all" is passed all processes of the session are killed.
KillUser() may be used to send a Unix signal to all processes of a user. As argument it takes the user id and a signal number.
TerminateSession(), TerminateUser(), TerminateSeat() may be used to forcibly terminate one specific session, all processes of a user, resp. all sessions attached to a specific seat. The session, user, seat is identified by their respective IDs.
SetUserLinger() enables or disables user lingering. If enabled the runtime directory of a user is kept around and he may continue to run processes while he is logged out. If disabled the runtime directory goes away as soon as he logs out. Expects three arguments: the UID, a boolean whether to enable/disable and a boolean controlling the PolicyKit authorization interactivity (see above). Note that the user linger state is persistently stored on disk.
AttachDevice() may be used to assign a specific device to a specific seat. The device is identified by its /sys path, and must be eligible for seat assignments. Takes three arguments: the seat id, the sysfs path, and a boolean for controlling PolicyKit interactivity (see above). Device assignments are persistently stored to disk. To create a new seat, simply specify a previously unused seat id. For more information about the seat assignment logic see Multi-Seat for Linux.
FlushDevices() removes all explicit seat assignments for devices, resetting all assignments to the automatic defaults. The only argument this takes is the PolicyKit interactivity boolean (see above).
PowerOff(), Reboot(), Suspend(), Hibernate(), HybridSleep() results in the system being powered off, rebooted, suspend, hibernated or hibernated+suspended. The only argument is the PolicyKit interactivity boolean (see above). The main purpose of these calls is that they enforce PolicyKit policy and hence allow powering off/rebooting/suspending/hibernating even by unprivileged users. They also enforce inhibition locks. UIs should expose these calls as primary mechanism to poweroff/reboot/suspend/hibernate/hybrid-sleep the machine.
CanPowerOff(), CanReboot(), CanSuspend(), CanHibernate(), CanHybridSleep() tests whether the system supports the respective operation and whether the calling user is eligible for the desired operation. Returns one of "na", "yes", "no" or "challenge". If "na" is returned the operation is not available because hardware, kernel or drivers do not support it. If "yes" is returned the operation is supported and the user may execute the operation without further authentication. If "no" is returned the operation is available but the user is not allowed to execute the operation. If "challenge" is returned the operation is available, but only after authorization.
Inhibit() creates an inhibition lock. It takes four parameters: What, Who, Why and Mode. "What" is one or more of "shutdown", "sleep", "idle", "handle-power-key", "handle-suspend-key", "handle-hibernate-key", "handle-lid-switch", separated by colons, for inhibiting poweroff/reboot, suspend/hibernate, the automatic idle logic, or hardware key handling. "Who" should be a short human readable string identifying the application taking the lock. "Why" should be a short human readable string identifying the reason why the lock is taken. Finally, "Mode" is either "block" or "delay" which encodes whether the inhibit shall be consider mandatory or whether it should just delay the operation to a certain maximum time. The call returns a file descriptor. The lock is released the moment this file descriptor (and all its duplicates) are closed. For more information on the inhibition logic see Inhibitor Locks.
ListInhibitors() lists all currently active inhibitors. Returns an array of structures consisting of what, who, why, mode, user ID and process ID.
Signals
Whenever the inhibition state or idle hint changes daemon PropertyChanged signals are sent out to which clients can subscribe.
The SessionNew(), SessionRemoved(), UserNew(), UserRemoved(), SeatNew(), SeatRemoved() signals are sent each time a session is created or removed, a user logs in or out, or a seat is added or removed. They each contain the ID of the object plus the object path.
The PrepareForShutdown() resp. PrepareForSleep() signals are sent right before (with the argument True) and after (with the argument False) the system goes down for reboot/poweroff, resp. suspend/hibernate. This may be used by applications for saving data on disk, releasing memory or doing other jobs that shall be done shortly before shutdown/sleep, in conjunction with delay inhibitor locks. After completion of this work they should release their inhibition locks in order not to delay the operation any further. For more information see Inhibitor Locks.
Properties
Most properties simply reflect the configuration stored in logind.conf. For more information, see: logind.conf(5)
The IdleHint property reflects the idle hint state of the system. If the system is idle it might get into automatic suspend or shutdown, depending on configuration.
IdleSinceHint and IdleSinceHintMonotonic encode the timestamps of the last change of the idle hint boolean, in CLOCK_REALTIME resp. CLOCK_MONOTONIC timestamps in usec since the epoch.
The BlockInhibited and DelayInhibited properties encode the currently active locks of the respective modes. They are colon separated lists of "shutdown", "sleep", "idle" (see above).
The PreparingForShutdown and PreparingForSleep boolean properties are true between the two PrepareForShutdown resp. PrepareForSleep signals are sent. Note that these properties do not send out PropertyChanged signals.
Seat Objects
$ gdbus introspect --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1/seat/seat0
node /org/freedesktop/login1/seat/seat0 {
interface org.freedesktop.login1.Seat {
methods:
Terminate();
ActivateSession(in s id);
signals:
properties:
readonly s Id = 'seat0';
readonly so ActiveSession = ('2', '/org/freedesktop/login1/session/2');
readonly b CanMultiSession = true;
readonly b CanTTY = true;
readonly b CanGraphical = true;
readonly a(so) Sessions = [('2', '/org/freedesktop/login1/session/2')];
readonly b IdleHint = false;
readonly t IdleSinceHint = 1340873864854884;
readonly t IdleSinceHintMonotonic = 14409495315;
};
interface org.freedesktop.DBus.Properties {
};
interface org.freedesktop.DBus.Peer {
};
interface org.freedesktop.DBus.Introspectable {
};
};
Methods
Terminate() and ActivateSession() work similar to TerminateSeat(), ActivationSessionOnSeat() on the Manager object.
Signals
Whenever ActiveSession, Sessions, CanGraphical, CanMultiSession and CanTTY or the idle state changes PropertyChanged signals are sent out to which clients can subscribe.
Properties
The Id property encodes the ID of the seat.
ActiveSession encodes the currently active session if there is one. It is a structure consisting of session id and object path.
CanMultiSession encodes whether the session is multi-session capable, CanTTY whether it is suitable for text logins, CanGraphical whether it is suitable for graphical sessions.
The Sessions array is an array of all current sessions of this seat, each encoded in a structure consisting of the ID and the object path.
The IdleHint, IdleSinceHint, IdleSinceHint properties encode the idle state, similar to the one exposed on the Manager object, but specific for this seat.
User Objects
$ gdbus introspect --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1/user/500
node /org/freedesktop/login1/user/500 {
interface org.freedesktop.login1.User {
methods:
Terminate();
Kill(in s signal);
signals:
properties:
readonly u UID = 500;
readonly u GID = 500;
readonly s Name = 'lennart';
readonly t Timestamp = 1340822974613785;
readonly t TimestampMonotonic = 22320963;
readonly s RuntimePath = '/run/user/500';
readonly s DefaultControlGroup = 'name=systemd:/user/lennart';
readonly (so) Display = ('2', '/org/freedesktop/login1/session/2');
readonly s State = 'active';
readonly a(so) Sessions = [('2', '/org/freedesktop/login1/session/2')];
readonly b IdleHint = false;
readonly t IdleSinceHint = 1340873864854884;
readonly t IdleSinceHintMonotonic = 14409495315;
};
interface org.freedesktop.DBus.Properties {
};
interface org.freedesktop.DBus.Peer {
};
interface org.freedesktop.DBus.Introspectable {
};
};
Methods
Terminate() and Kill() work similar to the TerminateUser() resp. KillUser() calls on the manager object.
Signals
Whenever Sessions or the idle state changes PropertyChanged signals are sent out to which clients can subscribe.
Properties
The UID and GID properties encode the Unix UID and primary GID of the user.
The Name property encodes the user name.
Timestamp and TimestampMonotonic encode the login time of the user in usec since the epoch, in the CLOCK_REALTIME resp. CLOCK_MONOTONIC clocks.
RuntimePath encodes the runtime path of the user, i.e. $XDG_RUNTIME_DIR, for details see the XDG Basedir Specification.
DefaultControlGroup encodes the default control group of the user within the system hierarchy.
Display encodes which graphical session should be used as primary UI display for the use. It is a structure encoding session ID and object path of the session to use.
State encodes the user state, one of "offline", "lingering", "online", "active", "closing". See sd_uid_get_state(3) for more information about the states.
Sessions is an array of structures encoding all current sessions of the user. Each structure consists of ID and object path.
The IdleHint, IdleSinceHint, IdleSinceHintMonotonic properties encode the idle hint state of the user, similar to the Manager's properties, but specific for this user.
Session Objects
$ gdbus introspect --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1/session/2
node /org/freedesktop/login1/session/2 {
interface org.freedesktop.login1.Session {
methods:
Terminate();
Activate();
Lock();
Unlock();
SetIdleHint(in b b);
Kill(in s who,
in s signal);
signals:
Lock();
Unlock();
properties:
readonly s Id = '2';
readonly (uo) User = (500, '/org/freedesktop/login1/user/500');
readonly s Name = 'lennart';
readonly t Timestamp = 1340822974628160;
readonly t TimestampMonotonic = 22335339;
readonly s DefaultControlGroup = 'name=systemd:/user/lennart/2';
readonly u VTNr = 2;
readonly (so) Seat = ('seat0', '/org/freedesktop/login1/seat/seat0');
readonly s TTY = '';
readonly s Display = ':0';
readonly b Remote = false;
readonly s RemoteHost = '';
readonly s RemoteUser = '';
readonly s Service = 'gdm-password';
readonly u Leader = 905;
readonly u Audit = 2;
readonly s Type = 'x11';
readonly s Class = 'user';
readonly b Active = true;
readonly s State = 'active';
readonly as Controllers = [];
readonly as ResetControllers = [];
readonly b KillProcesses = false;
readonly b IdleHint = false;
readonly t IdleSinceHint = 1340873864854884;
readonly t IdleSinceHintMonotonic = 14409495315;
};
interface org.freedesktop.DBus.Properties {
};
interface org.freedesktop.DBus.Peer {
};
interface org.freedesktop.DBus.Introspectable {
};
};
Methods
Terminate(), Activate(), Lock(), Unlock(), Kill() work similar to the respective calls on the Manager object.
SetIdleHint() shall be called by the session object to update the idle state of the session, whenever it changes.
Signals
Whenever Active or the idle state changes PropertyChanged signals are sent out to which clients can subscribe.
Lock (resp. Unlock) is sent when the session is asked to be screen-locked/screen-unlocked. A session manager of the session should listen to this signal and act accordingly. This signal is sent out as a result of the Lock() resp. Unlock() methods.
Properties
Id encodes the session ID.
User encodes the user ID of the user this session belongs to. This is a structure encoding the Unix UID and the object path.
Name encodes the user name.
Timestamp and TimestampMonotonic encode the usec timestamp since the epoch when the session was created, in CLOCK_REALTIME resp. CLOCK_MONOTONIC.
DefaultControlGroup encodes the default control group of the session, in systemd's own cgroup hierarchy.
VTNr encodes the virtual terminal number of the session if there is any, 0 otherwise.
Seat encodes the seat this session belongs to, if there is any. This is a structure consisting of the ID and the seat object path.
TTY encodes the kernel TTY path of the session if this is a text login. If not this is an empty string.
Display encodes the X11 display name if this is a graphical login. If not this is an empty string.
Remote encodes whether the session is local or remote.
RemoteHost and RemoteUser encode the remote host and user if this is a remote session, or an empty string otherwise.
Service encodes the PAM service name that registered the session.
Leader encodes the PID of the process that registered the session.
Audit encodes the Kernel Audit session ID of the session, if auditing is available.
Type encodes the session type. It's one of "unspecified" (for cron PAM sessions and suchlike), "tty" (for text logins) or "x11" (for graphical logins).
Class encodes the session class. It's one of "user" (for normal user sessions), "greeter" (for display manager pseudo-sessions), "lock-screen" (for display lock screens).
Active is a boolean that is true if the session is active, i.e. currently in the foreground. This field is semi-redundant due to State.
State encodes the session state and one of "online", "active", "closing". See sd_session_get_state(3) for more information about the states.
Controllers and ResetControllers encode the cgroup controllers this session has been explicitly added to/remove from, using pam_systemd's command line.
KillProcesses encodes whether the processes of this session shall be killed if the session ends. It's also controllable on pam_systemd's command line.
IdleHint, IdleSinceHint, IdleSinceHintMonotonic encapsulate the idle hint state of this session, similar to how the respective properties on the manager object do it for the whole system.
These D-Bus interfaces follow the usual interface versioning guidelines.