72 lines
1.9 KiB
INI
72 lines
1.9 KiB
INI
[Unit]
|
|
Description=Accounts Service
|
|
|
|
# In order to avoid races with identity-providing services like SSSD or
|
|
# winbind, we need to ensure that Accounts Service starts after
|
|
# nss-user-lookup.target
|
|
After=nss-user-lookup.target
|
|
Wants=nss-user-lookup.target
|
|
|
|
[Service]
|
|
Type=dbus
|
|
BusName=org.freedesktop.Accounts
|
|
ExecStart=/usr/libexec/accounts-daemon
|
|
Environment=GVFS_DISABLE_FUSE=1
|
|
Environment=GIO_USE_VFS=local
|
|
Environment=GVFS_REMOTE_VOLUME_MONITOR_IGNORE=1
|
|
|
|
StateDirectory=AccountsService
|
|
StateDirectoryMode=0775
|
|
|
|
ProtectSystem=strict
|
|
PrivateDevices=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectControlGroups=true
|
|
# Write access is needed to create home directories:
|
|
ProtectHome=false
|
|
# Needed sometime for data shared like icons
|
|
PrivateTmp=false
|
|
PrivateNetwork=true
|
|
# We need access to the canonical user database:
|
|
PrivateUsers=false
|
|
# For D-Bus:
|
|
RestrictAddressFamilies=AF_UNIX
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=~@mount
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
RestrictRealtime=true
|
|
RemoveIPC=true
|
|
|
|
# In addition to the below paths,
|
|
# - /var/lib/AccountsService/users/ and
|
|
# - /var/lib/AccountsService/icons/
|
|
# are read/written by the daemon. See StateDirectory= above.
|
|
#
|
|
# The paths in /etc are not directly modified by AccountsService, but by
|
|
# usermod, which it spawns.
|
|
#
|
|
# The paths in /var/log and /var/mail are touched by useradd/userdel when adding
|
|
# or deleting users.
|
|
ReadWritePaths=\
|
|
-/etc/gdm3/custom.conf \
|
|
/etc/ \
|
|
-/proc/self/loginuid \
|
|
-/var/log/lastlog \
|
|
-/var/log/tallylog \
|
|
-/var/mail/
|
|
ReadOnlyPaths=\
|
|
/usr/share/accountsservice/interfaces/ \
|
|
/usr/share/dbus-1/interfaces/ \
|
|
/var/log/wtmp \
|
|
/run/systemd/seats/
|
|
|
|
[Install]
|
|
# We pull this in by graphical.target instead of waiting for the bus
|
|
# activation, to speed things up a little: gdm uses this anyway so it is nice
|
|
# if it is already around when gdm wants to use it and doesn't have to wait for
|
|
# it.
|
|
WantedBy=graphical.target
|