First let me explain what my current (non-systemd) setup does:
On login, a script is run from rc.local that does the following:
* create /tmp/<grp>/<usr> for each user in a particular group
* symlink /tmp/<grp>/<usr>/.bash* to /home/<grp>/<usr>/.bash*
/tmp/<grp>/<usr> is the home directory of each user in that group. When a user logs in, .bash_profile is sourced and a script populates /tmp/<grp>/<usr> with symlinks to selected files in /home/<grp>/<usr>.* The purpose of this system is to give the user control over dot file spam and what is written to the disk (/tmp is tmpfs and swap is encrypted).
In addition to that, a subgroup of that group has encrypted home directories that are mounted with pam_mount on login. These are mounted on /home/<grp>/<usr>/ and symlinked as above.
In both cases, the "effective" home directory of the user is /tmp/<grp>/<usr> while the "real" home directory is /home/<grp>/<usr>.
What I would like to do is give each user his own nested tmpfs home directory inside /home, e.g. /home/<grp>/<usr>/tmp. That should be easy enough to do with pam_mount but as there is no encryption involved, I wonder if I can do it with systemd. If so, please point me in the right direction. I expect a systemd solution to be less susceptible to breakage than fully relying on pam_mount.
The next step is ensuring that the necessary symlinks exist when the user logs in. My initial approach used a custom file in /etc/profile.d that would be sourced before attempting to source the user's profile, but that only works when invoking login shells (e.g. su -l), not otherwise (e.g. su). The same problem arises when using a custom script as a login shell.
Nevertheless, I wonder if it is possible to use some systemd hook to symlink the .bash_profile after mount but before the user's shell is invoked? I think it's possible to create "oneshot" .service units that are launched after a .mount/.automount unit, but I doubt that would work before the user's shell is running.
So what would be the best way to ensure that the tmpfs directory exists when the user logs in, and that the user's shell can source the target profile file? Ideally I would like to have the directory cleared when the last user session ends, but that is not critical.
To complicate it a little bit more, what would be the best approach for doing the same with the encrypted mounts:
* encrypted directory mounted on /home/<grp>/<usr>/ by pam_mount on login
* tmpfs directory mounted on /home/<grp>/<usr>/tmp by systemd on login?
* .bash_profile symlinked before user's shell is running
* tmpfs unmounted on logout
* encrypted directory unmounted and closed on logout
Of course, if systemd could do all of this then I wouldn't mind dropping pam_mount, even if I had to input two passwords on the initial mount (I would like to use a different password anyway).
Any input would be appreciated. I want to have a solid plan before I implement this and I'm sure that some of you will have much better ideas than mine.
Last edited by Xyne (2012-10-29 01:02:02)
Sorry that I dropped the ball on this, I promised to check it out, but forgot :-S
I don't think I (nor systemd) will be able to be very helpful at the moment. At the moment systemd is only used as the system manager, and not yet as the session manager, so these sorts of things can easily be done with systemd at the system level (i.e., not inside /home, and not depending on a user or a session), but to use the same logic for your session, you really want to be using "systemd --user" as your session manager, and that's not yet ready afaik.
I'd stay with pam for the time being, but revisit the problem once your DE is using systemd --user.
If anyone stumbles across this, my solution in the end was to create tmpfs home directories per user with pam_mount and use a custom file in /etc/profile.d to handle the initial symlinks. It doesn't handle "su" as I would like, but "su -l" and normal logins work well.
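Added example (not Xyne's script, which is not posted in the thread): the symlink step from the /etc/profile.d approach described above, written as shell functions with the checks a practitioner would want before linking a real home directory into a directory under a world-writable /tmp. The function names, the `/etc/profile.d/tmphome.sh` filename in the comments and the group/user layout are assumptions for illustration; pam_mount itself is not shown.

```shell
#!/bin/sh
# Example profile.d helper (assumed name: /etc/profile.d/tmphome.sh).
# Populates a tmpfs "effective" home with symlinks to selected dotfiles in the
# "real" home, the way the thread describes. Safeguards:
#   - the tmp home must exist, be owned by the caller and not be writable by
#     others (a pre-created directory in /tmp could otherwise be an attacker's)
#   - names must be plain filenames, no path components
#   - a real file already in the tmp home is never replaced; only symlinks are
#     rewritten, so a stale or foreign link is fixed but user data is kept
#   - missing source files are skipped instead of creating dangling links

# is_tmpfs_mount DIR: succeed only if /proc/mounts lists DIR as a tmpfs mount.
# Without /proc/mounts (non-Linux) this fails closed.
is_tmpfs_mount() {
    awk -v d="$1" '$2 == d && $3 == "tmpfs" { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# link_dotfiles REAL_HOME TMP_HOME NAME...
# Creates TMP_HOME/NAME -> REAL_HOME/NAME for each NAME. Idempotent.
link_dotfiles() {
    real_home=$1
    tmp_home=$2
    shift 2

    [ -d "$real_home" ] || { echo "real home missing: $real_home" >&2; return 1; }
    [ -d "$tmp_home" ]  || { echo "tmp home missing: $tmp_home" >&2; return 1; }
    # -O: owned by the effective uid of the caller
    [ -O "$tmp_home" ]  || { echo "tmp home not owned by caller: $tmp_home" >&2; return 1; }
    # -perm -002: others have write permission; -prune keeps find at the dir itself
    if [ -n "$(find "$tmp_home" -prune -perm -002 2>/dev/null)" ]; then
        echo "tmp home is world-writable, refusing: $tmp_home" >&2
        return 1
    fi

    for name in "$@"; do
        case "$name" in
            ''|.|..|*/*) echo "refusing bad name: $name" >&2; return 1 ;;
        esac
        src="$real_home/$name"
        dst="$tmp_home/$name"
        if [ ! -e "$src" ]; then
            echo "skipping, source missing: $src" >&2
            continue
        fi
        if [ -L "$dst" ]; then
            # already correct? then nothing to do; otherwise replace the link
            if [ "$(readlink "$dst")" = "$src" ]; then
                continue
            fi
            rm -f "$dst"
        elif [ -e "$dst" ]; then
            echo "leaving non-symlink in place: $dst" >&2
            continue
        fi
        ln -s "$src" "$dst"
    done
    return 0
}

# Intended call from the profile.d file, once per login shell (assumed layout):
#   grp=somegroup
#   link_dotfiles "/home/$grp/$USER" "/tmp/$grp/$USER" .bash_profile .bashrc .inputrc
```

The profile.d script only runs for login shells, which is the `su` limitation the post mentions; these functions do not change that, they just make the symlink step safe to re-run on every login.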