systemctl hibernate asks for auth when swapfile in /home #31100

Closed
baldrianbandit opened this issue Jan 26, 2024 · 8 comments

@baldrianbandit

systemd version the issue has been seen with

255

Used distribution

arch

Linux kernel version used

6.7.1-arch1-1

CPU architectures issue was seen on

x86_64

Component

systemctl

Expected behaviour you didn't see

systemctl hibernate as regular user acting w/o further authentication

Unexpected behaviour you saw

systemctl hibernate asks for authentication while e.g. systemctl suspend and systemctl reboot do not

Steps to reproduce the problem

  • Have an LVM volume other than root, e.g. /home
  • Create a swapfile there, e.g. /home/swapfile and swapon it
  • Have an active swapfile on / or not, doesn't make a difference
  • Run systemctl hibernate and get asked for authentication
  • Swapoff /home/swapfile and swapon /swapfile
  • Run systemctl hibernate w/o being asked for authentication

Additional program output to the terminal or log subsystem illustrating the issue

## unexpected behaviour when
swapon
NAME           TYPE SIZE USED PRIO
/home/swapfile file  16G   0B   -2
systemctl hibernate
Call to Hibernate failed: No such file or directory
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
Authentication is required to start 'hibernate.target'.
Authenticating as: anarki
Password:

## expected behaviour when
swapon
NAME           TYPE SIZE USED PRIO
/swapfile      file  16G   0B   -2
systemctl hibernate
## machine hibernates

## partition scheme
lsblk
NAME                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1                  259:0    0 238.5G  0 disk
├─nvme0n1p1              259:1    0   500M  0 part  /boot
└─nvme0n1p2              259:2    0   238G  0 part
  └─butterblumevg        254:0    0   238G  0 crypt
    ├─butterblumevg-root 254:1    0    25G  0 lvm   /
    └─butterblumevg-home 254:2    0   213G  0 lvm   /home

@baldrianbandit baldrianbandit added the bug 🐛 Programming errors, that need preferential fixing label Jan 26, 2024
@baldrianbandit
Author

Although systemctl comments the first case with "Call to Hibernate failed: No such file or directory", like in #30083, the machine still does hibernate and resume correctly.

@YHNdnzj
Member

YHNdnzj commented Jan 26, 2024

systemd-logind.service has ProtectHome=yes, meaning that it cannot access/find swapfiles under /home/, and systemctl falls back to starting hibernate.target directly.

IOW, swapfile under /home/ is not supported, and it really isn't a good fit either. If you really want to stick to it, please edit systemd-logind.service to disable ProtectHome=. But there's nothing actionable for us upstream.

@YHNdnzj YHNdnzj added not-supported not-a-bug logind and removed bug 🐛 Programming errors, that need preferential fixing labels Jan 26, 2024
@YHNdnzj
Member

YHNdnzj commented Jan 26, 2024

And this has nothing to do with LVM. It shall only happen when your swapfile is under /home/, LVM or not.

@baldrianbandit
Author

baldrianbandit commented Jan 26, 2024

> systemd-logind.service has ProtectHome=yes, meaning that it cannot access/find swapfiles under /home/, and systemctl falls back to starting hibernate.target directly.
>
> IOW, swapfile under /home/ is not supported, and it really isn't a good fit either. If you really want to stick to it, please edit systemd-logind.service to disable ProtectHome=. But there's nothing actionable for us upstream.

  • systemctl edit systemd-logind.service
  • insert ProtectHome=no
  • restart systemd-logind.service
  • systemctl hibernate asks for authentication

@YHNdnzj
Member

YHNdnzj commented Jan 26, 2024

Please provide the output of systemctl cat systemd-logind.service.

@baldrianbandit
Author

baldrianbandit commented Jan 26, 2024

# /usr/lib/systemd/system/systemd-logind.service
#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=User Login Management
Documentation=man:sd-login(3)
Documentation=man:systemd-logind.service(8)
Documentation=man:logind.conf(5)
Documentation=man:org.freedesktop.login1(5)

Wants=user.slice modprobe@drm.service
After=nss-user-lookup.target user.slice modprobe@drm.service

# Ask for the dbus socket.
Wants=dbus.socket
After=dbus.socket

[Service]
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
DeviceAllow=block-* r
DeviceAllow=char-/dev/console rw
DeviceAllow=char-drm rw
DeviceAllow=char-input rw
DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw
ExecStart=/usr/lib/systemd/systemd-logind
FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateTmp=yes
# We don't use ProtectProc= since we need to look for usernames and tty for wall messages
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict
ReadWritePaths=/etc /run
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
StateDirectory=systemd/linger
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify-reload
WatchdogSec=3min

# Increase the default a bit in order to allow many simultaneous logins since
# we keep one fd open per session.
LimitNOFILE=524288

# /etc/systemd/system/systemd-logind.service.d/override.conf
ProtectHome=no

@YHNdnzj
Member

YHNdnzj commented Jan 26, 2024

The drop-in file still needs a section header, i.e. /etc/systemd/system/systemd-logind.service.d/override.conf should be:

[Service]
ProtectHome=no

@baldrianbandit
Author

> The drop-in file still needs a section header, i.e. /etc/systemd/system/systemd-logind.service.d/override.conf should be:
>
> [Service]
> ProtectHome=no

Now the setting indeed makes a difference: systemctl hibernate is not asking for authentication anymore. Thank you. Closing.

@baldrianbandit baldrianbandit changed the title from "systemctl hibernate asks for auth when swapfile on lvm volume other than root" to "systemctl hibernate asks for auth when swapfile in /home" Jan 26, 2024
@mrc0mmand mrc0mmand added login and removed logind labels Apr 19, 2024
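
The two failure modes in this thread can be checked mechanically: a swap file under a directory that ProtectHome=yes hides from systemd-logind, and a drop-in whose setting sits above any section header. The script below is an added example, not part of the original thread or of systemd; the function names `hidden_swapfiles` and `orphan_settings` and the sample files are constructed for illustration, and the directory list (/home, /root, /run/user) is the one documented for ProtectHome= in systemd.exec(5).

```shell
#!/bin/sh
# Added example (not from the thread): function names and sample data are constructed.

# hidden_swapfiles FILE: FILE is in /proc/swaps format. Prints active swap
# *files* located under a directory that ProtectHome=yes makes inaccessible
# to the service (/home, /root, /run/user), i.e. the ones logind cannot find.
hidden_swapfiles() {
    awk 'NR > 1 && $2 == "file" && $1 ~ "^/(home|root|run/user)/" { print $1 }' "$1"
}

# orphan_settings FILE: prints "LINE:TEXT" for each Key=Value line placed
# before the first [Section] header of a unit drop-in. Such lines are not
# applied, which is why the first override.conf in the thread had no effect.
orphan_settings() {
    awk '
        /^[ \t]*([#;].*)?$/ { next }            # skip blank lines and comments
        /^[ \t]*\[[^]]+\]/  { exit }            # first section header: stop
        /=/                 { print NR ":" $0 } # assignment with no section
    ' "$1"
}

# Constructed samples mirroring the thread (not captured from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/swaps" <<'EOF'
Filename                                Type            Size            Used            Priority
/home/swapfile                          file            16777212        0               -2
/swapfile                               file            16777212        0               -3
/dev/dm-3                               partition       8388604         0               -4
EOF
printf 'ProtectHome=no\n' > "$sample_dir/broken.conf"
printf '[Service]\nProtectHome=no\n' > "$sample_dir/fixed.conf"

echo "swap files hidden from a ProtectHome=yes service:"
hidden_swapfiles "$sample_dir/swaps"
echo "settings outside any section in broken.conf:"
orphan_settings "$sample_dir/broken.conf"
echo "settings outside any section in fixed.conf (expect none):"
orphan_settings "$sample_dir/fixed.conf"
```

On a live system, pass /proc/swaps to the first function and /etc/systemd/system/systemd-logind.service.d/override.conf to the second.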