RFE: machinectl to provide starting new session on local machine #825

Closed
ignatenkobrain opened this issue Aug 1, 2015 · 8 comments

@ignatenkobrain ignatenkobrain commented Aug 1, 2015

ssh root@ + echo $XDG_RUNTIME_DIR --> /run/user/0
ssh user@ + su - root + echo $XDG_RUNTIME_DIR --> nothing

# rpm -q kernel pam systemd
kernel-4.2.0-0.rc4.git2.1.fc24.armv7hl
pam-1.2.1-1.fc23.armv7hl
systemd-224-1.fc24.armv7hl

Something interesting from logs.

Aug 01 14:59:56 cubietruck.localdomain su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session

Now I'm using kdbus.

@poettering poettering commented Aug 5, 2015

Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: "su" is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one.

This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that's UNIX...

@poettering poettering closed this Aug 5, 2015
@poettering poettering added the login label Aug 5, 2015
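
A check for the state described in the comment above, as an added example that is not part of the thread: it classifies `XDG_RUNTIME_DIR` against the current uid and prints the markers the comment lists as inherited (audit login uid, cgroup). The function names are hypothetical, and a Linux host with `/proc` and a `stat` that supports `-c` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# check_runtime_dir DIR UID
# Classify DIR as a runtime directory for user UID. The XDG Base Directory
# spec requires the directory to be owned by the user with mode 0700.
check_runtime_dir() {
    rd_dir=$1
    rd_uid=$2
    if [ -z "$rd_dir" ]; then echo unset; return 0; fi
    if [ ! -d "$rd_dir" ]; then echo missing; return 0; fi
    # stat -c is the GNU coreutils / busybox form (assumed: Linux host).
    rd_owner=$(stat -c %u "$rd_dir")
    rd_mode=$(stat -c %a "$rd_dir")
    if [ "$rd_owner" != "$rd_uid" ]; then echo foreign-owner; return 0; fi
    if [ "$rd_mode" != 700 ]; then echo bad-mode; return 0; fi
    echo ok
}

# session_report
# Print the current uid next to the markers the comment above lists as
# inherited (audit login uid, cgroup) and the state of XDG_RUNTIME_DIR.
session_report() {
    sr_uid=$(id -u)
    # The file is absent on kernels without audit; 4294967295 means "not set".
    sr_loginuid=$(cat /proc/self/loginuid 2>/dev/null || echo unavailable)
    sr_cgroup=$(tail -n 1 /proc/self/cgroup 2>/dev/null || true)
    echo "uid:             $sr_uid"
    echo "audit loginuid:  $sr_loginuid"
    echo "cgroup:          ${sr_cgroup:-unavailable}"
    echo "XDG_RUNTIME_DIR: $(check_runtime_dir "${XDG_RUNTIME_DIR:-}" "$sr_uid")"
    case $sr_loginuid in
        unavailable|4294967295|"$sr_uid") ;;
        *) echo "note: uid differs from audit loginuid (identity changed after login, su/sudo style)" ;;
    esac
    return 0
}

session_report
```

In a shell reached through `su -` as in the report, the expected classification is `unset`; `foreign-owner` or `bad-mode` indicates a variable carried over or set by hand rather than by a login session.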

@ignatenkobrain ignatenkobrain commented Aug 5, 2015

@poettering thanks for the answer. How is it supposed to be in the future? How should I do a full login without creating a new ssh session?

@poettering poettering commented Aug 5, 2015

Well, you can use su and sudo as before, but don't expect that it will work in full, because it never did.

I am not aware of a commonly used tool besides ssh that would give you a completely fresh login locally without inheriting anything. I figure "machinectl login" could be updated to do that though...

@ignatenkobrain ignatenkobrain changed the title pam_systemd: doesn't set $XDG_RUNTIME_DIR when doing `su -` RFE: udpate "machinectl login" to provide starting new session on local machine Aug 5, 2015

@ignatenkobrain ignatenkobrain commented Aug 5, 2015

@poettering so, can we reopen this bug with new title (feature request for machinectl)?

@poettering poettering added RFE 🎁 machine and removed login labels Aug 5, 2015
@poettering poettering reopened this Aug 5, 2015

@poettering poettering commented Aug 5, 2015

Sure. Here we go.

BTW, thinking about that, we might even want to add a new "machinectl shell" or so, which is like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

@ignatenkobrain ignatenkobrain commented Aug 5, 2015

> machinectl shell
> like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

sounds very good!

Let me know if I can help (probably with testing or so)!

@ignatenkobrain ignatenkobrain changed the title RFE: udpate "machinectl login" to provide starting new session on local machine RFE: machinectl to provide starting new session on local machine Aug 6, 2015

@poettering poettering commented Aug 27, 2015

This has been implemented by #1022 a few days ago.

@poettering poettering closed this Aug 27, 2015

@ignatenkobrain ignatenkobrain commented Aug 29, 2015

Thank you! It works perfectly!

fpletz added a commit to NixOS/nixpkgs that referenced this issue Sep 23, 2016
Using nsenter+su was suboptimal since the environment they provided was
not quite the same as the real container environment. See [1] for more
background.

Note that we directly invoke /bin/sh for `nixos-container root-login`
since setting the user's shell is quite complex. See [2] for a related
systemd issue.

[1]: systemd/systemd#825 (comment)
[2]: systemd/systemd#1395
acowley added a commit to acowley/nixpkgs that referenced this issue Sep 29, 2016