RFE: machinectl to provide starting new session on local machine #825

Closed
ignatenkobrain opened this Issue Aug 1, 2015 · 8 comments


@ignatenkobrain

ssh root@ + echo $XDG_RUNTIME_DIR --> /run/user/0
ssh user@ + su - root + echo $XDG_RUNTIME_DIR --> nothing

# rpm -q kernel pam systemd
kernel-4.2.0-0.rc4.git2.1.fc24.armv7hl
pam-1.2.1-1.fc23.armv7hl
systemd-224-1.fc24.armv7hl

Something interesting from logs.

Aug 01 14:59:56 cubietruck.localdomain su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session

Now I'm using kdbus.

@poettering
systemd member

Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: "su" is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one.

This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that's UNIX...

@poettering poettering closed this Aug 5, 2015
@poettering poettering added the login label Aug 5, 2015
@ignatenkobrain

@poettering thanks for the answer. How is it supposed to be in the future? How should I do a full login without creating a new ssh session?

@poettering
systemd member

Well, you can use su and sudo as before, but don't expect that it will work in full, because it never did.

I am not aware of a commonly used tool besides ssh that would give you a completely fresh login locally without inheriting anything. I figure "machinectl login" could be updated to do that though...

@ignatenkobrain ignatenkobrain changed the title from pam_systemd: doesn't set $XDG_RUNTIME_DIR when doing `su -` to RFE: udpate "machinectl login" to provide starting new session on local machine Aug 5, 2015
@ignatenkobrain

@poettering so, can we reopen this bug with new title (feature request for machinectl)?

@poettering poettering added RFE machine and removed login labels Aug 5, 2015
@poettering poettering reopened this Aug 5, 2015
@poettering
systemd member

Sure. Here we go.

BTW, thinking about that, we might even want to add a new "machinectl shell" or so, which is like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

@ignatenkobrain

machinectl shell
like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

sounds very good!

Let me know if I can help (probably with testing or so)!

@ignatenkobrain ignatenkobrain changed the title from RFE: udpate "machinectl login" to provide starting new session on local machine to RFE: machinectl to provide starting new session on local machine Aug 6, 2015
@poettering
systemd member

This has been implemented by #1022 a few days ago.

@poettering poettering closed this Aug 27, 2015
@ignatenkobrain

Thank you! It works perfectly!
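
The difference discussed in this thread (a uid switched with su inside an inherited session versus a full login) can be checked from inside a shell. The following is an added example, not code from the thread or from systemd: `classify_context` and `current_context` are hypothetical helper names, and the check assumes the kernel exposes the audit login uid at /proc/self/loginuid and that a full login has XDG_RUNTIME_DIR set to /run/user/UID, as in the report above.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# classify_context EUID LOGINUID XDG_RUNTIME_DIR
#   EUID            - uid the shell currently runs as (id -u)
#   LOGINUID        - audit login uid, fixed when the session was opened
#   XDG_RUNTIME_DIR - value of the variable, empty if unset
classify_context() {
    euid=$1
    loginuid=$2
    rtdir=$3

    # 4294967295 is (uid_t)-1: no login uid was ever assigned to this process.
    if [ -z "$loginuid" ] || [ "$loginuid" = "4294967295" ]; then
        echo "no-login-session"
        return 0
    fi

    # The audit identity is not transitioned by su, so a mismatch means the
    # uid was changed inside a session that someone else opened.
    if [ "$euid" != "$loginuid" ]; then
        if [ -z "$rtdir" ]; then
            echo "switched-uid-in-inherited-session"
        else
            echo "switched-uid-runtime-dir-set"
        fi
        return 0
    fi

    # Same identity as the session owner: expect the per-user runtime dir.
    if [ "$rtdir" = "/run/user/$euid" ]; then
        echo "full-login"
    else
        echo "login-without-runtime-dir"
    fi
}

# Classify the shell this script runs in.
current_context() {
    lu=$(cat /proc/self/loginuid 2>/dev/null || true)
    classify_context "$(id -u)" "$lu" "${XDG_RUNTIME_DIR:-}"
}

# Run the live check only when asked, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    current_context
fi
```

For the two cases in the original report, `ssh root@` corresponds to `classify_context 0 0 /run/user/0` and `su - root` from a uid 1000 login (a constructed uid) to `classify_context 0 1000 ""`.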
