RFE: machinectl to provide starting new session on local machine #825

Closed
ignatenkobrain opened this Issue Aug 1, 2015 · 8 comments


2 participants
@ignatenkobrain
Member

ignatenkobrain commented Aug 1, 2015

ssh root@ + echo $XDG_RUNTIME_DIR --> /run/user/0
ssh user@ + su - root + echo $XDG_RUNTIME_DIR --> nothing

# rpm -q kernel pam systemd
kernel-4.2.0-0.rc4.git2.1.fc24.armv7hl
pam-1.2.1-1.fc23.armv7hl
systemd-224-1.fc24.armv7hl

Something interesting from logs.

Aug 01 14:59:56 cubietruck.localdomain su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session

Now I'm using kdbus.

Member

poettering commented Aug 5, 2015

Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: "su" is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one.

This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that's UNIX...
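As an added check (not code from this issue or from systemd itself): a POSIX sh function that classifies the shell it runs in from its uid, XDG_RUNTIME_DIR and XDG_SESSION_ID, so you can tell a full logind login apart from a shell inherited through su/sudo, where pam_systemd leaves the runtime dir unset as described above. The variable names are the standard logind ones; the four labels are my own, and the hint about `machinectl shell` refers to the command this request ended up producing.

```shell
#!/bin/sh
# Added example, not code from the systemd issue or from systemd itself.
# Classifies a shell's session from three inputs so the result can be
# checked against constructed values as well as the live environment.
# Assumes a systemd-logind host, where a full login exports
# XDG_RUNTIME_DIR=/run/user/<uid> and XDG_SESSION_ID.

# session_kind UID RUNTIME_DIR SESSION_ID  -> prints one of:
#   full       runtime dir matches the uid and a logind session id is present
#   inherited  runtime dir unset: the shell came from su/sudo inside another
#              session (pam_systemd logs "Already running in a session")
#   mismatch   runtime dir belongs to a different uid: the variable was carried
#              over instead of reset, so `systemctl --user` and anything else
#              reading $XDG_RUNTIME_DIR would touch another user's runtime dir
#   partial    runtime dir looks right but no session id accompanies it
session_kind() {
    uid=$1
    rundir=$2
    sid=$3
    if [ -z "$rundir" ]; then
        echo inherited
    elif [ "$rundir" != "/run/user/$uid" ]; then
        echo mismatch
    elif [ -z "$sid" ]; then
        echo partial
    else
        echo full
    fi
}

# Live check of the shell this script runs in.
me=$(id -u)
kind=$(session_kind "$me" "${XDG_RUNTIME_DIR-}" "${XDG_SESSION_ID-}")
echo "uid $me: session is $kind"
if [ "$kind" != full ]; then
    # A fresh local login session, not inherited from the caller, is what
    # 'machinectl shell root@.host' provides (".host" selects the local host).
    echo "hint: not a full login session; use machinectl shell for one" >&2
fi
```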

@poettering poettering closed this Aug 5, 2015

@poettering poettering added the login label Aug 5, 2015

Member

ignatenkobrain commented Aug 5, 2015

@poettering thanks for the answer. How is it supposed to be in the future? How should I do a full login without creating a new ssh session?

Member

poettering commented Aug 5, 2015

Well, you can use su and sudo as before, but don't expect that it will work in full, because it never did.

I am not aware of a commonly used tool besides ssh that would give you a completely fresh login locally without inheriting anything. I figure "machinectl login" could be updated to do that though...

@ignatenkobrain ignatenkobrain changed the title from pam_systemd: doesn't set $XDG_RUNTIME_DIR when doing `su -` to RFE: udpate "machinectl login" to provide starting new session on local machine Aug 5, 2015

Member

ignatenkobrain commented Aug 5, 2015

@poettering so, can we reopen this bug with new title (feature request for machinectl)?

@poettering poettering added RFE 🎁 machine and removed login labels Aug 5, 2015

@poettering poettering reopened this Aug 5, 2015

Member

poettering commented Aug 5, 2015

Sure. Here we go.

BTW, thinking about that, we might even want to add a new "machinectl shell" or so, which is like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

Member

ignatenkobrain commented Aug 5, 2015

machinectl shell
like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

sounds very good!

Let me know if I can help (probably with testing or so)!

@ignatenkobrain ignatenkobrain changed the title from RFE: udpate "machinectl login" to provide starting new session on local machine to RFE: machinectl to provide starting new session on local machine Aug 6, 2015

Member

poettering commented Aug 27, 2015

This has been implemented by #1022 a few days ago.

@poettering poettering closed this Aug 27, 2015

Member

ignatenkobrain commented Aug 29, 2015

Thank you! It works perfectly!

wlhlm added a commit to wlhlm/nixpkgs that referenced this issue Sep 21, 2016

nixos-container: Use machinectl shell
Using nsenter+su was suboptimal since the environment they provided was
not quite the same as the real container environment. See [1] for more
background.

Note that we directly invoke /bin/sh for `nixos-container root-login`
since setting the user's shell is quite complex. See [2] for a related
systemd issue.

[1]: systemd/systemd#825 (comment)
[2]: systemd/systemd#1395

wlhlm added a commit to wlhlm/nixpkgs that referenced this issue Sep 22, 2016

nixos-container: Use machinectl shell

fpletz added a commit to NixOS/nixpkgs that referenced this issue Sep 23, 2016

nixos-container: Use machinectl shell (#18825)

srhb added a commit to srhb/nixpkgs that referenced this issue Sep 28, 2016

nixos-container: Use machinectl shell (#18825)

acowley added a commit to acowley/nixpkgs that referenced this issue Sep 29, 2016

nixos-container: Use machinectl shell (#18825)

@seirl seirl referenced this issue in ansible/ansible May 7, 2018

Merged

Add a 'machinectl shell' become_method #39826
