RFE: machinectl to provide starting new session on local machine #825

Closed
ignatenkobrain opened this issue Aug 1, 2015 · 8 comments
Labels
machine RFE 🎁 Request for Enhancement, i.e. a feature request

@ignatenkobrain
Member

ssh root@ + echo $XDG_RUNTIME_DIR --> /run/user/0
ssh user@ + su - root + echo $XDG_RUNTIME_DIR --> nothing

# rpm -q kernel pam systemd
kernel-4.2.0-0.rc4.git2.1.fc24.armv7hl
pam-1.2.1-1.fc23.armv7hl
systemd-224-1.fc24.armv7hl

Something interesting from logs.

Aug 01 14:59:56 cubietruck.localdomain su[1980]: pam_systemd(su-l:session): Cannot create session: Already running in a session

Now I'm using kdbus.

@poettering
Member

Well, there have been long discussions about this, but the problem is that what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (uid, gid, env, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: "su" is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one.

This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that's UNIX...
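
A script that may be started from a `su` shell can verify `XDG_RUNTIME_DIR` before using it, rather than assuming a full login. The following is an added example, not part of the issue thread or of systemd; `check_runtime_dir` and `check_current` are hypothetical names, GNU `stat` is assumed, and the ownership and 0700 requirements are taken from the XDG Base Directory specification.

```shell
#!/bin/sh
# Added example (not from the thread): classify an XDG_RUNTIME_DIR value
# for a given uid. Prints exactly one of:
#   unset       value is empty (what the thread says "su -" leaves behind)
#   missing     value is not an existing directory (symlinks are rejected)
#   foreign     directory is owned by a different uid than the caller
#   loose-mode  directory is ours but its mode is not 0700
#   ok          directory exists, is owned by the uid and has mode 0700
# Returns 0 only for "ok". Assumes GNU stat (stat -c).
check_runtime_dir() {
    dir=$1
    want_uid=$2

    if [ -z "$dir" ]; then
        echo unset; return 1
    fi
    # A runtime dir must be a real directory, not a link to one.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo missing; return 1
    fi

    owner=$(stat -c %u "$dir") || { echo missing; return 1; }
    mode=$(stat -c %a "$dir")  || { echo missing; return 1; }

    if [ "$owner" != "$want_uid" ]; then
        echo foreign; return 1
    fi
    if [ "$mode" != "700" ]; then
        echo loose-mode; return 1
    fi
    echo ok
}

# Convenience wrapper: check the value in the current environment
# against the current effective uid.
check_current() {
    check_runtime_dir "${XDG_RUNTIME_DIR-}" "$(id -u)"
}
```

Callers should treat every result other than `ok` as "no session runtime directory available" and fall back to a private temporary directory or refuse to start.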

@ignatenkobrain
Member Author

@poettering thanks for the answer. How is it supposed to be in the future? How should I do a full login without creating a new ssh session?

@poettering
Member

Well, you can use su and sudo as before, but don't expect that it will work in full, because it never did.

I am not aware of a commonly used tool besides ssh that would give you a completely fresh login locally without inheriting anything. I figure "machinectl login" could be updated to do that though...

@ignatenkobrain ignatenkobrain changed the title pam_systemd: doesn't set $XDG_RUNTIME_DIR when doing su - RFE: udpate "machinectl login" to provide starting new session on local machine Aug 5, 2015
@ignatenkobrain
Member Author

@poettering so, can we reopen this bug with new title (feature request for machinectl)?

@poettering poettering added RFE 🎁 Request for Enhancement, i.e. a feature request machine and removed login labels Aug 5, 2015
@poettering poettering reopened this Aug 5, 2015
@poettering
Member

Sure. Here we go.

BTW, thinking about that, we might even want to add a new "machinectl shell" or so, which is like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

@ignatenkobrain
Member Author

machinectl shell
like "machinectl login" but gives you a shell right away, and sets PAMName=login so that we get a full login session...

sounds very good!

Let me know if I can help (probably with testing or so)!

@ignatenkobrain ignatenkobrain changed the title RFE: udpate "machinectl login" to provide starting new session on local machine RFE: machinectl to provide starting new session on local machine Aug 6, 2015
@poettering
Member

This has been implemented by #1022 a few days ago.

@ignatenkobrain
Member Author

Thank you! It works perfectly!

fpletz pushed a commit to NixOS/nixpkgs that referenced this issue Sep 23, 2016
Using nsenter+su was suboptimal since the environment they provided was
not quite the same as the real container environment. See [1] for more
background.

Note that we directly invoke /bin/sh for `nixos-container root-login`
since setting the user's shell is quite complex. See [2] for a related
systemd issue.

[1]: systemd/systemd#825 (comment)
[2]: systemd/systemd#1395
acowley pushed a commit to acowley/nixpkgs that referenced this issue Sep 29, 2016