[systemd-devel] logind, su - sessions and initscripts compatibility

Andrei Borzenkov arvidjaar at gmail.com
Fri Dec 19 08:58:11 PST 2014 

В Fri, 19 Dec 2014 11:16:58 -0500
worley at alum.mit.edu (Dale R. Worley) пишет:

> Simon McVittie <simon.mcvittie at collabora.co.uk> writes:
> > On 18/12/14 14:10, Dale R. Worley wrote:
> >> Simon McVittie <simon.mcvittie at collabora.co.uk> writes:
> >>> On 18/12/14 08:05, Andrei Borzenkov wrote:
> >>>> Any initscript that is using "su -" would [cause badness]
> >>>
> >>> Don't do that then? Init scripts are fairly clearly not login sessions.
> >>> Which init scripts do that?
> >> 
> >> More to the point, why would an initscript do that, since it's *already*
> >> running as root?
> >
> > su isn't just for becoming root; it can also cause transitions from root
> > to a less privileged user ("su -c 'my-app-clear-cache' daemon" is one
> > example of something that an init script might want to do).
> 
> Yeah, ack, that was my mistake.  I was confusing "su", "su [user]", and
> "su - [user]".  But the question is about the "su - [user]" form, which
> is basically intended to start a new login session (as far as I can see
> from the man page), since it gives the user's shell a "-" in argv[0],
> which is intended to instruct the shell to run the user's
> initializations, etc.
> 
> Which means that the question I should have asked is "Why would an
> initscript use 'su -', as that is intended to start a new login
> session?"
> 

There is not a single word about "login session" in su man page.
It says it starts "login shell" - but "login session" is not created by
shell so I do not see where you draw this conclusion from.

The primary reason to use "su -" in this cases is a) get a clean
environment and b) make started shell read usual startup files to
ensure some known state for running programs. Actually the only
difference between "login" and "non login" shells is which startup
files are processed.

> Frederic Crozat <fcrozat at suse.com> writes:
> > Unfortunately, we don't always have a choice, when initscripts are not
> > shipped as part of packages in the distribution but shipped by an ISV or
> > a random external software :(
> 
> And it seems that the answer is, "They do that, even if we think they
> shouldn't."
>

Please give a link to systemd documentation where it says "you should
not do it".

More information about the systemd-devel mailing list