[systemd-devel] User services

Mike Kazantsev mk.fraggod at gmail.com
Mon Jan 23 05:59:13 PST 2012


On Mon, 23 Jan 2012 19:51:52 +0600
Mike Kazantsev <mk.fraggod at gmail.com> wrote:

> On Mon, 23 Jan 2012 09:16:52 +0100
> Christian Hesse <list at eworm.de> wrote:
> 
> > Hello everybody,
> > 
> > I think systemd caring about session is a great idea and I added
> > "kill-session-processes=1" to systemd's configuration in pam files.
> > However this brings some problems. (Two for me to be precise.)
> > 
> > First one was tmux. Detaching a tmux session and logging off used to kill the
> > tmux session as well. I fixed this with a patch by Ben Boeckel, adding pam
> > support to tmux. The tmux server now starts a pam session, thus systemd
> > no longer kills it. If anybody is interested:
> > http://www.eworm.de/download/linux/tmux-pam.patch
> > (Though the tmux maintainers are not willing to include it as they think it's a
> > design flaw in systemd to kill processes if a session ends.)
> > 
> > Ok, now my "real" problem. How about services started for a user?
> > ssh-agent for example suffers the same problem. I used to start one instance
> > per user, sharing socket information via temporary file. systemd kills
> > ssh-agent if my first session is closed, leaving all others without
> > authentication daemon.
> > 
> > Anybody with a solution for that?
> > I thought about a ssh-agent@.service file that has a service section like
> > that:
> > 
> > [Service]
> > Type=forking
> > User=%i
> > ExecStart=/usr/bin/ssh-agent > /run/ssh-agent@%i
> > 
> > But I could not find a solution how to start a process for a user. Any
> > thoughts, solutions, what else?
> 
> No solutions from me, sorry, but I think I can outline one more problem
> - "mount" command and fuse filesystems.
> 

Actually, as I was sending this, I remembered how I solved that
particular problem once.

I used a simple "cgrc" script to move current pid to "system" cgroup in
systemd hierarchy and then exec the rest of the argv.

This can only work as root (and I used it as root), since arbitrary pids
shouldn't be able to switch cgroups like that, but it should be
possible to make the same script check if it's running exactly in a
user session cgroup (not service) and then add some kind of suid to it,
so it'd give that exact privilege only to user session pids.


> If you do "mount /somewhere/something" as user (think remount from an
> ssh session on a server), fuse-created process (sshfs, unionfs, ...)
> will be spawned in user's session regardless of whether .mount unit
> exists for that particular mountpoint.
> When user exits, process will be killed, and any operation on the
> mountpoint will produce something like ESHUTDOWN, without really
> unmounting anything either.
> 
> 


-- 
Mike Kazantsev // fraggod.net
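
A sketch of the check described in this message (is the caller exactly in a user session cgroup, not a service), as an added example that is not the "cgrc" script itself and does not perform the cgroup move. It assumes the cgroup layout of current systemd (`/user.slice/user-<uid>.slice/session-<id>.scope`), which differs from the 2012 layout; the function names and sample lines are constructed.

```python
import re

# Assumption: current systemd layout for login sessions.
SESSION_RE = re.compile(r"/user\.slice/user-(\d+)\.slice/session-([A-Za-z0-9]+)\.scope")


def systemd_cgroup_path(cgroup_text):
    """Extract the systemd-hierarchy path from /proc/<pid>/cgroup content."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        hier_id, controllers, path = parts
        # cgroup v1: named hierarchy "name=systemd"; v2 unified: "0::<path>"
        if controllers == "name=systemd" or (hier_id == "0" and controllers == ""):
            return path
    return None


def session_of(cgroup_text, caller_uid):
    """Return the session id only if the process sits exactly in a login
    session scope owned by caller_uid; otherwise None (deny)."""
    path = systemd_cgroup_path(cgroup_text)
    if path is None:
        return None
    # fullmatch: any extra path component (e.g. a service below the
    # user slice) must not pass as a session.
    m = SESSION_RE.fullmatch(path)
    if m is None or int(m.group(1)) != caller_uid:
        return None
    return m.group(2)


# Constructed sample inputs, in the format of /proc/self/cgroup.
SAMPLE_SESSION_V2 = "0::/user.slice/user-1000.slice/session-3.scope\n"
SAMPLE_SESSION_V1 = (
    "12:pids:/user.slice/user-1000.slice/session-c1.scope\n"
    "1:name=systemd:/user.slice/user-1000.slice/session-c1.scope\n"
)
SAMPLE_USER_SERVICE = (
    "0::/user.slice/user-1000.slice/user@1000.service/app.slice/ssh-agent.service\n"
)
SAMPLE_SYSTEM_SERVICE = "0::/system.slice/sshd.service\n"

if __name__ == "__main__":
    # A privileged helper would read its own entry and compare against
    # the real (not effective) uid before granting anything.
    import os
    with open("/proc/self/cgroup") as f:
        print(session_of(f.read(), os.getuid()))
```

A helper that gains privilege through a set-uid bit has to compare against the real uid, as above, because the effective uid is already the privileged one at that point.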
