[systemd-devel] The whole su/pkexec session debate
David Herrmann
dh.herrmann at gmail.com
Sun Dec 1 07:57:44 PST 2013
Hi
>>> But in the case of screen I'm specifically asking for a new, stand alone
>>> session.
>>
>> I'd agree; but the fix would be fairly invasive for screen. I think
>> it'd have to become setuid root, so it could request a new session.
>
> Yeah that was my fear too.
>
> Although perhaps this is just something that can be done via policy -
> e.g. perhaps screen can just ask logind to create a new session for us
> and then running some specific shell therein (i.e. a
> screen@$newsid.service) then immediately attaching to it.
>
> Perhaps this just needs something to control whether or not it's allowed
> to ask logind for a shell. This can perhaps be something controlled by
> system policy - e.g. you may be allowed but have to enter your password
> again, or you may just be allowed without further auth.
>
> I think eventually the semantics could be quite nice and could
> potentially avoid the need for setuid but I don't really know the extent
> of the needed infra here.
Screen can be fixed to call:
pam_start(&pamh)
pam_open_session(pamh)
and during shutdown:
pam_close_session(pamh)
pam_end(pamh)
This way, screen will keep an "active" reference to the session and
systemd-logind will not mark it as "closing". So the session that was
initiated by sshd will be kept open by "screen". Note that
pam_open_session() without pam_authenticate() will *not* create a new
session but only attach to the current session.
I know, people often complain that they cannot spawn new sessions from
within an existing session, but I haven't seen any compelling argument
why it's needed. Are there other use-cases I'm not aware of?
Thanks
David
More information about the systemd-devel
mailing list