[systemd-devel] Fix PAM module to not clobber XDG_RUNTIME_DIR with su

Lennart Poettering lennart at poettering.net
Wed Nov 20 15:16:34 PST 2013


On Thu, 14.11.13 07:45, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hello all,
> 
> pam_systemd currently causes some havoc when you run programs or
> shells with su: it passes on the $XDG_RUNTIME_DIR from the original
> user session, so that programs like pulseaudio or dconf end up
> scribbling into the original user's runtime dir. This has been
> discussed at length at [1][2] and is leading people to consider
> workarounds like [3].
> 
> It seems Lennart is against giving the new user a new logind session
> and runtime dir; I think it would be right to give it a fresh (or an
> already existing one for the target user) runtime dir, but in either
> case passing it the original user's runtime dir is actively wrong and
> harmful.

Well, that's quite arbitrary. What about dbus, X11, and so on, do you
plan to turn that off for the new session too?

If you leave access to X11 from the original session around, why isn't
PA also left around?

su is a hack, it is not clear what credentials it changes and which ones
it doesn't. It's entirely random what people think su should do, and
it's a security nightmare, as nobody knows the environment programs run
in anymore, there's no chance to get this done correctly.

Quite frankly, I am pretty sure the best approach is to simply prohibit
running graphical applications from su sessions, it's never going to
work. Letting other users access some (but not all) of a private user's
bits and pieces is never going to work if those bits and pieces are
nowadays a mix of dconf, X11, PA, dbus, security creds, keyrings, yadda
yadda...

> Until then I recommend applying this patch (or something equivalent)
> which at least stops destroying existing runtime dirs and makes it
> compliant to the spec [4]. With that, things like pulse, dconf, or
> dbus will still need to keep their internal fallback if there is no
> runtime dir, but that's a less pressing matter.

So, what's the intention here? That XDG_RUNTIME_DIR is entirely unset
after "su"? That sounds kinda acceptable to me.

Lennart

-- 
Lennart Poettering, Red Hat
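
The failure mode discussed in this thread, as an added example that is not part of the original message or of systemd's code: a check a program could run before writing into $XDG_RUNTIME_DIR. The XDG Base Directory specification requires the directory to be owned by the user with mode 0700, so a directory inherited across su fails the ownership test. The function and enum names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for runtime_dir_check() (hypothetical names). */
enum rt_status {
    RT_OK = 0,       /* directory, owned by uid, mode 0700 */
    RT_UNSET,        /* variable unset or empty: caller uses its fallback */
    RT_MISSING,      /* path cannot be stat'ed */
    RT_NOT_DIR,      /* symlink or other non-directory */
    RT_WRONG_OWNER,  /* owned by another user, e.g. inherited across su */
    RT_WRONG_MODE    /* permission bits differ from 0700 */
};

/* Validate `path` as a runtime dir for `uid`. lstat() is used so that a
 * symlink at the path is rejected rather than followed. */
enum rt_status runtime_dir_check(const char *path, uid_t uid)
{
    struct stat st;

    if (path == NULL || path[0] == '\0')
        return RT_UNSET;
    if (lstat(path, &st) != 0)
        return RT_MISSING;
    if (!S_ISDIR(st.st_mode))
        return RT_NOT_DIR;
    if (st.st_uid != uid)
        return RT_WRONG_OWNER;
    if ((st.st_mode & 0777) != 0700)
        return RT_WRONG_MODE;
    return RT_OK;
}

int main(void)
{
    const char *dir = getenv("XDG_RUNTIME_DIR");
    enum rt_status s = runtime_dir_check(dir, geteuid());
    printf("XDG_RUNTIME_DIR=%s status=%d\n", dir ? dir : "(unset)", (int)s);
    return s == RT_OK ? 0 : 1;
}
```

A caller that gets anything other than RT_OK would treat the variable as unset and use its own fallback location, which is the behaviour the quoted patch description expects of pulse, dconf and dbus.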

