[systemd-devel] logind, su - sessions and initscripts compatibility

Ivan Shapovalov intelfx100 at gmail.com
Sun Dec 21 02:36:55 PST 2014


On Friday, December 19, 2014 at 07:58:11 PM, Andrei Borzenkov wrote:
> On Fri, 19 Dec 2014 11:16:58 -0500
> worley at alum.mit.edu (Dale R. Worley) writes:
> 
> > Simon McVittie <simon.mcvittie at collabora.co.uk> writes:
> > > On 18/12/14 14:10, Dale R. Worley wrote:
> > >> Simon McVittie <simon.mcvittie at collabora.co.uk> writes:
> > >>> On 18/12/14 08:05, Andrei Borzenkov wrote:
> > >>>> Any initscript that is using "su -" would [cause badness]
> > >>>
> > >>> Don't do that then? Init scripts are fairly clearly not login sessions.
> > >>> Which init scripts do that?
> > >> 
> > >> More to the point, why would an initscript do that, since it's *already*
> > >> running as root?
> > >
> > > su isn't just for becoming root; it can also cause transitions from root
> > > to a less privileged user ("su -c 'my-app-clear-cache' daemon" is one
> > > example of something that an init script might want to do).
> > 
> > Yeah, ack, that was my mistake.  I was confusing "su", "su [user]", and
> > "su - [user]".  But the question is about the "su - [user]" form, which
> > is basically intended to start a new login session (as far as I can see
> > from the man page), since it gives the user's shell a "-" in argv[0],
> > which is intended to instruct the shell to run the user's
> > initializations, etc.
> > 
> > Which means that the question I should have asked is "Why would an
> > initscript use 'su -', as that is intended to start a new login
> > session?"
> > 
> 
> There is not a single word about "login session" in su man page.
> It says it starts "login shell" - but "login session" is not created by
> shell so I do not see where you draw this conclusion from.

It's indirectly so.
"This version of su uses PAM for authentication, account and session management."

Maybe it's a problem of distro/integration? In current Arch, /etc/pam.d/su{,-l} say

#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so

, and "su - <my user>" started in systemd's debug shell seems to survive the
transition to rescue.target. Which is just as expected, because in this
configuration su does not register its sessions in logind.

(Please correct me if my analysis is wrong.)

-- 
Ivan Shapovalov / intelfx /
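As an added check (not part of this thread), the script below reports whether a PAM service file's session stack loads pam_systemd.so, the module through which a session becomes visible to logind; the two sample files it writes are constructed here and are not copies of any distribution's real /etc/pam.d files.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PAM service file's
# session stack loads pam_systemd.so, the module that registers sessions with
# logind. Only the file itself is inspected; "include"/"substack" lines are
# not followed, so a stack that pulls pam_systemd in indirectly is reported
# as not registering (a known limitation of this check).

# Exit 0 if an active (uncommented) "session" line names pam_systemd.so.
# Accepts the optional leading "-" (suppress logging if the module is absent)
# and both the word form and the [...] form of the control field.
pam_registers_logind() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+([a-z_]+|\[[^]]*\])[[:space:]]+pam_systemd\.so' "$1"
}

# Print one verdict line per service file given.
report() {
    for f in "$@"; do
        if pam_registers_logind "$f"; then
            printf '%s: session stack loads pam_systemd.so -> sessions registered with logind\n' "$f"
        else
            printf '%s: no pam_systemd.so in session stack -> sessions not registered with logind\n' "$f"
        fi
    done
}

# Constructed samples written into DIR: "su" mirrors the pam_unix-only stack
# quoted above; "su-l" adds the customary optional pam_systemd line.
write_samples() {
    cat > "$1/su" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
EOF
    cat > "$1/su-l" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
-session        optional        pam_systemd.so
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
report "$tmp/su" "$tmp/su-l"
rm -rf "$tmp"
```

Listing pam_systemd is necessary but not sufficient for a new logind session: the module does nothing when the calling process already belongs to a session, so "su -" run from inside an existing session stays in that session rather than creating one.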