[systemd-devel] sudo -u app_user systemctl --user
David Schmitt
david at dasz.at
Tue Mar 25 10:33:52 PDT 2014
On 25.03.2014 15:10, Mantas Mikulėnas wrote:
> >> What behavior do you want?
> >
> >
> > The requirement I initially asked about, is this: given the proper
> > sudoers entry allow user alice to run
> >
> > $ sudo -u bob systemctl --user reload nginx.service
> >
> > and have it work. My analysis ended at the point that even when using
> > pam_systemd, sudo does not provide the proper XDG_SESSION* environment
> > variables to the executed command.
>
> The only important variable here is XDG_RUNTIME_DIR, as systemctl looks
> there for the user instance's private socket. I think in later versions
> it *is* exported by pam_systemd – that your example has the username and
> not the UID in this variable shows that it's a quite old systemd version.
>
> The other two variables identify the login session – XDG_SESSION_ID is
> set by pam_systemd to the logind session ID (for scripts and
> informational purposes mostly), and XDG_SESSION_COOKIE comes from
> ConsoleKit (which actually depends on the variable).
>
> I am not sure why the latter two are set at all in your case – 'su'
> probably should not create a new login session, it should remain in the
> previous one. On the other hand, there were a few threads about just how
> much 'su' and 'sudo' are meant to change... It also depends on whether
> su/sudo are invoked *from* within an existing session (they should
> always be).

Thank you for your clarification. Iff the XDG_RUNTIME_DIR is the only
required thing, I can probably force that to the correct value via an
sudo env_file.

I'll test.

Regards, David
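
An added example, not part of this message or of systemd's own code: instead of a static value, a small wrapper can derive XDG_RUNTIME_DIR from the target UID and check that the directory really belongs to that user before systemctl connects to the socket inside it. The `/run/user/<UID>` layout, GNU `stat`, the function names and the wrapper path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: validate the target user's runtime directory before
# pointing systemctl --user at it. Assumes /run/user/<UID> and GNU stat.

# Print the runtime dir for UID $1 under base $2 (default /run/user).
# Fails unless it is a real directory, owned by that UID, with mode 0700.
runtime_dir_for_uid() {
    uid=$1
    base=${2:-/run/user}
    case $uid in
        ''|*[!0-9]*) echo "invalid uid: $uid" >&2; return 2 ;;
    esac
    dir=$base/$uid
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "no runtime directory at $dir" >&2; return 1
    fi
    owner=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    if [ "$owner" != "$uid" ] || [ "$mode" != 700 ]; then
        echo "$dir has owner $owner mode $mode, expected $uid/700" >&2
        return 1
    fi
    printf '%s\n' "$dir"
}

# Hypothetical wrapper body, meant to run as the target user, for example
# from: sudo -u bob /usr/local/bin/user-systemctl reload nginx.service
run_user_systemctl() {
    XDG_RUNTIME_DIR=$(runtime_dir_for_uid "$(id -u)") || return 1
    # systemctl talks to the user instance over this private socket.
    if [ ! -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
        echo "no systemd user instance socket for uid $(id -u)" >&2
        return 1
    fi
    export XDG_RUNTIME_DIR
    systemctl --user "$@"
}

# Only act when called with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_user_systemctl "$@"
fi
```

A sudoers entry that permits only this wrapper for the target user keeps alice from supplying her own XDG_RUNTIME_DIR to the command.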