[systemd-devel] sudo -u app_user systemctl --user

David Schmitt david at dasz.at
Tue Mar 25 10:33:52 PDT 2014

On 25.03.2014 15:10, Mantas Mikulėnas wrote:
>  >> What behavior do you want?
>  >
>  >
>  > The requirement I initially asked about, is this: given the proper
> sudoers entry allow user alice to run
>  >
>  >   $ sudo -u bob systemctl --user reload nginx.service
>  >
>  > and have it work. My analysis ended at the point that even when using
> pam_systemd, sudo does not provide the proper XDG_SESSION* environment
> variables to the executed command.
> The only important variable here is XDG_RUNTIME_DIR, as systemctl looks
> there for the user instance's private socket. I think in later versions
> it *is* exported by pam_systemd – that your example has the username and
> not the UID in this variable shows that it's a quite old systemd version.
> The other two variables identify the login session – XDG_SESSION_ID is
> set by pam_systemd to the logind session ID (for scripts and
> informational purposes mostly), and XDG_SESSION_COOKIE comes from
> ConsoleKit (which actually depends on the variable).
> I am not sure why the latter two are set at all in your case – 'su'
> probably should not create a new login session, it should remain in the
> previous one. On the other hand, there were a few threads about just how
> much 'su' and 'sudo' are meant to change...It also depends on whether
> su/sudo are invoked *from* within an existing session (they should
> always be).

Thank you for your clarification. Iff the XDG_RUNTIME_DIR is the only 
required thing, I can probably force that to the correct value via an 
sudo env_file.

I'll test.

Regards, David

More information about the systemd-devel mailing list