[systemd-devel] Commands started after "su - username" do not obey "systemctl set-property user.slice MemoryLimit=..."

Lutz Vieweg lvml at 5t9.de
Wed Nov 12 07:58:59 PST 2014


On 11/11/2014 01:11 AM, Lennart Poettering wrote:
>> Yet, when root uses "su - username" to change the user,
>> no "user-xxx.slice" is created, not even a new "session"
>> below "user-0.slice" is created, causing the wrong
>> MemoryLimit to be applied:
...
> Using "su" doesn't really open a new session, it really just changes
> the numeric UID, and very few other things. It does not create a new
> bus, doesn't pass access to the audio stack, does not create a new
> tty, no new XDG_RUNTIME_DIR or anything else. It's a mix and match you
> get between the old user and the new user, and part of that is that no
> new session is registered by logind, and hence no resources are
> applied.

"man su" told me:
> It is recommended to always use the --login option (instead it's shortcut -) to avoid side effects caused by mixing environments.
...
>        -, -l, --login
>               Starts the shell as login shell with an environment similar to a real login:
... and so I did use "-" in "su - username", assuming this would yield
a behaviour "similar to a real login".

If "su - username" cannot be used to impersonate a user, then what
other method could?

On CentOS 6 I was using a script invoked from /etc/pam.d/su-l to
assign the process ID to the cgroup assigned to the user, but it seems
awkward to do something like this while systemd is shuffling the
content of /sys/fs/cgroup, too.

Regards,

Lutz Vieweg
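A way to check the mismatch this thread describes, added here as an example and not code from the thread or from systemd: parse a process's /proc/<pid>/cgroup content (cgroup v2 "0::/path" lines and the v1 "name=systemd" hierarchy) and report whether the process is accounted to the user-UID.slice that matches its UID. Function names and the constructed sample paths are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): which systemd user slice is a
# process accounted to, and does it match the process's UID?

# cgroup_path CONTENT -> the systemd-relevant cgroup path, or empty.
# Handles cgroup v2 ("0::/path") and the v1 systemd named hierarchy
# ("N:name=systemd:/path"); other v1 controller lines are ignored.
cgroup_path() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "0" && $2 == ""  { print $3; exit }   # cgroup v2 unified
        $2 == "name=systemd"   { print $3; exit }   # cgroup v1 systemd hierarchy
    '
}

# user_slice_uid PATH -> the N from a "user-N.slice" component, or empty
user_slice_uid() {
    printf '%s\n' "$1" | sed -n 's#.*/user-\([0-9][0-9]*\)\.slice.*#\1#p'
}

# slice_matches_uid CONTENT UID -> "ok" when the process is accounted to
# user-UID.slice; otherwise a one-line description of the mismatch.
slice_matches_uid() {
    path=$(cgroup_path "$1")
    slice_uid=$(user_slice_uid "$path")
    if [ -z "$path" ]; then
        echo "no systemd cgroup path found"
    elif [ -z "$slice_uid" ]; then
        echo "not under any user-*.slice ($path)"
    elif [ "$slice_uid" = "$2" ]; then
        echo "ok"
    else
        echo "accounted to user-$slice_uid.slice, expected user-$2.slice ($path)"
    fi
}

# check_self: run this from a shell started with "su - username"; a shell
# still accounted to root's slice reports user-0.slice, which is exactly
# the case where the target user's MemoryLimit is not applied.
check_self() {
    slice_matches_uid "$(cat /proc/self/cgroup)" "$(id -u)"
}
```

Run `check_self` both in a real login session and after `su - username` to compare the two results.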
