[systemd-devel] logind, su - sessions and initscripts compatibility

Lennart Poettering lennart at poettering.net
Tue Feb 3 08:40:20 PST 2015


On Thu, 18.12.14 11:05, Andrei Borzenkov (arvidjaar at gmail.com) wrote:

> As far as I know, systemd still officially retains compatibility with
> initscripts. Unfortunately, session management now at least partially
> broke it.
> 
> Any initscript that is using "su -" would create logind session; this
> session will persist until processes started by initscript are
> running.

Any initscript that uses "su -" is broken, I am very much
convinced. For two reasons. First of all, the dash means that you want
a login shell, i.e. one that "feels" like a "real" user login. That's
very inappropriate for daemons.

Secondly, su goes through the whole PAM stack. PAM is really for
setting up user sessions, it has no place when setting up the
environment for a daemon. If you want to set up the environment for a
daemon, use "start-stop-daemon", "runuser", or simply systemd's User=
setting. None of them goes through PAM.

If you go through PAM, then you not only get a new systemd session
opened for it, but also an audit session, selinux session, ... And you
clearly don't want that.

This is unfortunately little documented, but it's really how it is.

Do not use "su" for init scripts. Never, ever. It's a user command,
not a command to use in codepaths outside of user sessions.

All this is wrong outside of the systemd context, and just a slight
bit more inside the systemd context, but the correct fix is certainly
outside of the scope of systemd.

Sorry,

Lennart

-- 
Lennart Poettering, Red Hat
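The practical takeaway from the reply above is twofold: find the init scripts that run a daemon through "su -" (and so open a logind/PAM session that outlives the script), and replace that invocation with something that does not go through the login PAM stack. The following is an added example by the editor, not code from the mail or from the systemd project. It assumes a POSIX sh with grep -E and sed, and the sample init script in the test is constructed; the lint matches "su -", "su -l" and "su --login" in any argument position, and the unit generator shows the User= replacement the reply recommends (with the daemon run in the foreground, which Type=simple expects).

```shell
#!/bin/sh
# Added example (editor's code, not from the systemd project or the mail).
# Two helpers:
#   find_su_login   - report lines of an init script that invoke su as a
#                     login shell ("su -", "su -l", "su --login"); each of
#                     those goes through the login PAM stack and, under
#                     systemd, creates a logind session that persists while
#                     the daemon's processes run.
#   initscript_to_unit - emit a minimal systemd unit that runs the daemon
#                     under User= instead, which sets up the environment
#                     without touching PAM at all.

# Print "LINENO:text" for each su invocation with a login-shell flag.
# Comments are stripped first (naively: everything after '#' on a line,
# so a '#' inside a quoted string also truncates that line) while line
# numbers are preserved. Exit status: 0 if anything was found, 1 if not.
find_su_login() {
    sed 's/#.*$//' "$1" | grep -nE \
        '(^|[^A-Za-z0-9_./-])su[[:space:]]+([^[:space:]]+[[:space:]]+)*(-|-l|--login)([[:space:]]|$)'
}

# Emit a systemd service unit for daemon user $1 running command $2.
# $2 must keep the daemon in the foreground (no self-daemonising), which
# is what Type=simple expects. No PAMName= is set, so no PAM session,
# no logind session and no audit/SELinux session are opened for it.
initscript_to_unit() {
    printf '%s\n' \
        '[Unit]' \
        "Description=$1 daemon (converted from init script)" \
        'After=network.target' \
        '' \
        '[Service]' \
        'Type=simple' \
        "User=$1" \
        "ExecStart=$2" \
        '' \
        '[Install]' \
        'WantedBy=multi-user.target'
}

# Usage (commented out so the file can be sourced):
#   find_su_login /etc/init.d/mydaemon
#   initscript_to_unit mydaemon "/usr/sbin/mydaemon --foreground" \
#       > /etc/systemd/system/mydaemon.service
```

Note that the lint only catches the login-shell forms; a plain "su user -c cmd" still runs the su PAM stack (and under systemd still opens a session), so once you have the list, the right fix is to move all of them to runuser, start-stop-daemon or User=, not merely to drop the dash.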

