[systemd-devel] [PATCH] unit: Set KillMode=mixed for services which use sulogin

Lennart Poettering lennart at poettering.net
Wed May 13 06:45:13 PDT 2015


On Wed, 13.05.15 15:32, Michael Biebl (mbiebl at gmail.com) wrote:

> 2015-05-13 15:19 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> > sulogin generally does not set up a PAM session, and we indeed should
> > allow processes like screen staying around in such a context. Hence
> > KillMode=process is actually the right choice for all these services,
> > indeed.
> 
> Do you really think it makes sense to start screen from
> emergency/rescue mode?

No I don't. But I think we shouldn't try to enforce any policy on
process lifetime in debug/emergency/rescue mode... They are supposed
to be low-level recovery features, that give you raw, naked, rough
access to the system guts, really. And hence we probably shouldn't
kill what they leave around...

I mean, if admins do something like this:

 ( while : ; do ps xawuf >> /tmp/ps-log ; sleep 10 ; done ) & disown

in the debug shell, to debug something, then we should not break that
at logout, really. 

> Imho those are the cases where you don't actually want stuff to stay
> around after you log out.
> 
> > Hence I figure the status quo for all of this is pretty OK already...
> 
> Well, I was intending to commit my original patch, which only uses
> KillMode=mixed for services which use sulogin, i.e.
> emergency.service, rescue.service and console-shell.service.
> 
> See the original bug that triggered this patch [1]. We don't really
> want a stray bash process to stay around which potentially fights with
> sulogin over the input.

Well, I am pretty sure that in this case, it should be sulogin that
propagates the shutdown request to the shell it spawned, but we should
not do it otherwise.

Note that by default we don't even clean up processes of unprivileged
users on logout. You have to turn this on via KillUserProcesses=
explicitly. And if we don't do this for unprivileged users, we
certainly shouldn't do it for debug shells either....

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784238

That bug report is long... From what I got this really looks like
something to fix in Debian's sulogin implementation really.

Lennart

-- 
Lennart Poettering, Red Hat
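
The difference between the KillMode= settings discussed in this thread, as an added illustration that is not part of the original message and is not systemd code: a small model of which processes in a unit's control group are signalled at stop time, following the semantics documented in systemd.kill(5). The process list is constructed and simplified (PIDs are invented, and sulogin is assumed to be the unit's main process).

```python
# Added illustration (not systemd source): which processes in a unit's
# control group systemd signals on stop, per KillMode= in systemd.kill(5).
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str
    main: bool = False  # True for the unit's main process

def stop_plan(cgroup, kill_mode, send_sigkill=True):
    """Return {'term': [...], 'kill': [...], 'untouched': [...]} of PIDs.

    'term' gets the first signal (SIGTERM by default); 'kill' is the set
    SIGKILL may reach after the stop timeout if still alive
    (SendSIGKILL=yes is the default); 'untouched' is never signalled.
    """
    everyone = {p.pid for p in cgroup}
    main = {p.pid for p in cgroup if p.main}
    modes = {
        "control-group": (everyone, everyone),
        "mixed": (main, everyone),
        "process": (main, main),
        "none": (set(), set()),
    }
    if kill_mode not in modes:
        raise ValueError(f"unknown KillMode={kill_mode!r}")
    term, kill = modes[kill_mode]
    if not send_sigkill:
        kill = set()
    return {
        "term": sorted(term),
        "kill": sorted(kill),
        "untouched": sorted(everyone - term - kill),
    }

# Constructed, simplified process list for a rescue shell (PIDs invented):
# sulogin is treated as the main process, bash is the shell it spawned, and
# the last two are the disowned "ps" logging loop from the message.
RESCUE_CGROUP = [
    Proc(301, "sulogin", main=True),
    Proc(302, "bash"),
    Proc(310, "bash (disowned loop)"),
    Proc(311, "sleep"),
]

if __name__ == "__main__":
    for mode in ("control-group", "mixed", "process", "none"):
        print(f"KillMode={mode:<13} {stop_plan(RESCUE_CGROUP, mode)}")
```

With KillMode=process the spawned shell and the disowned loop are never signalled; with KillMode=mixed they receive SIGKILL once the main process has been sent SIGTERM.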

