[systemd-devel] launching an interactive user session
Lennart Poettering
lennart at poettering.net
Mon May 23 10:07:46 UTC 2016
On Fri, 20.05.16 20:10, Mike Gulick (Mike.Gulick at mathworks.com) wrote:
> Hi systemd-devel,
>
> I'm on Debian Jessie running the default systemd-215. I have a
> daemon (running as root, controlled by systemd), whose job it is to
> launch on-demand VNC servers for other users. Currently, this
> daemon uses a shell command like the following to launch the vnc
> server for a given $USER:
>
> sudo -i -u $USER /bin/sh -l -c 'cd \$HOME && /path/to/vncserver $ARGS'
>
> The issue I'm having is that the user VNC sessions being created all
> share the same systemd login session as my daemon. I can see this
> by running systemd-cgls.

My recommendation would be to define this as a template service in
systemd, and use PAM= to make sure the invoked binary gets a PAM
session (and thus a logind session) assigned.

> The users of these VNC sessions would like to be able to use
> "systemd-run --user --scope -p MemoryLimit=X COMMAND" to launch a
> command with cgroup-based resource limiting. However without a user
> session, this results in "Failed to create bus connection:
> Connection refused".

Note that MemoryLimit= is not supported for user services, as cgroup
controller delegation is generally not safe in the traditional cgroup
hierarchy.

> There are too many users to create static systemd unit files, and it
> doesn't seem like I can create and load .service files on the
> fly. The "machinectl shell" command
> (https://github.com/systemd/systemd/pull/1022) looks promising, but
> unfortunately it's not in my systemd yet. I've tried searching
> through this mailing list's history, but the results all were dead
> ends.

215 is pretty old. Transient units are really useful only on much
newer systemd versions. Sorry.

> It seems like there are a lot of pieces needed to make this work
> (dbus, XDG env vars, systemd --user), and all of the recommendations
> say to go through pam_systemd.so. I'm not afraid of interacting
> with PAM, but I don't really understand what's needed, and I can't
> actually authenticate as the user because I don't know their
> password (currently this daemon is root so it doesn't need a
> password to switch user).

PAM is how user sessions are set up on Linux, and logind (through
pam_systemd) hooks into that for that.

Lennart

--
Lennart Poettering, Red Hat
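
An added example, not part of the message above and not code from the systemd project: a template unit of the kind the reply recommends, with one instance per user. In systemd.exec(5) the setting that requests a PAM session is spelled PAMName=. The unit name `vnc@.service`, the PAM service name `login`, and `Type=forking` are assumptions.

```ini
# /etc/systemd/system/vnc@.service   (hypothetical file name)
# One template serves every user; the instance name after "@" selects
# the account, so no per-user unit files are needed.

[Unit]
Description=On-demand VNC server for %i

[Service]
# %i expands to the instance name, e.g. "alice" for vnc@alice.service.
# The launching daemon runs as root, so it should pass only account
# names it has already validated.
User=%i

# Have systemd open a PAM session for User= when the unit starts.
# "login" is an assumed PAM service name; its stack in /etc/pam.d must
# include pam_systemd.so for logind to register a separate session.
PAMName=login

# Assumption: the vncserver wrapper forks into the background.
# Use Type=simple if your vncserver stays in the foreground.
Type=forking

# Same login-shell invocation as the original sudo command; a bare
# "cd" changes to the user's home directory. /path/to/vncserver is the
# placeholder path from the original post; append its arguments here.
ExecStart=/bin/sh -l -c 'cd && exec /path/to/vncserver'
```

The daemon would then run `systemctl start vnc@alice.service` in place of the `sudo` command, and `loginctl list-sessions` or `systemd-cgls` shows whether the VNC server landed in its own session.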