[systemd-devel] start user-service only with UID greater than 1000

Simon McVittie smcv at collabora.com
Tue Jul 25 22:28:43 UTC 2017


On Wed, 26 Jul 2017 at 00:02:06 +0200, Jakob Schürz wrote:
> I have no idea why these users get a PAM session.
> Now I can see there is also a systemd --user process for
> debian-security-support:
> 
> Jul 25 23:54:49 aldebaran systemd[1]: Starting User Manager for UID 137...
> Jul 25 23:54:49 aldebaran systemd[6366]: pam_unix(systemd-user:session):
> session opened for user debian-security-support by (uid=0)

From https://sources.debian.net/src/debian-security-support/2017.06.02/debian/debian-security-support.postinst/
it looks as though that package is using su. It should probably be using

    runuser -u "$USERNAME" /bin/bash -c "..."

instead, because whatever the question is, su is usually the wrong answer.

Presumably the other daemons you mentioned are also using su in a cron job
or maintainer script or something.

On my Debian system, /etc/pam.d/su pulls in /etc/pam.d/common-session,
which uses pam_systemd; but /etc/pam.d/runuser does not. So anything that
calls su will get a login session, with the side effect of a `systemd --user`,
but anything that calls runuser will not get a login session and a
`systemd --user`.

    S
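
Added example, not part of the message above or of any package's code: a shell check for the su/runuser difference described in the message, reporting whether a PAM service's session stack reaches pam_systemd. The function names and the sample configs are assumptions constructed for illustration; it also follows "session include" and "session substack" lines, which goes slightly beyond the Debian @include case in the text.

```shell
#!/bin/sh
# Added example: does a PAM service's session stack reach pam_systemd?
pam_session_uses_systemd() {
    # $1 = service name, $2 = PAM config directory, $3 = include depth
    local svc="$1" dir="${2:-/etc/pam.d}" depth="${3:-0}"
    local type control module rest
    [ -r "$dir/$svc" ] || return 1
    [ "$depth" -lt 8 ] || return 1      # stop on include loops
    while read -r type control module rest || [ -n "$type" ]; do
        case "$type" in
            @include)                    # pulls in the whole named file
                pam_session_uses_systemd "$control" "$dir" $(( $depth + 1 )) && return 0 ;;
            session|-session)
                case "$control" in
                    include|substack)
                        pam_session_uses_systemd "$module" "$dir" $(( $depth + 1 )) && return 0 ;;
                    *)  # control may be bracketed, so match the rest of the line
                        case "$control $module $rest" in
                            *pam_systemd.so*) return 0 ;;
                        esac ;;
                esac ;;
        esac
    done < "$dir/$svc"
    return 1
}

# Constructed sample configs modelled on the layout described above (not
# copied from a real system): su includes common-session, runuser does not.
make_sample_pam_dir() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_systemd.so' > "$d/common-session"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '@include common-session' > "$d/su"
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'session required pam_unix.so' > "$d/runuser"
    echo "$d"
}

sample=$(make_sample_pam_dir)
for svc in su runuser; do
    if pam_session_uses_systemd "$svc" "$sample"; then
        echo "$svc: session stack loads pam_systemd"
    else
        echo "$svc: no pam_systemd in session stack"
    fi
done
rm -rf "$sample"
```

To check a real system, call the function with /etc/pam.d as the second argument and the service names used by the cron jobs or maintainer scripts in question.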

