[systemd-devel] start user-service only with UID greater than 1000
Lennart Poettering
lennart at poettering.net
Thu May 11 19:09:44 UTC 2017
On Wed, 10.05.17 08:39, Jakob Schürz (wertstoffe at nurfuerspam.de) wrote:
> On 2017-05-09 at 18:19, Mantas Mikulėnas wrote:
> > That might be nice... but, how come your services register a logind
> > session in the first place? That doesn't happen unless something
> > deliberately calls pam_systemd – and the service startup process
> > generally doesn't involve calling PAM in the first place. So something
> > doesn't add up. (Are you using su?)
>
> Good point!
> The User-Session for Debian-exim may really come from a su in a
> script... I rewrote this script, now the User-Session for Debian-gdm
> seems not to be started again.

util-linux' "setpriv" is the correct tool to use for acquiring system user
privileges without setting up a full login session.

> But gdm... it starts this service, in case of starting a user-session
> for systemd.
> This seems to be another problem, understanding the following answers
> from the others in this thread...

This is actually intended behaviour: gdm sessions are supposed to be
as similar to normal sessions as possible.

BTW there's currently a PR being discussed that would permit you
to do per-user discrimination via a condition:
https://github.com/systemd/systemd/pull/5926
It's not merged yet though, and in its current version only permits
explicit user or group checks, not full ranges. (that said, extending
things like that definitely would make sense)
Lennart
--
Lennart Poettering, Red Hat
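
The su-to-setpriv swap discussed in this message, together with a check for logind sessions still owned by system users, as an added example that is not part of the original message or of systemd. The function names, the `SETPRIV` dry-run override and the sample session lines are assumptions made for illustration; the 1000 threshold comes from the thread subject.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# Run a command as a system user from a root-run script without going
# through PAM, so pam_systemd never registers a logind session for it.
# Replaces the pattern:  su -s /bin/sh -c 'CMD' USER
# SETPRIV is an assumed override hook (e.g. SETPRIV=echo for a dry run).
run_as_system_user() {
    user=$1; shift
    uid=$(id -u "$user") || return 1      # fail early on unknown users
    gid=$(id -g "$user") || return 1
    # --init-groups loads the user's supplementary groups, as su would.
    "${SETPRIV:-setpriv}" --reuid="$uid" --regid="$gid" --init-groups "$@"
}

# Read `loginctl list-sessions --no-legend` output on stdin (assumed column
# order: SESSION UID USER ...) and print the sessions whose UID is below
# the threshold, i.e. sessions that belong to system users.
system_user_sessions() {
    awk -v min="${1:-1000}" \
        '$2 ~ /^[0-9]+$/ && $2 + 0 < min + 0 { print $1, $2, $3 }'
}

# Constructed sample input; the UIDs and the regular user are made up.
sample_sessions() {
    cat <<'EOF'
  c1  118 Debian-gdm  seat0 tty7
   5 1000 jakob       seat0 tty2
  12  105 Debian-exim -     -
EOF
}

# Live usage on a systemd host:
#   run_as_system_user Debian-exim /usr/sbin/exim4 -bp
#   loginctl list-sessions --no-legend | system_user_sessions
```

A gdm greeter session showing up in the second check is expected, per the message above; a session for a mail or daemon account usually points at a script that still calls su.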