[systemd-devel] graphical sessions inherits display-maanger only partly
Reindl Harald
h.reindl at thelounge.net
Tue Jan 22 13:52:39 UTC 2019
Am 22.01.19 um 08:12 schrieb Mantas Mikulėnas:
> On Tue, Jan 22, 2019 at 3:46 AM Reindl Harald <h.reindl at thelounge.net
> <mailto:h.reindl at thelounge.net>> wrote:
>
>
> "ProtectSystem=full" with the setup below just works, "su -" in a
> konsole within the graphical session don't gain write permissions
>
> Tasks: 4
> why?
>
> shouldn't everything started after the graphical login interherit any
> settings from teh display-manager service and run under it's cgroup?
>
>
> No, one of the first things done during login is to create a new logind
> session with associated cgroup (under user.slice) and move your process
> into it.
so that ProtectSystem and FS namespaces are properly interhited is more
luck than by design?
the idea is to restrict everything running in grpahical sessions
administration is always done via sshd
More information about the systemd-devel
mailing list