[systemd-devel] Best Practices with homectl ↔ passwd/groups/shadow ?

Mantas Mikulėnas grawity at gmail.com
Mon Jul 29 15:42:46 UTC 2024


I'm not sure if that's related to homectl - it seems that you're trying to
specify User= and Group= within a user service. The whole "systemd --user"
service manager (user@xxx.service) is unprivileged and runs as your user,
so it cannot change its UID anyway or set any supplementary groups except
those that it already has.

On Mon, Jul 29, 2024, 17:43 Divine Eguzouwa <divine.eguzouwa at gmail.com>
wrote:

> Is it wise to use only `homectl` to manage human users *without* reciprocal
> entries in /etc/passwd, /etc/group, or /etc/shadow?
>
> $ systemd-analyze security wireplumber --user
>
> | NAME                  | Description    | Exposure    |
> | ----------------------| -------------- | ----------- |
> | ❌ User=/DynamicUser= | Service runs.. | 0.4         |
>
> → Overall exposure level for wireplumber.service...
>
>
> $ systemctl edit wireplumber.service --user
> ### Editing
> /home/me/.config/systemd/user/wireplumber.service.d/override.conf
> ### Anything between here and the comment below will become the contents
> of the...
>
> [Service]
> User=%u
> Group=%g
>
> ### Edits below this comment will be discarded
> ...
>
> $ systemctl daemon-reload --user
> $ systemctl restart wireplumber.service --user
> $ journalctl -r --unit=wireplumber --user
> systemd[851]: Failed to start Multimedia Service Session Manager.
> systemd[851]: wireplumber.service: Failed with result 'exit-code'.
> systemd[851]: wireplumber.service: Start request repeated too quickly.
> systemd[851]: wireplumber.service: Scheduled restart job, restart counter
> is at 5.
> systemd[851]: wireplumber.service: Failed with result 'exit-code'.
> systemd[851]: wireplumber.service: Main process exited, code=exited,
> status=216/GROUP
> (eplumber)[11087]: wireplumber.service: Failed at step GROUP spawning
> /usr/bin/wireplumber: Operation not permitted
> *(eplumber)[11087]: wireplumber.service: Failed to determine supplementary
> groups: Operation not permitted*
> systemd[851]: Started Multimedia Service Session Manager.
>
>
>
> homectl should already know of this user's supplementary groups, unless
> homectl is searching for them in `/etc/groups` instead?
>
> --D
>
>
>
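The point of the reply above is that identity-changing directives in a unit under the user manager cannot work, because the manager itself is unprivileged; the journal excerpt shows what that looks like (status=216/GROUP, "Failed to determine supplementary groups: Operation not permitted"). The following is an added example, not code from the thread or from systemd: a small POSIX shell lint that scans a drop-in such as ~/.config/systemd/user/wireplumber.service.d/override.conf and reports directives that need a privileged manager. The directive list (User=, Group=, DynamicUser=, SupplementaryGroups=) and the two sample drop-ins are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: lint drop-ins under
# ~/.config/systemd/user/ for directives that only a privileged (system)
# manager can honour. "systemd --user" runs as the user, so these cannot
# take effect and the service fails at spawn, as in the thread's journal.
# The directive list below is this example's assumption.

# check_user_unit FILE
#   Prints one line per identity-changing directive found in FILE.
#   Returns 0 if FILE has none, 1 if at least one was found.
check_user_unit() {
  file="$1"
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Key before '=' with leading whitespace stripped; comments, blank
    # lines and [Section] headers never match the case arms below.
    key=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/=.*//')
    case "$key" in
      User|Group|DynamicUser|SupplementaryGroups)
        printf '%s: %s= needs a privileged manager; ineffective under systemd --user\n' \
          "$file" "$key"
        found=1
        ;;
    esac
  done < "$file"
  return "$found"
}

# Constructed samples in a temp dir (removed when the script exits).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The override from the thread: User=/Group= inside a user unit.
cat > "$tmp/override.conf" <<'EOF'
[Service]
User=%u
Group=%g
EOF

# A constructed drop-in that only sets an environment variable; nothing
# here requires root, and the commented-out User= must not be reported.
cat > "$tmp/env.conf" <<'EOF'
[Service]
# User=nobody
Environment=EXAMPLE_VAR=1
EOF

for f in "$tmp/override.conf" "$tmp/env.conf"; do
  if check_user_unit "$f"; then
    echo "$f: no identity-changing directives"
  fi
done
```

Run it as-is to see the override from the thread flagged twice (User= and Group=) and the environment-only drop-in pass. The check is deliberately textual: it does not need a running systemd, so it can sit in a dotfiles test or pre-commit hook, and `systemctl edit --user` never needs to be invoked just to discover that a drop-in will fail with 216/GROUP.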