[systemd-devel] run0 and run0 versus machinectl shell

Dominick Grift dominick.grift at defensec.nl
Thu Oct 17 12:48:45 UTC 2024


Lennart Poettering <lennart at poettering.net> writes:

> On Do, 17.10.24 09:58, Dominick Grift (dominick.grift at defensec.nl) wrote:
>
>>
>> I am encountering three issues with run0:
>>
>> 1. not upstream related but Debian (currently) does not install
>> systemd-run0 pamname
>
> Not sure what "pamname" means? Do you mean the PAM stack configuration
> file for run0?

yes

>
>> 2. the man page is incorrect in stating that everything goes through
>> systemd-run0 pam stack because if you omit --user= then run0 will not go
>> through pam (you can verify that by looking at the ownership of the
>> created pty. pty ownership is not reset to root.)
>
> Hmm? It does work fine here? Not sure what pty ownership has to do with
> PAM? And which pty precisely?
>

Let me try to make this as simple as possible:

There are inconsistencies between running `run0` and `run0 --user=root`:

run0
ls -alh `tty`

run0 --user=root
ls -alh `tty`

This is only one example. There are other inconsistencies.

>> 3. the way run0 is implemented differs from the way machinectl shell
>> implements this functionality. I am not sure so bear with me but with
>> machinectl shell, the shell gets executed by the systemd --user instance
>> whereas with run0 the shell gets executed by systemd --system
>> instance. This inconsistency potentially causes issues with pam because
>> systemd --user is not -/bin/bash. I personally prefer the way machinectl
>> shell does it but I will be honest that this seems not perfect
>> either.
>
> I don't follow? What do you mean by "systemd --user" is not
> "-/bin/bash"?

I will table this issue for the sake of focussing on the issue
above. Once we have an understanding on that issue I might bring this
next issue up again.

Thanks in advance.

>
> Lennart
>
> --
> Lennart Poettering, Berlin

-- 
gpg --locate-keys dominick.grift at defensec.nl (wkd)
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod at defensec.nl

