<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 22, 2019 at 3:52 PM Reindl Harald <<a href="mailto:h.reindl@thelounge.net">h.reindl@thelounge.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
Am 22.01.19 um 08:12 schrieb Mantas Mikulėnas:<br>
> On Tue, Jan 22, 2019 at 3:46 AM Reindl Harald <<a href="mailto:h.reindl@thelounge.net" target="_blank">h.reindl@thelounge.net</a><br>
> <mailto:<a href="mailto:h.reindl@thelounge.net" target="_blank">h.reindl@thelounge.net</a>>> wrote:<br>
> <br>
> <br>
> "ProtectSystem=full" with the setup below just works, "su -" in a<br>
> konsole within the graphical session doesn't gain write permissions<br>
> <br>
> Tasks: 4<br>
> why?<br>
> <br>
> shouldn't everything started after the graphical login inherit any<br>
> settings from the display-manager service and run under its cgroup?<br>
> <br>
> <br>
> No, one of the first things done during login is to create a new logind<br>
> session with associated cgroup (under user.slice) and move your process<br>
> into it.<br>
<br>
so that ProtectSystem and FS namespaces are properly inherited is more<br>
luck than by design?<br></blockquote><div><br></div><div>Namespaces are not cgroup parameters.</div><div><br></div><div>I don't think namespacing a user-login service was ever part of the design...</div></div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Mantas Mikulėnas</div></div></div>
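The check a practitioner would run after reading this exchange, as an added example that is not part of the thread and not code from the systemd project: compare the cgroup and the mount namespace of the display manager's main process with those of a shell started inside the graphical session. The cgroup path comes from <code>/proc/&lt;pid&gt;/cgroup</code> (the login shell ends up in a session scope under <code>user.slice</code>, as Mantas describes), while the mount namespace set up by <code>ProtectSystem=</code> is identified by <code>/proc/&lt;pid&gt;/ns/mnt</code> and is passed on by <code>fork()</code> regardless of where logind later moves the process. All <code>/proc</code> contents, the PID, UID, session number and namespace inode values below are constructed samples; pass two real PIDs on the command line to run it against a live Linux host.

```python
# Added example (not from the thread): relate a login-session process to the
# service it was forked from by cgroup path and by mount namespace.
# Runs on constructed /proc samples by default; `python3 check_ns.py
# <service-pid> <shell-pid>` reads the real entries instead.
import os
import sys

# Constructed /proc/<pid>/cgroup contents (cgroup v2 "unified" layout).
DM_CGROUP_V2 = "0::/system.slice/display-manager.service\n"
SHELL_CGROUP_V2 = "0::/user.slice/user-1000.slice/session-2.scope\n"
# The same shell on a hybrid/v1 host: systemd's path is in name=systemd.
SHELL_CGROUP_V1 = (
    "12:pids:/user.slice/user-1000.slice/session-2.scope\n"
    "3:cpu,cpuacct:/\n"
    "1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"
    "0::/user.slice/user-1000.slice/session-2.scope\n"
)
# Constructed readlink(/proc/<pid>/ns/mnt) results; inode numbers are made up.
INIT_MNT_NS = "mnt:[4026531840]"    # PID 1's (host) namespace
DM_MNT_NS = "mnt:[4026532456]"      # private namespace from ProtectSystem=
SHELL_MNT_NS = "mnt:[4026532456]"   # inherited through fork(), so identical


def systemd_cgroup_path(cgroup_text):
    """Return the cgroup path systemd tracks for the process.

    Each /proc/<pid>/cgroup line is `hierarchy-id:controllers:path`.
    Prefer the unified hierarchy (id 0, empty controller list); fall back
    to the v1 name=systemd hierarchy on older or hybrid hosts.
    """
    v1_path = None
    for line in cgroup_text.splitlines():
        if not line:
            continue
        hier, controllers, path = line.split(":", 2)
        if hier == "0" and controllers == "":
            return path
        if controllers == "name=systemd":
            v1_path = path
    if v1_path is None:
        raise ValueError("no systemd-managed cgroup in /proc/<pid>/cgroup")
    return v1_path


def cgroup_unit(path):
    """Innermost unit on the cgroup path, e.g. 'session-2.scope'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def in_user_slice(path):
    """True when logind has placed the process under user.slice."""
    return path == "/user.slice" or path.startswith("/user.slice/")


def diagnose(service_ns, service_cgroup, proc_ns, proc_cgroup):
    """Relate a process to the service it was forked from."""
    path = systemd_cgroup_path(proc_cgroup)
    return {
        "unit": cgroup_unit(path),
        "in_user_slice": in_user_slice(path),
        "same_cgroup_as_service": path == systemd_cgroup_path(service_cgroup),
        # Namespace membership is decided by fork()/unshare(), not by the
        # cgroup the process was moved into afterwards.
        "inherited_mount_ns": proc_ns == service_ns,
    }


def read_live(pid):
    """Read the real entries for a PID (Linux only)."""
    with open(f"/proc/{pid}/cgroup") as f:
        cgroup = f.read()
    return os.readlink(f"/proc/{pid}/ns/mnt"), cgroup


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check_ns.py <service-pid> <shell-pid>
        svc = read_live(sys.argv[1])
        proc = read_live(sys.argv[2])
        print(diagnose(*svc, *proc))
    else:
        print(diagnose(DM_MNT_NS, DM_CGROUP_V2, SHELL_MNT_NS, SHELL_CGROUP_V2))
```

On the constructed sample the shell reports <code>session-2.scope</code> under <code>user.slice</code> (a different cgroup from <code>display-manager.service</code>) together with <code>inherited_mount_ns: True</code>, which is the combination the thread is puzzling over: the cgroup move and the namespace are independent mechanisms. Running it live with the display manager's main PID and the PID of a shell from <code>su -</code> lets you confirm the same on your own host; a process that was reached through <code>unshare</code> or a separate service would show a different <code>ns/mnt</code> inode.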