<div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Dec 11, 2023, 17:28 Christopher Wong <<a href="mailto:Christopher.Wong@axis.com">Christopher.Wong@axis.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word"> <div class="m_-2724165164821707795WordSection1"> Hi Mantas, I have added ExecStartPre to <a href="mailto:user@.service" target="_blank" rel="noreferrer">user@.service</a> to run “id” and “ls -la”: Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Will mount /run/user/1001 owned by 1001:118 Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")... Dec 11 15:50:34 host systemd[1]: Finished User Runtime Directory /run/user/1001. Dec 11 15:50:34 host systemd[1]: Starting User Manager for UID 1001... Dec 11 15:50:34 host id[40291]: uid=1001(ida) gid=118(ssh-users) groups=118(ssh-users),236(systemd-journal) Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 3 root root 60 Dec 11 15:50 . Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 98 root root 2120 Dec 11 15:30 .. Dec 11 15:50:34 host ls[40293]: drwx------ 2 root root 40 Dec 11 15:50 1001 Dec 11 15:50:34 host systemd[40294]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified) The /run/user/1001 belongs to root with mode 0700. Should this belong to root?</div></div></blockquote></div></div><div dir="auto">No, it should be owned by UID 1001 (though still mode 0700).</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word"><div class="m_-2724165164821707795WordSection1"> Is it because I manually start <a href="mailto:user@1001.service" target="_blank" rel="noreferrer">user@1001.service</a> as root?</div></div></blockquote></div></div><div dir="auto">Which user started the .service is usually not important, all services get a "fresh" environment that's fully described by the unit file.</div><div dir="auto"> </div><div dir="auto">So even if you did 'systemctl start' as root, the unit has User=%i so the instance parameter tells it which UID to run as, so will be running as UID 1001. Likewise user-runtime-dir@1001 will get the UID for the mount from its instance name (you can see that the "Mounting tmpfs" message has the correct information).</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word"><div class="m_-2724165164821707795WordSection1"> However, after <a href="mailto:user-runtime-dir@1001.service" target="_blank" rel="noreferrer">user-runtime-dir@1001.service</a> has finished it startup, the <a href="mailto:user@1001.service" target="_blank" rel="noreferrer">user@1001.service</a> is started as uid=1001 and therefore can’t create any directories under /run/user/1001. Resulting in <a href="mailto:user@1001.service" target="_blank" rel="noreferrer">user@1001.service</a> failed to start. If I add “ExecStartPre=+chown %i /run/user/%i” to <a href="mailto:user@.service" target="_blank" rel="noreferrer">user@.service</a> then it works! But I am unsure if this is really the way fix this.</div></div></blockquote></div></div><div dir="auto"> </div><div dir="auto">So far, it sounds like the directory is being created *by something else* before user-runtime-dir@ is even invoked.</div><div dir="auto"> </div><div dir="auto">Try adding the same "-/bin/ls -lad /run/user/%i" as both ExecStartPre and ExecStartPost of user-runtime-dir@ (and maybe even a findmnt). If the directory already exists during ExecStartPre, start looking for other services or cronjobs, or tmpfiles.d configs, or 'su' invocations, which may cause it to be created.</div><div dir="auto"> </div><div dir="auto">There might also be something that chowns it to root *after* it was created correctly. If you actually see the tmpfs mount in 'findmnt' or in 'mount', but it's owned by root despite having uid=1001 in its mount options, something has chowned it...or your tmpfs feature is broken.</div><div dir="auto"> </div><div dir="auto">If you don't see it in findmnt at all, even after user-runtime-dir has succeeded – either the mount failed quietly, or... something (like systemd itself) has quietly unmounted it.</div><div dir="auto"> </div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word"><div class="m_-2724165164821707795WordSection1"> Regarding the testing, I have done both restart of everything and manual, but the result is the same. Now that I have the “Environment=XDG_RUNTIME_DIR=/run/user/%i” I no longer need to do “systemctl set-environment …” Thank you for taking your time! <div> Best regards, Christopher Wong </div> <div id="m_-2724165164821707795mail-editor-reference-message-container"> <div> <div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"> From: Mantas Mikulėnas <<a href="mailto:grawity@gmail.com" target="_blank" rel="noreferrer">grawity@gmail.com</a>> Date: Friday, 8 December 2023 at 21:53 To: Christopher Wong <<a href="mailto:Christopher.Wong@axis.com" target="_blank" rel="noreferrer">Christopher.Wong@axis.com</a>> Cc: Systemd <<a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank" rel="noreferrer">systemd-devel@lists.freedesktop.org</a>> Subject: Re: [systemd-devel] Manual start of user@<uid>.service failed with permission denied </div> <div> <div> <div> On Fri, Dec 8, 2023 at 6:53 PM Christopher Wong <<a href="mailto:Christopher.Wong@axis.com" target="_blank" rel="noreferrer">Christopher.Wong@axis.com</a>> wrote: </div> <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"> <div> <div> <div> Hi Mantas, I have from your suggestion done the following: Putting the below in user@.service [Service] ... Environment=XDG_RUNTIME_DIR=/run/user/%i Environment=SYSTEMD_LOG_LEVEL=debug Putting the below in user-runtime-dir@.service [Service] ... Environment=SYSTEMD_LOG_LEVEL=debug Then I have disabled the global set-log-level debug (if this is also required, please let me know). </div> </div> </div> </blockquote> <div> </div> <div> Unlike set-environment that's not global, it only affects pid1. </div> <div> </div> <div> </div> <blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"> <div> <div> <div> What I can see from the logs is that <a href="mailto:user-runtime-dir@1001.service" target="_blank" rel="noreferrer">user-runtime-dir@1001.service</a> seems to be started and mount /run/user/1001, but addition creation of directory under this mount is getting permission denied. Dec 08 17:33:29 host systemd[1]: Created slice User Slice of UID 1001. Dec 08 17:33:29 host systemd[1]: Starting User Runtime Directory /run/user/1001... Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state UNSET -> OPENING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: sd-bus: starting bus by connecting to /run/dbus/system_bus_socket... Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state OPENING -> AUTHENTICATING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state AUTHENTICATING -> HELLO Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2536 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state HELLO -> RUNNING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=2 reply_cookie=0 signature=ss error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=15 reply_cookie=2 signature=v error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=3 reply_cookie=0 signature=ss error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=16 reply_cookie=3 signature=v error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state RUNNING -> CLOSED Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Will mount /run/user/1001 owned by 1001:118 Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")... Dec 08 17:33:29 host systemd[1]: Finished User Runtime Directory /run/user/1001. Dec 08 17:33:29 host systemd[1]: Starting User Manager for UID 1001... Dec 08 17:33:29 host systemd[36280]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified) Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/reg', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/dir', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/fifo', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/sock', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/chr', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/blk', ignoring: Permission denied </div> </div> </div> </blockquote> <div> </div> <div> What's the ownership of /run/user/1001 and /run/user/1001/systemd after all of this? </div> <div> </div> <div> Are you rebooting between tests or just manually starting it? </div> <div> </div> <div> My current guess is that due to the earlier `systemctl set-environment`, some *other* thing that's running as root inherited the /run/user/1001 path and created root-owned directories there? That's the issue with setting global environment, it needs to be unset afterwards... </div> </div> -- <div> <div> Mantas Mikulėnas </div> </div> </div> </div> </div> </div> </div> </blockquote></div></div></div>