<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word"> <div class="WordSection1"> Hi Belanger,<o:p></o:p> <o:p> </o:p> Thank you for your suggestion! I tried putting RuntimeDirectory= into the <a href="mailto:user@.service">user@.service</a>. I suppose I shouldn’t need to do this since the runtime directory should be fixed by the service <a href="mailto:user-runtime-dir@.service">user-runtime-dir@.service</a>. Result is that it didn’t work.<o:p></o:p> <o:p> </o:p> <div> Best regards,<o:p></o:p> Christopher Wong<o:p></o:p> </div> <o:p> </o:p> <o:p> </o:p> <div id="mail-editor-reference-message-container"> <div> <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"> From: Belanger, Martin <Martin.Belanger@dell.com> Date: Monday, 11 December 2023 at 17:43 To: Christopher Wong <Christopher.Wong@axis.com>, Mantas Mikulėnas <grawity@gmail.com> Cc: Systemd <systemd-devel@lists.freedesktop.org> Subject: RE: [systemd-devel] Manual start of user@<uid>.service failed with permission denied<o:p></o:p> </div> <div> Have you tried using "RuntimeDirectory=" (and optionally "RuntimeDirectoryPreserve=") Ref: <a href="https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory="> https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RuntimeDirectory=</a> Regards, Martin From: systemd-devel <systemd-devel-bounces@lists.freedesktop.org> On Behalf Of Christopher Wong Sent: Monday, December 11, 2023 10:28 AM To: Mantas Mikulėnas <grawity@gmail.com> Cc: Systemd <systemd-devel@lists.freedesktop.org> Subject: Re: [systemd-devel] Manual start of user@<uid>.service failed with permission denied [EXTERNAL EMAIL] Hi Mantas, I have added ExecStartPre to <a href="mailto:user@.service">mailto:user@.service</a> to run “id” and “ls -la”: Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Will mount /run/user/1001 owned by 1001:118 Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")... Dec 11 15:50:34 host systemd[1]: Finished User Runtime Directory /run/user/1001. Dec 11 15:50:34 host systemd[1]: Starting User Manager for UID 1001... Dec 11 15:50:34 host id[40291]: uid=1001(ida) gid=118(ssh-users) groups=118(ssh-users),236(systemd-journal) Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 3 root root 60 Dec 11 15:50 . Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 98 root root 2120 Dec 11 15:30 .. Dec 11 15:50:34 host ls[40293]: drwx------ 2 root root 40 Dec 11 15:50 1001 Dec 11 15:50:34 host systemd[40294]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified) The /run/user/1001 belongs to root with mode 0700. Should this belong to root? Is it because I manually start <a href="mailto:user@1001.service">mailto:user@1001.service</a> as root? However, after <a href="mailto:user-runtime-dir@1001.service">mailto:user-runtime-dir@1001.service</a> has finished it startup, the <a href="mailto:user@1001.service">mailto:user@1001.service</a> is started as uid=1001 and therefore can’t create any directories under /run/user/1001. Resulting in <a href="mailto:user@1001.service">mailto:user@1001.service</a> failed to start. If I add “ExecStartPre=+chown %i /run/user/%i” to <a href="mailto:user@.service"> mailto:user@.service</a> then it works! But I am unsure if this is really the way fix this. Regarding the testing, I have done both restart of everything and manual, but the result is the same. Now that I have the “Environment=XDG_RUNTIME_DIR=/run/user/%i” I no longer need to do “systemctl set-environment …” Thank you for taking your time! Best regards, Christopher Wong From: Mantas Mikulėnas <<a href="mailto:grawity@gmail.com">mailto:grawity@gmail.com</a>> Date: Friday, 8 December 2023 at 21:53 To: Christopher Wong <<a href="mailto:Christopher.Wong@axis.com">mailto:Christopher.Wong@axis.com</a>> Cc: Systemd <<a href="mailto:systemd-devel@lists.freedesktop.org">mailto:systemd-devel@lists.freedesktop.org</a>> Subject: Re: [systemd-devel] Manual start of mailto:user@<uid>.service failed with permission denied On Fri, Dec 8, 2023 at 6:53 PM Christopher Wong <<a href="mailto:Christopher.Wong@axis.com">mailto:Christopher.Wong@axis.com</a>> wrote: Hi Mantas, I have from your suggestion done the following: Putting the below in <a href="mailto:user@.service">mailto:user@.service</a> [Service] ... Environment=XDG_RUNTIME_DIR=/run/user/%i Environment=SYSTEMD_LOG_LEVEL=debug Putting the below in <a href="mailto:user-runtime-dir@.service">mailto:user-runtime-dir@.service</a> [Service] ... Environment=SYSTEMD_LOG_LEVEL=debug Then I have disabled the global set-log-level debug (if this is also required, please let me know). Unlike set-environment that's not global, it only affects pid1. What I can see from the logs is that <a href="mailto:user-runtime-dir@1001.service"> mailto:user-runtime-dir@1001.service</a> seems to be started and mount /run/user/1001, but addition creation of directory under this mount is getting permission denied. Dec 08 17:33:29 host systemd[1]: Created slice User Slice of UID 1001. Dec 08 17:33:29 host systemd[1]: Starting User Runtime Directory /run/user/1001... Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state UNSET -> OPENING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: sd-bus: starting bus by connecting to /run/dbus/system_bus_socket... Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state OPENING -> AUTHENTICATING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state AUTHENTICATING -> HELLO Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2536 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state HELLO -> RUNNING Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=2 reply_cookie=0 signature=ss error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=15 reply_cookie=2 signature=v error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=3 reply_cookie=0 signature=ss error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=16 reply_cookie=3 signature=v error-name=n/a error-message=n/a Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state RUNNING -> CLOSED Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Will mount /run/user/1001 owned by 1001:118 Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")... Dec 08 17:33:29 host systemd[1]: Finished User Runtime Directory /run/user/1001. Dec 08 17:33:29 host systemd[1]: Starting User Manager for UID 1001... Dec 08 17:33:29 host systemd[36280]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK -PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified) Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/reg', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/dir', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/fifo', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/sock', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/chr', ignoring: Permission denied Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/blk', ignoring: Permission denied What's the ownership of /run/user/1001 and /run/user/1001/systemd after all of this? Are you rebooting between tests or just manually starting it? My current guess is that due to the earlier `systemctl set-environment`, some *other* thing that's running as root inherited the /run/user/1001 path and created root-owned directories there? That's the issue with setting global environment, it needs to be unset afterwards... -- Mantas Mikulėnas<o:p></o:p> </div> </div> </div> </div> </body> </html>