<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="en-SE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">Hi Andrei,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;mso-fareast-language:EN-US">The systemd logs tells me that /run/user/1001 is mounted as uid=1001, but when I list the path /run/user/1001 it is empty and is owned by root. I can’t find the path
when I run the “mount” command. However, even for the successful case the path is not listed with the “mount” command.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;color:black;mso-fareast-language:EN-US">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black;mso-fareast-language:EN-US">Christopher Wong<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;font-family:"Aptos",sans-serif;color:black">From:
</span></b><span style="font-size:12.0pt;font-family:"Aptos",sans-serif;color:black">Andrei Borzenkov <arvidjaar@gmail.com><br>
<b>Date: </b>Monday, 11 December 2023 at 19:34<br>
<b>To: </b>Christopher Wong <Christopher.Wong@axis.com>, Mantas Mikulėnas <grawity@gmail.com><br>
<b>Cc: </b>Systemd <systemd-devel@lists.freedesktop.org><br>
<b>Subject: </b>Re: [systemd-devel] Manual start of user@<uid>.service failed with permission denied<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt">On 11.12.2023 18:28, Christopher Wong wrote:<br>
> Hi Mantas,<br>
> <br>
> I have added ExecStartPre to user@.service<<a href="mailto:user@.service">mailto:user@.service</a>> to run “id” and “ls -la”:<br>
> <br>
> Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Will mount /run/user/1001 owned by 1001:118<br>
> Dec 11 15:50:34 host systemd-user-runtime-dir[40287]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")...<br>
> Dec 11 15:50:34 host systemd[1]: Finished User Runtime Directory /run/user/1001.<br>
> Dec 11 15:50:34 host systemd[1]: Starting User Manager for UID 1001...<br>
> Dec 11 15:50:34 host id[40291]: uid=1001(ida) gid=118(ssh-users) groups=118(ssh-users),236(systemd-journal)<br>
> Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 3 root root 60 Dec 11 15:50 .<br>
> Dec 11 15:50:34 host ls[40293]: drwxr-xr-x 98 root root 2120 Dec 11 15:30 ..<br>
> Dec 11 15:50:34 host ls[40293]: drwx------ 2 root root 40 Dec 11 15:50 1001<br>
> Dec 11 15:50:34 host systemd[40294]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK
-PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified)<br>
> <br>
> The /run/user/1001 belongs to root with mode 0700. Should this belong to root? <br>
<br>
No.<br>
<br>
> Is it because I manually start user@1001.service<<a href="mailto:user@1001.service">mailto:user@1001.service</a>> as root?<br>
<br>
No.<br>
<br>
> However, after user-runtime-dir@1001.service<mailto:user-runtime-dir@1001.service> has finished it startup, the user@1001.service<<a href="mailto:user@1001.service">mailto:user@1001.service</a>> is started as uid=1001 and therefore can’t create any directories
under /run/user/1001. Resulting in user@1001.service<<a href="mailto:user@1001.service">mailto:user@1001.service</a>> failed to start.<br>
> <br>
> If I add “ExecStartPre=+chown %i /run/user/%i” to user@.service<<a href="mailto:user@.service">mailto:user@.service</a>> then it works! But I am unsure if this is really the way fix this.<br>
<br>
As clearly seen from logs, systemd-user-runtime-dir mounts tmpfs with <br>
option uid=1001 over /run/user/1001. Is it still a mounted filesystem <br>
when you check it? It sounds like you see mount point which indeed has <br>
permissions 700 and owner root, not mounted filesystem.<br>
<br>
> <br>
> Regarding the testing, I have done both restart of everything and manual, but the result is the same. Now that I have the “Environment=XDG_RUNTIME_DIR=/run/user/%i” I no longer need to do “systemctl set-environment …”<br>
> <br>
> Thank you for taking your time!<br>
> <br>
> Best regards,<br>
> Christopher Wong<br>
> <br>
> <br>
> From: Mantas Mikulėnas <grawity@gmail.com><br>
> Date: Friday, 8 December 2023 at 21:53<br>
> To: Christopher Wong <Christopher.Wong@axis.com><br>
> Cc: Systemd <systemd-devel@lists.freedesktop.org><br>
> Subject: Re: [systemd-devel] Manual start of user@<uid>.service failed with permission denied<br>
> On Fri, Dec 8, 2023 at 6:53 PM Christopher Wong <Christopher.Wong@axis.com<mailto:Christopher.Wong@axis.com>> wrote:<br>
> Hi Mantas,<br>
> <br>
> I have from your suggestion done the following:<br>
> <br>
> Putting the below in user@.service<br>
> <br>
> [Service]<br>
> ...<br>
> Environment=XDG_RUNTIME_DIR=/run/user/%i<br>
> Environment=SYSTEMD_LOG_LEVEL=debug<br>
> <br>
> Putting the below in user-runtime-dir@.service<br>
> <br>
> [Service]<br>
> ...<br>
> Environment=SYSTEMD_LOG_LEVEL=debug<br>
> <br>
> Then I have disabled the global set-log-level debug (if this is also required, please let me know).<br>
> <br>
> Unlike set-environment that's not global, it only affects pid1.<br>
> <br>
> <br>
> What I can see from the logs is that user-runtime-dir@1001.service<mailto:user-runtime-dir@1001.service> seems to be started and mount /run/user/1001, but addition creation of directory under this mount is getting permission denied.<br>
> <br>
> Dec 08 17:33:29 host systemd[1]: Created slice User Slice of UID 1001.<br>
> Dec 08 17:33:29 host systemd[1]: Starting User Runtime Directory /run/user/1001...<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state UNSET -> OPENING<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: sd-bus: starting bus by connecting to /run/dbus/system_bus_socket...<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state OPENING -> AUTHENTICATING<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state AUTHENTICATING -> HELLO<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 signature=n/a error-name=n/a error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.2536 path=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 signature=s error-name=n/a error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state HELLO -> RUNNING<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=2 reply_cookie=0 signature=ss error-name=n/a
error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=15 reply_cookie=2 signature=v error-name=n/a error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Sent message type=method_call sender=n/a destination=org.freedesktop.login1 path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get cookie=3 reply_cookie=0 signature=ss error-name=n/a
error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Got message type=method_return sender=:1.323 destination=:1.2536 path=n/a interface=n/a member=n/a cookie=16 reply_cookie=3 signature=v error-name=n/a error-message=n/a<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Bus n/a: changing state RUNNING -> CLOSED<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Will mount /run/user/1001 owned by 1001:118<br>
> Dec 08 17:33:29 host systemd-user-runtime-dir[36278]: Mounting tmpfs (tmpfs) on /run/user/1001 (MS_NOSUID|MS_NODEV "mode=0700,uid=1001,gid=118,size=99426304,nr_inodes=24274")...<br>
> Dec 08 17:33:29 host systemd[1]: Finished User Runtime Directory /run/user/1001.<br>
> Dec 08 17:33:29 host systemd[1]: Starting User Manager for UID 1001...<br>
> Dec 08 17:33:29 host systemd[36280]: systemd 254.7-2-g9edc143 running in user mode for user 1001/ida. (-PAM -AUDIT -SELINUX -APPARMOR +IMA -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL -ACL +BLKID +CURL -ELFUTILS -FIDO2 -IDN2 -IDN -IPTC +KMOD -LIBCRYPTSETUP +LIBFDISK
-PCRE2 -PWQUALITY -P11KIT -QRENCODE -TPM2 +BZIP2 -LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON -UTMP -SYSVINIT default-hierarchy=unified)<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/reg', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/dir', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/fifo', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/sock', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/chr', ignoring: Permission denied<br>
> Dec 08 17:33:29 host systemd[36280]: Failed to create '/run/user/1001/systemd/inaccessible/blk', ignoring: Permission denied<br>
> <br>
> What's the ownership of /run/user/1001 and /run/user/1001/systemd after all of this?<br>
> <br>
> Are you rebooting between tests or just manually starting it?<br>
> <br>
> My current guess is that due to the earlier `systemctl set-environment`, some *other* thing that's running as root inherited the /run/user/1001 path and created root-owned directories there? That's the issue with setting global environment, it needs to be
unset afterwards...<br>
> <br>
> --<br>
> Mantas Mikulėnas<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>