SCIENTIFIC-LINUX-USERS Archives

September 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Sun, 6 Sep 2015 06:51:59 -0400
On Sat, Sep 5, 2015 at 10:42 AM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Sat, Sep 5, 2015 at 4:52 AM, Tom H <[log in to unmask]> wrote:
>> systemd introduced "machinectl shell localhost" in systemd 225 that
>> essentially does the same as "ssh localhost" from an env perspective.
>>
>> Since it's being rebased to 219 for SL 7.2, perhaps that command'll be
>> included in SL 7.4 with a systemd 22x (or it might be backported at
>> some point...).
>
> systemd's tendency to find a particular issue with a known, stable
> toolkit and then bolt it onto systemd is scaring the tar out of me.
> Attempting to replace su or sudo seems to be yet another example of
> this. The subject has been discussed, heatedly, in the Fedora mailing
> list.

AFAIR there was a systemd-devel@ thread and various bug reports about
people having a problem with su/sudo when using them to launch X apps
because XDG_RUNTIME_DIR was the su-ing/sudo-ing user's and perms of
XDG_RUNTIME_DIR or of its contents were being changed to root because
that directory couldn't be changed within a session.

So the problem's that su doesn't create a new login session but su was
never intended for this. Its man page even says "The su command is
used to become another user during a login session".

Lennart P offered to change the behavior of "su -l" and "sudo -i" via
a pam argument to create a new session. I don't remember anyone
writing a patch to put this change into motion and I assume that
distros have been working around the problem for launching their
various DEs' system-settings apps.

I don't know why the pam patch never materialized but, more or less
two years later, using machinectl to switch users must've seemed
natural. AFAIUI it looks like a login to localhost-as-a-container.

But the change was introduced with an "su is broken" meme when it
would've been more accurate to say "using su as gksu is broken" or
"using su to launch an X app is broken" because using su/sudo at the
command line's fine. systemd upstream must like to shoot itself in the
foot communication-wise.
> I'm afraid that su replacement looks like a Linux-only major security
> problem begging to happen.

There's "doas" in openbsd so "we" aren't the only ones with an OS-specific tool.

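The failure mode described in this post (an X app launched through su/sudo still sees the original user's XDG_RUNTIME_DIR, and the directory or its contents end up owned by root) can be spotted before it causes damage by comparing the runtime directory's owner with the uid the process actually runs as. The following POSIX shell check is an added example and is not code from the list post or from systemd; the function names are my own, and it assumes the per-user runtime directory is expected to be mode 0700 and owned by the session user, which is how systemd-logind creates /run/user/<uid>. It uses `ls -ldn` rather than GNU `stat` so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that the directory a
# process sees as XDG_RUNTIME_DIR is owned by the uid the process runs as and
# is private (0700). Under "su" or "sudo" from a desktop session the variable
# is often inherited from the original user, and this check reports that.

runtime_dir_owner() {
    # Numeric owner uid of a path (field 3 of "ls -ldn"); POSIX, no GNU stat needed.
    ls -ldn "$1" | awk '{ print $3 }'
}

runtime_dir_mode() {
    # Symbolic mode string of a path, e.g. "drwx------" (may carry a trailing
    # "." or "+" on systems with SELinux labels or ACLs).
    ls -ldn "$1" | awk '{ print $1 }'
}

# check_runtime_dir DIR EXPECTED_UID
# Returns 0 when DIR exists, is owned by EXPECTED_UID and is mode 0700;
# returns 1 and prints the reason otherwise.
check_runtime_dir() {
    dir=$1
    expected_uid=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    owner=$(runtime_dir_owner "$dir")
    mode=$(runtime_dir_mode "$dir")
    if [ "$owner" != "$expected_uid" ]; then
        echo "owner mismatch: $dir is owned by uid $owner, but the process runs as uid $expected_uid"
        return 1
    fi
    case "$mode" in
        drwx------*) ;;   # 0700: only the owner may enter the runtime dir
        *)
            echo "mode $mode on $dir is not 0700"
            return 1
            ;;
    esac
    echo "ok: $dir owned by uid $owner, mode $mode"
    return 0
}

# Stand-alone run: check the caller's own runtime dir against the caller's
# uid. After "su" from a graphical login this typically prints the mismatch.
# The verdict is printed; the trailing "|| :" keeps a failing check from
# aborting a script run with "sh -e".
if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
    check_runtime_dir "$XDG_RUNTIME_DIR" "$(id -u)" || :
fi
```

Running this from inside a `su -l` or `sudo -i` shell that inherited the desktop user's environment shows exactly the condition the post describes: the directory exists and is 0700, but its owner is not the current uid, so anything that writes into it (or re-chowns it) is operating on another user's session state.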