LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

September 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS September 2015

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: root is unable to open display
From:	Nico Kadel-Garcia <[log in to unmask]>
Reply To:	Nico Kadel-Garcia <[log in to unmask]>
Date:	Sun, 6 Sep 2015 10:04:52 -0400
Content-Type:	text/plain
Parts/Attachments:	text/plain (67 lines)

On Sun, Sep 6, 2015 at 6:51 AM, Tom H <[log in to unmask]> wrote:
> On Sat, Sep 5, 2015 at 10:42 AM, Nico Kadel-Garcia <[log in to unmask]> wrote:
>> On Sat, Sep 5, 2015 at 4:52 AM, Tom H <[log in to unmask]> wrote:
>
>
>>> systemd introduced "machinectl shell localhost" in systemd 225 that
>>> essentially does the same as "ssh localhost" from an env perspective.
>>>
>>> Since it's being rebased to 219 for SL 7.2, perhaps that command'll be
>>> included in SL 7.4 with a systemd 22x (or it might be backported at
>>> some point...).
>>
>> systemd's tendency to find a particular issue with a known, stable
>> toolkit and then bolt it onto systemd is scaring the tar out of me.
>> Attempting to replace su or sudo seems to be yet another example of
>> this. The subject has been discussed, heatedly, in the Fedora mailing
>> list.
>
> AFAIR there was a systemd-devel@ thread and various bug reports about
> people having a problem with su/sudo when using them to launch X apps
> because XDG_RUNTIME_DIR was the su-ing/sudo-ing user's and perms of
> XDG_RUNTIME_DIR or of its contents were being changed to root because
> that directory couldn't be changed within a session.
>
> So the problem's that su doesn't create a new login session but su was
> never intended for this. Its man page even says "The su command is
> used to become another user during a login session".

Right. "su" doesn't. "sudo" can, by setting /etc/sudoers or
/etc/sudoers.d options.

> Lennart P offered to change the behavior of "su -l" and "sudo -i" via
> a pam argument to create a new session. I don't remember anyone
> writing a patch to put this change into motion and I assume that
> distros have been working around the problem for launching their
> various DEs' system-settings apps.

There are various approaches. They relied on using small, known,
tested tools and worked *within* those tools to leverage the desired
behavior.

> I don't know why the pam patch never materialized but, more or less
> two years later, using machinectl to switch users must've seemed
> natural. AFAIUI it looks like a login to localhost-as-a-container.

Yeah. The problem is that it's adding a systemd only compatible tool,
which means Linux only, to create Yet Another Root Access Tool(tm).

> But the change was introduced with an "su is broken" meme when it
> would've been more accurate to say "using su as gksu is broken" or
> "using su to launch an X app is broken" because using su/sudo at the
> command line's fine. systemd upstream must like to shoot itself in the
> foot communication-wise.

Yeah.

>> I'm afraid that su replacement looks like a Linux-only major security
>> problem begging to happen.
>
> There's "doas" in openbsd so "we" aren't the only ones with an OS-specific tool.

I've not been running OpenBSD for some time, but I believe you. That
one actually looks interesting, and I'd have more confidence in it
with its very small and limited behavior than I would with integrating
"su" like behavior into the growing Sargasso Sea of accumulated debris
that is systemd.

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV