Hi,

> Then, I want to manually launch my window manager, in a new logind session for
> my user, on a different tty.
>
> I tried adding User and PAMName to my window manager unit awesome.service
>
> <...>
>
> The unit fails with message
>
> systemd[21209]: Failed at step GROUP spawning /home/abdo/.config/systemd/scripts/awesome.sh: Operation not permitted
Ok, more to the point. I think initgroups in core/execute.c always needs privileges. It is always called when User=blah is set on a service file and always fails on systemd user instances for unprivileged users. This prevents using PAM within a systemd user instance, for example.

I attach a patch that makes a call to initgroups only when we ask for a different user than the one for the running instance (when the group access list may be different). I'm not certain whether this would break something else, though...

Also, there is a dbus policy preventing unprivileged users from accessing the CreateSession method in logind1.Manager. Is this intentional?

Thanks,
Abdó Roig.
>From ebf7783534d3aa3e56c20dba7450fd2169f3521f Mon Sep 17 00:00:00 2001 From: Abdo Roig-Maranges <[email protected]> Date: Mon, 29 Jul 2013 11:40:02 +0200 Subject: [PATCH] core: call initgroups only when uid changes initgroups always requires the CAP_SETGID capability, and fails on unprivileged systemd instances. --- src/core/execute.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/core/execute.c b/src/core/execute.c index 43b571e..e539673 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -576,7 +576,7 @@ static int ask_for_confirmation(char *response, char **argv) { return r; } -static int enforce_groups(const ExecContext *context, const char *username, gid_t gid) { +static int enforce_groups(const ExecContext *context, const char *username, uid_t uid, gid_t gid) { bool keep_groups = false; int r; @@ -594,8 +594,8 @@ static int enforce_groups(const ExecContext *context, const char *username, gid_ return r; } - /* First step, initialize groups from /etc/groups */ - if (username && gid != 0) { + /* First step, initialize groups from /etc/groups if different uid */ + if (username && gid != 0 && uid != getuid()) { if (initgroups(username, gid) < 0) return -errno; @@ -1300,7 +1300,7 @@ int exec_spawn(ExecCommand *command, #endif if (apply_permissions) { - err = enforce_groups(context, username, gid); + err = enforce_groups(context, username, uid, gid); if (err < 0) { r = EXIT_GROUP; goto fail_child; -- 1.8.3.4
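Review bot: In the enforce_groups() hunk at -594, the new test `uid != getuid()` skips initgroups() for any manager whose real uid equals the requested user, not only for unprivileged user instances, and it does not look at gid. A privileged manager asked for its own uid together with a different gid previously had its supplementary group list rebuilt by initgroups(username, gid); with this condition it keeps whatever list it inherited, unless a later step outside the visible lines replaces it. Consider skipping only when gid also equals getgid(), or keying the skip on the instance being unprivileged, and say in the comment that the inherited supplementary groups are kept in that case. The edited comment also still reads /etc/groups, while the file is /etc/group.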
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
