On 11/11/2014 01:11 AM, Lennart Poettering wrote:
>> Yet, when root uses "su - username" to change the user,
>> no "user-xxx.slice" is created, not even a new "session"
>> below "user-0.slice" is created, causing the wrong
>> MemoryLimit to be applied:
...
> Using "su" doesn't really open a new session, it really just changes
> the numeric UID, and very few other things. It does not create a new
> bus, doesn't pass access to the audio stack, does not create a new
> tty, no new XDG_RUNTIME_DIR or anything else. It's a mix and match you
> get between the old user and the new user, and part of that is that no
> new session is registered by logind, and hence no resources are
> applied.

"man su" told me:

    It is recommended to always use the --login option (instead it's shortcut -) to
    avoid side effects caused by mixing environments.
    ...
    -, -l, --login
        Starts the shell as login shell with an environment similar to a
        real login:

... and so I did use "-" in "su - username", assuming this would yield
a behaviour "similar to a real login".

If "su - username" cannot be used to impersonate a user, then what
other method could?

On CentOS 6 I was using a script invoked from /etc/pam.d/su-l to
assign the process ID to the cgroup assigned to the user, but it seems
awkward to do something like this while systemd is shuffling the
content of /sys/fs/cgroup, too.

Regards,
Lutz Vieweg
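
The mismatch discussed in this thread can be checked from the contents of /proc/<pid>/cgroup. The following is an added example, not part of the original message or of systemd; the function names and the sample cgroup lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the user-<uid>.slice a process sits in match the UID it runs as?
# Input is the text of /proc/<pid>/cgroup. All sample lines below are constructed.

# Shell that root switched with "su - username": still inside root's slice and session.
SAMPLE_SU='1:name=systemd:/user.slice/user-0.slice/session-3.scope'
# Shell from a login that logind registered for UID 1000.
SAMPLE_LOGIN='1:name=systemd:/user.slice/user-1000.slice/session-7.scope'
# Process started by a system service: no user slice at all.
SAMPLE_SERVICE='1:name=systemd:/system.slice/cron.service'

# Print the UID from the first "user-<uid>.slice" path component, or nothing.
slice_uid() {
    printf '%s\n' "$1" | sed -n 's|.*/user-\([0-9][0-9]*\)\.slice.*|\1|p' | head -n 1
}

# Print the first "session-<id>.scope" path component, or nothing.
session_scope() {
    printf '%s\n' "$1" | sed -n 's|.*/\(session-[^/]*\.scope\).*|\1|p' | head -n 1
}

# $1 = UID the process runs as, $2 = cgroup text.
# Returns 0 on match, 1 on mismatch, 2 when no user slice is present.
check_cgroup() {
    got=$(slice_uid "$2")
    if [ -z "$got" ]; then
        echo "no-user-slice"
        return 2
    elif [ "$got" != "$1" ]; then
        echo "mismatch: uid $1 runs in user-$got.slice"
        return 1
    fi
    echo "ok: user-$got.slice $(session_scope "$2")"
}

# Run the check over the constructed samples, as if each process ran as UID 1000.
for sample in "$SAMPLE_SU" "$SAMPLE_LOGIN" "$SAMPLE_SERVICE"; do
    check_cgroup 1000 "$sample" || true
done
```

On a live system, call `check_cgroup "$(id -u)" "$(cat /proc/self/cgroup)"` from the shell in question; a mismatch means the limits of the other user's slice apply.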