[Pkg-shadow-devel] Bug#813789: systemd: su -l does not start/attach to user session

Michael Biebl biebl at debian.org
Fri Feb 5 10:36:34 UTC 2016 

Am 02/05/2016 um 10:51 AM schrieb Boris Kolpackov:
> Package: systemd
> Version: 215-17+deb8u2
> Severity: normal
> 
> Hi,
> 
> I keep seeing in various places (Debian-related and otherwise) that
> su does not start a new systemd user session because it is not a
> proper login. The symptom is:

Actually in Debian, su *does* start a logind session. If you look at

/etc/pam.d/su it includes /etc/pam.d/common-session

If libpam-systemd is installed, there will be an entry in common-session
like this:
session	optional	pam_systemd.so

If that line is missing, then most likely common-session had local
modifications and those are preserved by pam-auth-update.

So we *do* start a logind session for both su and su -l. It should
probably only be done for the latter. We could actually argue that this
is a bug in Debian in the su configuration.

Fedora/Redhat differentiate su and su -l and ship different pam configs:
/etc/pam.d/su and
/etc/pam.d/su-l

> # su -l boris
> $ systemctl --user status
> Failed to get D-Bus connection: Connection refused

If libpam-systemd is installed and enabled, that should actually work.


> To me, it seems su -/-l/--login is just like login (what is the
> conceptual difference between su -l boris and ssh boris at 127.0.0.1?).
> It also does not attach to a (lingering) user session, unless I
> manually do:
> 
> export XDG_RUNTIME_DIR=/run/user/`id -u`
> 
> [Note that in this case XDG_SESSION_ID will still be bogus but
> apparently it is harmless since it is for information purposes
> only.]
> 
> It seems the decision whether it is a proper login or not is
> made somewhere in /etc/pam.d/. While looking through the files
> I noticed that the runuser-l file in this directory (but not
> runuser) contains this line:
> 
> -session        optional        pam_systemd.so

If that is the only file with a pam_systemd line, then libpam-systemd is
either not installed or not enabled due to local modifications in
common-session.

> While this may seem like it should be the solution, runuser -l
> still doesn't start/attach to the user session. So the purpose
> of this extra line is still a mystery to me.
> 
> For completeness, let me mention /usr/share/pam-configs/systemd
> which seems related but I am not sure how.

It's unclear to me, why you filed this as an issue against systemd?
I don't see anything that the systemd package can do about the su
behaviour. su is shipped by the login package.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20160205/9991de63/attachment.sig>

More information about the Pkg-shadow-devel mailing list