Sudo Command – Why Does sudo -i Not Set XDG_RUNTIME_DIR for Target User?

pamsshsudosystemd

XDG_RUNTIME_DIR is necessary for systemctl --user to work.

I have set up ubuntu server 16.04 to run systemd user sessions. Now, when trying to administer them, I find that when changin a user via sudo -u $user -i or even su - $user, the environment does not have XDG_RUNTIME_DIR set, preventing systemctl --user from working. However, when I ssh straight into that user, it is set correctly.

If I understand the documentation correctly, this should be set by libpam-systemd when creating the user session. The user slice is started correctly, as the directory to which XDG_RUNTIME_DIR should point(/run/users/$uid) exists. I'm hesitant to just hardcode it in, say, .bash_profile, because that seems hacky (albeit working), when pam should be taking care of it.

I can, of course, add XDG_RUNTIME_DIR to env_keep in sudoers, but that would just preserve the sudoing user's environment, which is not what I want. I want the target user's environment.

What I'm really wondering, though, is how come the session is set up correctly with ssh, but not with su or sudo -i?

Best Answer

I have replicated this issue on my Fedora 25 system.

I found a very suspicious condition in the source code. https://github.com/systemd/systemd/blob/f97b34a/src/login/pam_systemd.c#L439 It looks as if it was written with normal sudo in mind but not sudo -u non-root-user.

machinectl shell --uid=non-root-user worked as you requested.

systemd-run did not appear to work as desired, despite the reference to it in the machinectl documentation.

Some machinectl commands don't work if you have enabled SELinux at the moment, and these specific commands didn't work for me until I did setenforce 0. However I'm in the middle of trying workarounds to get machinectl working as I want it to w.r.t SELinux, so it's possible my fiddling is what causes e.g. machinectl shell to timeout.

EDIT: I think this code was introduced after this discussion. And apparently su - / sudo -i could be made to work, but no-one has implemented it (still).

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Ssh – systemd service that needs .ssh/id_dsa password

You need to put the identity files containing not encrypted private key into ~/.ssh directory of the user the service is running. Also, you need to set the HOME environment variable for it, for example if it is run as root:

ExecStart=/usr/bin/env HOME=/root /usr/bin/screen -S smd-loop-win -md "smd-loop"

Alternatively, if you have a control on how smd-loop invokes ssh you may add -I option to tell the ssh an identity file to use.

In any case the identity file has to be owned by this user and has to be accessible by this user only (chmod 0400 ~/.ssh/id*) .

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Ssh – systemd service that needs .ssh/id_dsa password

Related Question