FS#37644 - [util-linux] Missing files: /etc/pam.d/runuser{,-l}

Attached to Project: Arch Linux
Opened by Alain Kalker (ackalker) - Monday, 04 November 2013, 20:07 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 05 January 2019, 15:31 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Dave Reisner (falconindy)
Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

According to util-linux-2.24/Documentation/PAM-configuration.txt and runuser(1), distributions now need to supply their own PAM configuration files /etc/pam.d/runuser{,-l} .
These files are currently missing in pambase.

Since only root can use `runuser -l <user> ...`, and this command is very useful for starting 'user' sessions from systemd services (politics aside[1][2]), I would like to strongly suggest using a configuration like

/etc/pam.d/runuser-l:
---------------------
#%PAM-1.0

auth sufficient pam_rootok.so
session include system-login
---

This way, things like media centers, VNC servers and the like can be managed very conveniently using systemd service files.

For example (tested using the example runuser-l configuration file):

/etc/systemd/system/xbmc@.service:
----------------------------------
[Unit]
Description=XBMC on %I
Conflicts=getty@%i.service
After=systemd-user-sessions.service getty@%i.service plymouth-quit.service

[Service]
ExecStart=/usr/bin/runuser -l xbmc -c "/usr/bin/startx /usr/bin/xbmc --standalone"
ExecStop=/usr/bin/runuser -l xbmc -c "/usr/bin/pkill xbmc.bin"
StandardInput=tty
StandardOutput=tty
TTYPath=/dev/%I
Restart=always

[Install]
WantedBy=graphical.target
---

This can be used to start XBMC standalone on any tty:

# systemctl start xbmc@tty2.service

or on system startup (when not using any DM):

# systemctl enable xbmc@tty1

Additional info:
* package version(s)
pambase 20130928-1
util-linux 2.24-1
* config and/or log files etc.


Steps to reproduce:

Closed by Dave Reisner (falconindy)
Saturday, 05 January 2019, 15:31 GMT
Reason for closing: Implemented
Additional comments about closing: testing/util-linux-2.33-3
Comment by Alain Kalker (ackalker) - Monday, 04 November 2013, 20:09 GMT
Comment by Dave Reisner (falconindy) - Thursday, 07 November 2013, 22:37 GMT
> this command is very useful for starting 'user' sessions from systemd services
curious why you wouldn't use the User/Group keys in the service instead.
Comment by Alain Kalker (ackalker) - Thursday, 07 November 2013, 23:01 GMT
Because sometimes one wants more than just running a command as a user: `runuser -l` creates a user *session* and runs the command in it. For the XBMC service example, this means that XBMC can perform suspend/shutdown/restart, has access to disks, etc., without the need for the user 'xbmc' to be a member of lots of groups (currently, the 'xbmc' package makes user 'xbmc' a member of groups 'disk', 'network', 'video', 'audio', etc.), which goes against systemd's way of managing resources using sessions and seats.
Comment by Dave Reisner (falconindy) - Thursday, 07 November 2013, 23:09 GMT
You can assign a PAMName= for your XBMC service to create a PAM session for the user.
Comment by Alain Kalker (ackalker) - Friday, 08 November 2013, 00:11 GMT
Tried with the following service file:

--[xbmc-pam@service]--
[Unit]
Description=XBMC on %I
Conflicts=getty@%i.service
After=systemd-user-sessions.service getty@%i.service plymouth-quit.service

[Service]
User=xbmc
Group=xbmc
ExecStart=/usr/bin/startx /usr/bin/xbmc --standalone
ExecStop=/usr/bin/pkill xbmc.bin
PAMName=system-login
StandardInput=tty
StandardOutput=tty
TTYPath=/dev/%I
Restart=always

[Install]
WantedBy=graphical.target
--

Starting it seemed to work, but after stopping it, all kinds of weirdness started happening (lots of errors on autocomplete, i3 on VT1 acting up), which I eventually tracked down to /dev/null being owned by xbmc and not writable by anyone else:

$ ls -l /dev/null
crw--w---- 1 xbmc root 1, 3 Nov 8 00:56

Not good. Also tried with PAMName=login, same result.
Comment by Alain Kalker (ackalker) - Friday, 08 November 2013, 00:16 GMT
Also /dev/tty2 remains owned by xbmc even after stopping the service. Long delay on shutdown, too.
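Two quick checks for the two things this thread turns on, written as an added example (not from the ticket or from any of the packages it mentions): whether a runuser-l PAM file carries the two lines proposed in the report, and whether a `/dev/null` listing still shows the root-owned, world-writable node rather than the state left behind by the PAMName= experiment. The sample PAM files and `ls -l` lines are constructed here; the temp files stand in for /etc/pam.d/runuser-l and nothing in /etc or /dev is touched.

```shell
#!/bin/sh
# Added example, not from the ticket. Two checks for the two issues it
# discusses; nothing here touches the real /etc/pam.d or /dev.
#  pam_runuser_ok FILE   - does a runuser{,-l} PAM file carry the two lines
#                          proposed in the report (auth sufficient
#                          pam_rootok.so, session include system-login)?
#  devnode_ok "LS_LINE"  - given one `ls -l` line for /dev/null, is the node
#                          still root-owned and world-writable?  The report
#                          quotes the broken state left by a PAMName= unit
#                          (owned by 'xbmc', mode crw--w----).

pam_lines() {
    # Drop comments (incl. the #%PAM-1.0 header) and blank lines; rebuild
    # each record so runs of whitespace become single spaces.
    awk '{ sub(/#.*/, ""); if (NF) { $1 = $1; print } }' "$1"
}

pam_runuser_ok() {
    pam_lines "$1" | grep -qx 'auth sufficient pam_rootok.so' &&
    pam_lines "$1" | grep -qx 'session include system-login'
}

devnode_ok() {
    # Word-split the ls -l line: field 1 is the mode string, field 3 the owner.
    set -- $1
    [ "$1" = "crw-rw-rw-" ] && [ "$3" = "root" ]
}

# Constructed samples; the temp files stand in for /etc/pam.d/runuser-l.
GOOD_PAM=$(mktemp); BAD_PAM=$(mktemp)
cat > "$GOOD_PAM" <<'EOF'
#%PAM-1.0

auth     sufficient  pam_rootok.so
session  include     system-login
EOF
printf 'auth required pam_unix.so\nsession include system-login\n' > "$BAD_PAM"

# The second line is the one quoted in the report.
GOOD_NULL='crw-rw-rw- 1 root root 1, 3 Nov  8 00:56 /dev/null'
BAD_NULL='crw--w---- 1 xbmc root 1, 3 Nov  8 00:56 /dev/null'

for f in "$GOOD_PAM" "$BAD_PAM"; do
    if pam_runuser_ok "$f"; then echo "$f: proposed runuser-l config"; else echo "$f: differs"; fi
done
for l in "$GOOD_NULL" "$BAD_NULL"; do
    if devnode_ok "$l"; then echo "ok: $l"; else echo "WRONG owner/mode: $l"; fi
done
rm -f "$GOOD_PAM" "$BAD_PAM"
```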
Comment by Andreas Radke (AndyRTR) - Thursday, 28 July 2016, 12:05 GMT
Dave, you should probably add the suggested files to gain full upstream compatibility.

Look how Fedora does it: (line 365)
http://pkgs.fedoraproject.org/cgit/rpms/util-linux.git/tree/util-linux.spec?id=e91f50c4067e02c29c88e494abc969c2682a9868

note: the Fedora package maintainer is also the upstream author ;)
Comment by Dave Reisner (falconindy) - Saturday, 05 January 2019, 15:30 GMT
We now have an /etc/pam.d/runuser{,-l} in testing/util-linux-2.33-3
