When I use ssh to log in to the root user on my server, an entry 0 is created in /var/run/user because pam_systemd tells systemd-logind to do this. This is an indicator that a user session has been started for uid 0.

Then, when I run su jack, I still only see the 0 entry in /var/run/user; no entry has been made for this session.

However, journalctl shows that a pam session was opened, and /etc/pam.d/su includes common-session, which adds session optional pam_systemd.so. So I think that a user session should have been created.

How can I make su create a user session?

If it's relevant, I'm on Debian 11.

jrpear
  • Why do you need a full session? Have you tried su - jack ? – user10489 May 21 '22 at 20:00
  • I'm trying to get a full session so that systemctl --user works. su - jack didn't work either :( – jrpear May 21 '22 at 20:25
  • su is intended to allow for access with alternate credentials within another session. If you want a new session, you have to log in instead. – user10489 May 21 '22 at 21:11
  • How can I log in from within a running session? – jrpear May 21 '22 at 21:52
  • You can't. You have to start a new session, possibly on another terminal or through the network. – user10489 May 21 '22 at 21:54
  • Ahh so probably what's happening is logind explicitly refuses to launch a new session from within a running one. – jrpear May 21 '22 at 22:04
  • It's more like, it doesn't make sense to have a session inside another session, and there are no provisions within logind to create a session outside of the normal methods of logging in. Logind doesn't "refuse"; you just have not asked it correctly. – user10489 May 21 '22 at 23:00
  • I use loginctl enable-linger to make the user manager of a user start regardless of whether it has a session. When I also have some user service that starts e.g. tmux, I'll then be able to systemctl --user if I attach to the same tmux server (by setting TMUX_TMPDIR) after su -. – Tom Yan May 22 '22 at 10:28
  • Relating https://unix.stackexchange.com/q/545328/117549 – Jeff Schaller May 22 '22 at 10:58
  • Also relating https://unix.stackexchange.com/a/615964/272848 – Stewart May 28 '22 at 06:26
  • This question isn't about sudo or su, it's about systemd. – user10489 May 28 '22 at 12:08

1 Answer

The PAM module does not create a session if the current process is already a member of an existing session. I found the following workaround to create a session from an existing session:

systemd-run --system --scope \
    su -l

Basically, you run su -l inside a system-level scope; this is not part of the current user session, and so the PAM module will create a session for the su -l process. Once the process has been moved to the session, the temporary scope is empty and will be removed.

The only issue is that your current user must have the permission to create scopes at system level, and you have to authenticate twice: once for the current user to authenticate creation of the scope, and then again as the user for whom you want to create a session.

Reboot
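Added example, not part of the original answer: a shell check that predicts, from a process's cgroup path, whether a PAM login such as su started from it will reuse an existing login or can get a new session. The function names and sample cgroup lines are constructed for illustration, and the unit-name matching is an assumption about how logind membership appears in the cgroup path.

```shell
#!/bin/sh
# Added example. Assumption: an existing logind login shows up in the systemd
# cgroup path as session-<id>.scope (a session) or user@<uid>.service (the
# per-user manager), so reading that path tells us what su will inherit.

# Print the first session scope or user manager unit found in a
# /proc/<pid>/cgroup style file; print nothing if there is none.
login_unit_of() {
    cgroup_file=${1:-/proc/$$/cgroup}
    # cgroup v2 exposes the path on the "0::" line, hybrid/v1 on "name=systemd".
    sed -n -e 's/^0:://p' -e 's/^[0-9]*:name=systemd://p' "$cgroup_file" 2>/dev/null |
        tr '/' '\n' |
        grep -E '^(session-.+\.scope|user@.+\.service)$' |
        head -n 1
}

# Predict the outcome of a PAM login (su, su -l) started from that process:
# "reuse:<unit>" means no new session, "new-session" means one can be created.
predict_su_session() {
    unit=$(login_unit_of "$1")
    if [ -n "$unit" ]; then
        echo "reuse:$unit"
    else
        echo "new-session"
    fi
}

# Constructed sample inputs (not captured from a real host).
demo() {
    dir=$(mktemp -d)
    printf '0::/user.slice/user-0.slice/session-3.scope\n' > "$dir/ssh-root-shell"
    printf '0::/system.slice/run-u42.scope\n' > "$dir/inside-systemd-run-scope"
    for f in "$dir"/*; do
        printf '%-28s %s\n' "$(basename "$f")" "$(predict_su_session "$f")"
    done
    rm -rf "$dir"
}
demo
```

Calling predict_su_session with no argument reads the cgroup of the current shell, which is the quickest way to see why su from an ssh login leaves /var/run/user unchanged.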