2

I'd like to learn about how systemd starts services, specifically which user the service is started as, and I'd like to use Jenkins running on my Linux PC as an example.

I know that init is pid 1, the mother of all processes in Linux, and in my case pid 1 belongs to systemd, which I can see from running top:

$ top
Tasks: 646 total,   1 running, 645 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1.0 us,  0.6 sy,  0.0 ni, 97.0 id,  1.3 wa,  0.0 hi,  0.1 si,  0.0 st
MiB Mem : 257826.8 total, 198695.4 free,  28529.6 used,  30601.7 buff/cache
MiB Swap: 262012.0 total, 262012.0 free,      0.0 used. 227579.3 avail Mem

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
      1 root      20   0  171284  11196   7904 S   0.3   0.0  31:49.54 systemd

I had naively assumed that because systemd runs as root, all services that it runs would run as root.
But I think that Jenkins is running as admin on my PC.
I tried to use systemctl to determine which user Jenkins was running as, but I didn't see any user info in the stdout:

user@linux_box:~$ systemctl status jenkins
● jenkins.service - LSB: Start Jenkins at boot time
   Loaded: loaded (/etc/init.d/jenkins; generated)
   Active: active (exited) since Fri 2023-05-05 11:50:06 PDT; 3 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4915)
   Memory: 0B
   CGroup: /system.slice/jenkins.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
user@linux_box:~$

...so I tried ps aux:

user@linux_box:~$ ps aux | grep jenkins
admin  2042  0.0  0.0  14164   196 ?        S    May05   0:00 /usr/bin/daemon --name=admin --inherit --env=JENKINS_HOME=/home/admin/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/admin/admin.pid -- /usr/bin/java -Djava.awt.headless=true -jar /home/admin/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
admin  2043  1.7  5.3 48146100 14118144 ?   Sl   May05  83:41 /usr/bin/java -Djava.awt.headless=true -jar /home/admin/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
admin 29932  0.0  0.0   6204   892 pts/1    S+   20:37   0:00 grep jenkins

...I think that leftmost column is saying that Jenkins is running as admin, no?

Can someone please explain the relationship between systemd, the user that it runs as vs. the user that services are run as? It would be great if the answer could tie that to what's specifically going on with Jenkins on this Linux PC.

StoneThrow
  • 1,717

2 Answers

5

The default user that systemd uses for running system services is indeed root, but of course this is customisable using the User option. From man 5 systemd.exec:

User=, Group=

Set the UNIX user or group that the processes are executed as, respectively. Takes a single user or group name, or a numeric ID as argument. For system services (services run by the system service manager, i.e. managed by PID 1) and for user services of the root user (services managed by root's instance of systemd --user), the default is "root", but User= may be used to specify a different user. [...]

In your Jenkins case, systemd is using a generated unit based on the sysv init script /etc/init.d/jenkins, so it's not using the User option (the generated units are very basic: How does systemd use /etc/init.d scripts?). The init script seems to be calling /usr/bin/daemon to start Jenkins, and from man 1 daemon:

The preparatory tasks that daemon performs for other processes are:
[...]

• Change the process uid and gid if the --user option was supplied. Only root can use this option. Note that the uid of daemon itself is changed, rather than just changing the uid of the client process.

However, this option is not present in the ps output, so it might be using some other way to change the UID. Check the /etc/init.d/jenkins script to find out.

muru
  • 72,889
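
An added example, not part of the answer above: a small shell check that compares the account systemd is configured to use (the User= property, where empty means the root default for system services) with the account that actually owns the service's processes. The function names and the sample data are constructed for illustration, with the sample modelled on the question's ps output.

```shell
#!/bin/sh
# Added example. On a live host the two inputs would come from:
#   systemctl show -p User jenkins
#   ps -eo user=,pid=,args=

# Print the account systemd is configured to use for a system service.
# Input: KEY=VALUE lines from `systemctl show`. An empty User= means the
# default for system services, which is root.
configured_user() {
    awk -F= '$1 == "User" { u = $2 } END { print (u == "" ? "root" : u) }'
}

# Print the distinct accounts owning processes whose command line matches $1.
# Input: lines of "user pid args..." as produced by ps.
actual_users() {
    awk -v pat="$1" '{ cmd = $0; sub(/^[^ ]+ +[0-9]+ +/, "", cmd) }
        cmd ~ pat && !seen[$1]++ { print $1 }'
}

# Report whether the process owner matches what systemd was told to use.
# $1 = systemctl show output, $2 = ps output, $3 = command-line regex
check_service() {
    want=$(printf '%s\n' "$1" | configured_user)
    have=$(printf '%s\n' "$2" | actual_users "$3" | paste -sd, -)
    if [ "$want" = "$have" ]; then
        echo "ok: runs as $want"
    else
        echo "mismatch: systemd configured $want, processes run as ${have:-none}"
    fi
}

# Constructed sample: a generated SysV unit has no User= set, yet the init
# script's helper has started Jenkins under another account.
SHOW_SAMPLE='User='
PS_SAMPLE='root     1 /lib/systemd/systemd
admin 2042 /usr/bin/daemon --name=admin -- /usr/bin/java -jar /home/admin/jenkins/jenkins.war
admin 2043 /usr/bin/java -jar /home/admin/jenkins/jenkins.war --httpPort=8080'

check_service "$SHOW_SAMPLE" "$PS_SAMPLE" 'jenkins[.]war'
```

A mismatch means the UID was changed outside systemd, for example by the init script or a wrapper it calls, so that script is the place to look for where the account is set.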
4

muru's answer is correct for most cases, however I want to add info about the --user bus.

systemd has two buses: --system and --user. The --system bus is the default and muru's answer applies to that. But you can also start services on the --user bus.

Unit files are found in /lib/systemd/user/ or ~/.config/systemd/user/ and these will be started as the user who invoked the service. With WantedBy=default.target the service will start when the user logs in, or with WantedBy=graphical.target it will start when the user gets a graphical session.

The user bus is not only an alternative to setting User= on the system bus. It provides a way to create an instance of a service per-user. For example, if you want to mount an sshfs directory to somewhere in a home directory, using that user's credentials, this can be done easily on the user bus.

Another feature is the user bus inherits the environment of the user. This includes things like DISPLAY and XAUTHORITY. This will help you to start GUI applications when a user logs into their desktop-environment. By contrast, setting User= on the system bus will fail to find the correct display (unless explicitly specified), and will often try to start the GUI app before the DE has even started.

Stewart
  • 13,677