Lennart Poettering merged “su” command replacement into systemd: Test Drive on Fedora Rawhide

With this pull request systemd now supports an su-like command and can create privileged sessions that are fully isolated from the original session. su is a classic UNIX command that has been in use for more than 30 years. Why is su bad? Lennart Poettering says:

Well, there have been long discussions about this, but the problem is that what su is supposed to do is very unclear. On one hand it’s supposed to open a new session and change a number of execution context parameters (uid, gid, env, …), and on the other it’s supposed to inherit a lot of concepts from the originating session (tty, cgroup, audit, …). Since this is so weakly defined it’s a really weird mix&match of old and new parameters. To keep this somewhat manageable we decided to only switch the absolute minimum over, and that excludes XDG_RUNTIME_DIR, specifically because XDG_RUNTIME_DIR is actually bound to the session/audit runtime and those we do not transition. Instead we simply unset it.

Long story short: su is really a broken concept. It will give you kind of a shell, and it’s fine to use it for that, but it’s not a full login, and shouldn’t be mistaken for one.

This has come up many times, but nothing really changed, hence closing this now. I understand this is confusing and unexpected, but well, that’s UNIX…

The new feature is included in the latest version of systemd, and we can test it now:

$ cat /etc/os-release
NAME=Fedora
VERSION="24 (Workstation Edition)"
ID=fedora
VERSION_ID=24
PRETTY_NAME="Fedora 24 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:24"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=Rawhide
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=Rawhide
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Workstation Edition"
VARIANT_ID=workstation

$ systemctl --version
systemd 225
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
Fedora Rawhide

Login as superuser without su:

$ machinectl shell
Connected to the local host. Press ^] three times within 1s to exit session.
sh-4.3# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0
sh-4.3# whoami
root
sh-4.3#
Login with machinectl

It works! We can work as superuser. And that is not all: we can also set the shell and the host:

$ machinectl shell root@.host /bin/bash
Connected to the local host. Press ^] three times within 1s to exit session.
[root@localhost /]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0

Log in as a non-root user and set a shell environment variable:

$ id
uid=1000(paul) gid=1000(paul) groups=1000(paul) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
#1000 - UID of user `paul`
#SYSTEMD_TEST - test variable of user environment
$ machinectl shell --uid 1000 --setenv="SYSTEMD_TEST=777"
Connected to the local host. Press ^] three times within 1s to exit session.
sh-4.3$ id
uid=1000(paul) gid=1000(paul) groups=1000(paul) context=unconfined_u:unconfined_r:unconfined_t:s0
sh-4.3$ whoami
paul
sh-4.3$ export | grep -i systemd
export SYSTEMD_TEST="777"
sh-4.3$

Great! Our variable is defined. A more complicated trick (thanks to Igor Gnatenko):

$ sudo systemd-run -p CPUQuota=50% -p PAMName=login -t /bin/bash -l

This starts a new login shell session with a CPU quota of only 50%, which is very useful if you have high-load services.
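As an added example (not part of the original post and not systemd’s own code), the POSIX shell helpers below make the two points of this walkthrough checkable: only an explicit allow-list of variables is forwarded into the new session via --setenv, and an `export` dump taken inside the new shell is audited for variables that are bound to the originating login session (XDG_RUNTIME_DIR and similar), which a fully isolated session must not inherit. The list of session-bound variable names and the sample dumps are constructed assumptions, not output captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post or from systemd.
# Helpers for spawning an isolated privileged session with machinectl shell
# and verifying afterwards that nothing session-bound leaked into it.

# Constructed (assumed) list of variables that belong to the caller's login
# session: runtime dir, logind session/seat, SSH agent/connection, sudo
# bookkeeping and display sockets. A fresh session must not carry these.
SESSION_BOUND_VARS="XDG_RUNTIME_DIR XDG_SESSION_ID XDG_SEAT XDG_VTNR SSH_AUTH_SOCK SSH_CONNECTION SUDO_USER SUDO_UID DISPLAY WAYLAND_DISPLAY"

# is_session_bound NAME -> 0 if NAME is in SESSION_BOUND_VARS, else 1
is_session_bound() {
    for bound in $SESSION_BOUND_VARS; do
        [ "$1" = "$bound" ] && return 0
    done
    return 1
}

# build_setenv_args NAME=VALUE... -> prints one --setenv=NAME=VALUE per line.
# Refuses malformed names and refuses to forward session-bound variables,
# so the allow-list cannot be used to smuggle the old session into the new one.
build_setenv_args() {
    for kv in "$@"; do
        case "$kv" in
            *=*) ;;
            *) echo "missing '=' in: '$kv'" >&2; return 1 ;;
        esac
        name=${kv%%=*}
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "refusing invalid variable name: '$name'" >&2; return 1 ;;
        esac
        if is_session_bound "$name"; then
            echo "refusing to forward session-bound variable: $name" >&2
            return 1
        fi
        printf '%s%s\n' '--setenv=' "$kv"
    done
}

# audit_session_env < export-dump -> prints "leaked: NAME" for every
# session-bound variable found; returns 1 if any leaked, 0 if the dump is clean.
# Accepts both `export NAME="v"` (sh/bash) and plain `NAME=v` (env) lines.
audit_session_env() {
    leaked=0
    while IFS= read -r line; do
        line=${line#export }
        name=${line%%=*}
        if is_session_bound "$name"; then
            echo "leaked: $name"
            leaked=1
        fi
    done
    return $leaked
}

# Demonstration with constructed dumps (run: sh this_script.sh demo).
run_demo() {
    echo "# machinectl shell --uid 1000 \$(build_setenv_args SYSTEMD_TEST=777)"
    build_setenv_args SYSTEMD_TEST=777
    echo "# constructed dump from an su-style shell that inherited the caller's session:"
    printf 'export HOME="/root"\nexport XDG_RUNTIME_DIR="/run/user/1000"\nexport SYSTEMD_TEST="777"\n' \
        | audit_session_env || echo "session is NOT isolated"
    echo "# constructed dump from a machinectl shell session:"
    printf 'export HOME="/root"\nexport SYSTEMD_TEST="777"\n' \
        | audit_session_env && echo "session is isolated"
}

if [ "${1-}" = demo ]; then
    run_demo
fi
```

Usage: `machinectl shell --uid 1000 $(build_setenv_args SYSTEMD_TEST=777)` forwards exactly the listed variables (values must not contain whitespace, since the substitution is word-split), and `export | audit_session_env` inside the new shell confirms that the runtime directory and other session-bound state were not carried over, which is the isolation property Lennart’s explanation describes.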


  • Charlie Kravetz

    I see problems for the physically disabled unless the timer is able to be set by the user. Many of us can not hit any key three times in one second.

    • dr_jkl

      I agree. Unless this is configurable or its possible to revert and go back to su then this is going to be a problem.

    • Delusioned Ranter

      You hold it down.
      Also please don’t assume physically disabled people are also mentally disabled, this is incredibly rude and degrading towards both physically and mentally disabled persons.

      • Charlie Kravetz

        As a disabled person, I find your comment offensive. “Many of us . . .” should give you a clue that I am included in my own comment.

    • …and don’t you dare using any vi clones while running it, or try it with some serial consoles!

      • Charlie Kravetz

        Why jump on the insult wagon? Perhaps you feel not being perfect is wrong?

        • Ugh. I think I’ve been a bit too sarcastic here; I tried to point out that choosing triple-esc-press for closing session will interfere with both vi-like editors and plenty of serial console software. (In addition to the issues you’ve pointed out.)

          • John Hughes

You’ve misread — it’s ^] (aka GS, group separator), not ^[ (ESC).

            Same as Telnet and virsh.

    • aix tom

      Plus the additional two problems that I saw within 20 seconds of reading the screenshot:

1) Until reading the comments I had no idea what was meant by hitting a key three times in “ls”.
2) The ] key being one of those that are on a really inconvenient key combo on the standard German keyboard (Alt-GR / 9). Aside from making it even harder to hit three times in one second, there would always be the ambiguity whether this new shell actually uses the keyboard layout that the user had configured in his shell, or the layout root has configured in his profile (which then will in turn create problems on machines that have administrators from around the world share responsibility for, using their different keyboard layouts)

      It almost looks as if there was a “what is the most inconvenient keyboard combo we can come up with to close the shell?” And why the hell couldn’t they just go with the good old “exit” to get out of it?

Somehow I have the feeling Poettering’s solution would be to standardize keyboard layouts worldwide, to “make them compatible with systemd”

      • Paul Alberto Rufous

Ctrl+D and “exit” also work nicely.

  • Charlie Kravetz

    If you can not comment with your real name, then please stop insulting disabled people. Of course, cowards will always find it easier to hide behind anonymity.

    • Delusioned Ranter

      I’m a trans black woman and I will use my rights to anonymity to their fullest online. I’ve had death and rape threats as well as enough abuse it could have been used to send the ‘Third Reich’ in to the fetal position crying on the floor. I will not let people like you bully me for my choices by calling me a coward.

      • Justin Coffman

        No status or label that you have or have assigned yourself justifies hurling insults, let alone while hiding behind a veil of anonymity. That makes you both the bully AND the coward.

      • Nice acting, but still lacks authenticity.

  • chrismfz

“`su` is really a broken concept. It will give you kind of a shell, and it’s fine to use it for that, but it’s not a full login.”
And what is `su -`? man su: -, -l, --login make the shell a login shell, clears all envvars except for TERM, initializes HOME, SHELL, USER, LOGNAME and PATH.
He needed to declare something that has worked for 30 years as broken so he can “fix” it. Poor kid with mental issues.

  • Justin Coffman

    While I don’t have many complaints about systemd in general (and I do work with it daily), the continuing trend of absorbing utilities and functions that have been the standard for decades simply for its own sake is troubling. This sort of unilateralism and change for the sake of change is why systemd has earned so much ire in the Linux community.

  • rootman

    broken concept..
mmm yeah it has worked fine for a long time..
    Just complicate things more and ruin unix..

  • Tom Rand

    Lennart,
    Please stop declaring perfectly working concepts & applications/commands as “broken” just so you can consume them into your monolithic systemd.
I have a better idea, why not just create your own distro/OS called systemd & leave linux alone.

    • Barney

      If you think Linux has no room for improvement then why not stick with Slackware 1.0 and just ignore everyone writing new things?

      • Tom Rand

        This is by no means of the word or term an improvement.
        su is not broken in any way!
        Will you only be happy when all system based commands are merged into systemd?

        Just because he is a RH dev does not mean that his bunch of crap must consume & assimilate all other system commands.
        All he wants is to make one blob of RH code that has so much control everything else has it as a dependency & then RH will leverage it as their intellectual property.

        So many try to back him up but in all honesty where is the evidence that su is broken?
Or better yet where is the evidence that everything else this has consumed was also broken??

        • Cristian Rodriguez

          Su is a totally broken concept..that’s why among other things.. sudo was created..:-) The main purpose of machinectl shell is to open a fully operational root session in the containers that tool manages. (that’s why it is not called systemctl su or systemd-sudo) it happens to work with localhost too, because unlike the old unix utilities this one does not suck at integration and transparency.

          Redhat does not have any intellectual property on systemd, and is not a single blob..all you say is completely wrong revealing your utter ignorance.

          • Markus Heiler

            su was not broken, the fact that sudo was created shows that those who created it added something that was broken. I am sorry that you are not able to manage your systems properly.

            The main function of machinectl shell is to devour bash and integrate it. Why else would you assume that it is needed suddenly when in the years before, it was not needed?

            And the old unix utilities worked fine, guess how Linus got the Linux kernel started back in the days?

            Redhat owns way too much already, it is not just Poettering who is on the payroll, there are a lot of developers working for Red Hat being disallowed from being critical to the mother company that gives them money.

            Who is paying you by the way?

      • Markus Heiler

        Why should he have to switch? That is something that you failed to address – not just to Tom Rand but to everyone else who complained about the hostile takeover from Red Hat here. Plus – you did not even address the complaints but went for ad hominem directly. Lame.

    • Yar Kirillov

      > I have a better idea, why not just create you own distro/OS called systemd & leave linux alone.
      Redhat/Fedora? 🙂

      • Tom Rand

        no

  • Disillusioned Charlie Kravetz

I’m a trans black woman and I will use my rights to anonymity to their fullest online. I’ve had death and rape threats as well as enough abuse it could have been used to send the ‘Third Reich’ in to the fetal position crying on the floor. I will not let people like you bully me for my choices by calling me a coward.

  • Ralf Muschall

    Scary. I guess I’ll continue to use “ssh -X -l root localhost” where everything works nicely.

    • Paul Alberto Rufous

      If you have running openssh-server on every machine.

    • Mark Bainter

      Until he re-implements “broken” ssh in systemd.

  • Bruno Santoni

    What is next? ls? “ls is broken and will be replaced with ‘systemctl show.directory content'” ….

  • sigsegv111 .

    you’re complete retard lennart … go and eat the bullet … epoch will replace your shit anyway soon